diff --git a/data/insecure_full.json b/data/insecure_full.json
index 2330e3a8..4fc9a4c3 100644
--- a/data/insecure_full.json
+++ b/data/insecure_full.json
@@ -2,7 +2,7 @@
 "$meta": {
 "advisory": "PyUp.io metadata",
 "base_domain": "https://pyup.io",
- "timestamp": 1722492052
+ "timestamp": 1725170436
 },
 "10cent10": [
 {
@@ -194,6 +194,18 @@
 "v": "==0.1.0"
 }
 ],
+ "aba-cli-scrapper": [
+ {
+ "advisory": "Aba-cli-scrapper 0.3.0 replaces its dependency 'pymysql' as a DBAPIS with 'mysqlclient' to avoid a SQLi vulnerability.",
+ "cve": "CVE-2024-36039",
+ "id": "pyup.io-72564",
+ "more_info_path": "/vulnerabilities/CVE-2024-36039/72564",
+ "specs": [
+ "<0.3.0"
+ ],
+ "v": "<0.3.0"
+ }
+ ],
 "abe": [
 {
 "advisory": "Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception.",
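Review bot: The new `aba-cli-scrapper` advisory reads as if the SQL injection is in this package, while the CVE it cites (CVE-2024-36039) is presumably filed against the `pymysql` dependency it swaps out, so the text should say that plainly and fix the `DBAPIS` typo: `"advisory": "Aba-cli-scrapper 0.3.0 replaces its DBAPI dependency 'pymysql' with 'mysqlclient' to avoid the SQL injection vulnerability tracked as CVE-2024-36039 in pymysql."`. It is also worth confirming that `<0.3.0` really exposes the vulnerable code path; an entry keyed on a dependency swap flags every earlier release regardless of whether the package ever passed untrusted data through the affected API. The timestamp bump in the first hunk needs no review.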
@@ -302,16 +314,6 @@
 ],
 "v": "<0.8.45"
 },
- {
- "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c",
- "cve": "CVE-2023-25561",
- "id": "pyup.io-63339",
- "more_info_path": "/vulnerabilities/CVE-2023-25561/63339",
- "specs": [
- "<0.8.45"
- ],
- "v": "<0.8.45"
- },
 {
 "advisory": "DataHub under 0.8.45 frontend, acting as a proxy, is found to have a vulnerability where it doesn't properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), potentially allowing external users to reroute requests from the DataHub Frontend to any host. This could enable attackers to reroute a request from the frontend proxy to any other server and return the result. The vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-5w2h-q83m-65xg",
 "cve": "CVE-2023-25557",
@@ -342,6 +344,16 @@
 ],
 "v": "<0.8.45"
 },
+ {
+ "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c",
+ "cve": "CVE-2023-25561",
+ "id": "pyup.io-63339",
+ "more_info_path": "/vulnerabilities/CVE-2023-25561/63339",
+ "specs": [
+ "<0.8.45"
+ ],
+ "v": "<0.8.45"
+ },
 {
 "advisory": "DataHub under 0.9.5 uses the X-DataHub-Actor HTTP header to infer the user sending requests on behalf of the frontend. However, due to case-insensitivity, an attacker could potentially exploit this by sending a header with different casing (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass. This allows any user to impersonate the system user account and perform actions on its behalf. This vulnerability, tracked as GHSL-2022-079, was discovered and reported by the GitHub Security lab.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-hrwp-2q5c-86wv\r\nhttps://github.com/datahub-project/datahub/commit/2a182f484677d056730d6b4e9f0143e67368359f",
 "cve": "CVE-2023-25558",
@@ -505,7 +517,7 @@
 ],
 "adyen": [
 {
- "advisory": "Adyen version 7.1.0 addresses a security vulnerability related to a timing attack in HMAC comparisons.\r\nhttps://github.com/Adyen/adyen-python-api-library/pull/170/commits/092f2062eafff2d92adc4d9f73c684510fe090d1",
+ "advisory": "Adyen version 7.1.0 addresses a security vulnerability related to a timing attack in HMAC comparisons.",
 "cve": "PVE-2024-66853",
 "id": "pyup.io-66853",
 "more_info_path": "/vulnerabilities/PVE-2024-66853/66853",
@@ -513,16 +525,6 @@
 "<7.1.0"
 ],
 "v": "<7.1.0"
- },
- {
- "advisory": "Versions of the Adyen Python API from 2.2.0 to below 7.1.0 are susceptible to a Timing Attack. This vulnerability stems from inadequate HMAC comparisons within the `is_valid_hmac()` and `is_valid_hmac_notification()` functions.\r\nhttps://github.com/Adyen/adyen-python-api-library/pull/170",
- "cve": "PVE-2024-99763",
- "id": "pyup.io-66698",
- "more_info_path": "/vulnerabilities/PVE-2024-99763/66698",
- "specs": [
- ">=2.2.0,<7.1.0"
- ],
- "v": ">=2.2.0,<7.1.0"
 }
 ],
 "aegea": [
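Review bot: Dropping the duplicate PVE-2024-99763 record also discards the only reference link and the names of the affected functions, leaving PVE-2024-66853 with no provenance a reader can verify. Keep that detail on the surviving record, e.g. `"advisory": "Adyen version 7.1.0 addresses a timing attack in the HMAC comparisons performed by is_valid_hmac() and is_valid_hmac_notification().\r\nhttps://github.com/Adyen/adyen-python-api-library/pull/170"`. The removed record also bounded the range at `>=2.2.0`; if that lower bound was accurate, the surviving `<7.1.0` now over-reports releases before 2.2.0, so confirm which range is right rather than silently widening it.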
@@ -563,40 +565,40 @@
 ],
 "agentuniverse": [
 {
- "advisory": "Agentuniverse version 0.0.8 updates its langchain dependency from version 0.0.352 to 0.1.20 to address the security vulnerability identified as CVE-2024-21503.",
- "cve": "CVE-2024-21503",
- "id": "pyup.io-71402",
- "more_info_path": "/vulnerabilities/CVE-2024-21503/71402",
+ "advisory": "Agentuniverse version 0.0.8 updates its flask dependency from ^2.2 to ^2.3.2 to address the security vulnerability identified as CVE-2023-30861.",
+ "cve": "CVE-2023-30861",
+ "id": "pyup.io-71400",
+ "more_info_path": "/vulnerabilities/CVE-2023-30861/71400",
 "specs": [
 "<0.0.8"
 ],
 "v": "<0.0.8"
 },
 {
- "advisory": "Agentuniverse version 0.0.8 updates its gunicorn dependency from 21.2.0 to ^22.0.0 to address the security vulnerability identified as CVE-2024-1135.",
- "cve": "CVE-2024-1135",
- "id": "pyup.io-71403",
- "more_info_path": "/vulnerabilities/CVE-2024-1135/71403",
+ "advisory": "Agentuniverse version 0.0.8 updates its Jinja2 dependency to version ^3.1.4, addressing the security vulnerability identified as CVE-2024-22195.",
+ "cve": "CVE-2024-22195",
+ "id": "pyup.io-71401",
+ "more_info_path": "/vulnerabilities/CVE-2024-22195/71401",
 "specs": [
 "<0.0.8"
 ],
 "v": "<0.0.8"
 },
 {
- "advisory": "Agentuniverse version 0.0.8 updates its Jinja2 dependency to version ^3.1.4, addressing the security vulnerability identified as CVE-2024-22195.",
- "cve": "CVE-2024-22195",
- "id": "pyup.io-71401",
- "more_info_path": "/vulnerabilities/CVE-2024-22195/71401",
+ "advisory": "Agentuniverse version 0.0.8 updates its langchain dependency from version 0.0.352 to 0.1.20 to address the security vulnerability identified as CVE-2024-21503.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-71402",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/71402",
 "specs": [
 "<0.0.8"
 ],
 "v": "<0.0.8"
 },
 {
- "advisory": "Agentuniverse version 0.0.8 updates its flask dependency from ^2.2 to ^2.3.2 to address the security vulnerability identified as CVE-2023-30861.",
- "cve": "CVE-2023-30861",
- "id": "pyup.io-71400",
- "more_info_path": "/vulnerabilities/CVE-2023-30861/71400",
+ "advisory": "Agentuniverse version 0.0.8 updates its gunicorn dependency from 21.2.0 to ^22.0.0 to address the security vulnerability identified as CVE-2024-1135.",
+ "cve": "CVE-2024-1135",
+ "id": "pyup.io-71403",
+ "more_info_path": "/vulnerabilities/CVE-2024-1135/71403",
 "specs": [
 "<0.0.8"
 ],
@@ -1399,20 +1401,20 @@
 "v": "<3.8.6"
 },
 {
- "advisory": "Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).",
- "cve": "CVE-2023-49082",
- "id": "pyup.io-62583",
- "more_info_path": "/vulnerabilities/CVE-2023-49082/62583",
+ "advisory": "Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2",
+ "cve": "CVE-2023-49081",
+ "id": "pyup.io-62582",
+ "more_info_path": "/vulnerabilities/CVE-2023-49081/62582",
 "specs": [
 "<3.9.0"
 ],
 "v": "<3.9.0"
 },
 {
- "advisory": "Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2",
- "cve": "CVE-2023-49081",
- "id": "pyup.io-62582",
- "more_info_path": "/vulnerabilities/CVE-2023-49081/62582",
+ "advisory": "Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).",
+ "cve": "CVE-2023-49082",
+ "id": "pyup.io-62583",
+ "more_info_path": "/vulnerabilities/CVE-2023-49082/62583",
 "specs": [
 "<3.9.0"
 ],
@@ -1429,20 +1431,20 @@
 "v": "<3.9.1"
 },
 {
- "advisory": "Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.",
- "cve": "CVE-2024-30251",
- "id": "pyup.io-71545",
- "more_info_path": "/vulnerabilities/CVE-2024-30251/71545",
+ "advisory": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.",
+ "cve": "CVE-2024-27306",
+ "id": "pyup.io-70630",
+ "more_info_path": "/vulnerabilities/CVE-2024-27306/70630",
 "specs": [
 "<3.9.4"
 ],
 "v": "<3.9.4"
 },
 {
- "advisory": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.",
- "cve": "CVE-2024-27306",
- "id": "pyup.io-70630",
- "more_info_path": "/vulnerabilities/CVE-2024-27306/70630",
+ "advisory": "Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.",
+ "cve": "CVE-2024-30251",
+ "id": "pyup.io-71545",
+ "more_info_path": "/vulnerabilities/CVE-2024-30251/71545",
 "specs": [
 "<3.9.4"
 ],
@@ -2552,9 +2554,9 @@
 "id": "pyup.io-71997",
 "more_info_path": "/vulnerabilities/CVE-2024-29640/71997",
 "specs": [
- "<=2.3.3"
+ ">=0"
 ],
- "v": "<=2.3.3"
+ "v": ">=0"
 }
 ],
 "allennlp": [
@@ -3003,6 +3005,16 @@
 ],
 "v": "<1.5.4"
 },
+ {
+ "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19",
+ "cve": "CVE-2014-4660",
+ "id": "pyup.io-42918",
+ "more_info_path": "/vulnerabilities/CVE-2014-4660/42918",
+ "specs": [
+ "<1.5.5"
+ ],
+ "v": "<1.5.5"
+ },
 {
 "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4659: Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the \"deb http://user:pass@server:port/\" format.",
 "cve": "CVE-2014-4659",
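Review bot: Changing the CVE-2024-29640 spec from `<=2.3.3` to `>=0` makes every release of the package, including any future fixed one, match the advisory; the package name and advisory text sit outside this hunk, so I cannot tell whether an upstream fix exists. If upstream has not shipped a fix, say so in the advisory text (e.g. append `No fixed version is available at the time of writing.`) so consumers understand why the range is open-ended; if a fix exists, the range should be `<FIXED_VERSION` instead. `>=0` with no upper bound is the only permanently unbounded spec visible in this diff, which makes it look like a placeholder rather than a deliberate choice.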
@@ -3023,16 +3035,6 @@
 ],
 "v": "<1.5.5"
 },
- {
- "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19",
- "cve": "CVE-2014-4660",
- "id": "pyup.io-42918",
- "more_info_path": "/vulnerabilities/CVE-2014-4660/42918",
- "specs": [
- "<1.5.5"
- ],
- "v": "<1.5.5"
- },
 {
 "advisory": "Ansible 1.6.4 includes a fix for CVE-2014-4678: The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.",
 "cve": "CVE-2014-4678",
@@ -3053,16 +3055,6 @@
 ],
 "v": "<1.6.6"
 },
- {
- "advisory": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.",
- "cve": "CVE-2014-4966",
- "id": "pyup.io-42334",
- "more_info_path": "/vulnerabilities/CVE-2014-4966/42334",
- "specs": [
- "<1.6.7"
- ],
- "v": "<1.6.7"
- },
 {
 "advisory": "ansible 1.6.7 contains two security fixes:\r\n * Strip lookup calls out of inventory variables and clean unsafe data\r\n returned from lookup plugins (CVE-2014-4966)\r\n * Make sure vars don't insert extra parameters into module args and prevent\r\n duplicate params from superseding previous params (CVE-2014-4967)",
 "cve": "CVE-2014-4967",
@@ -3074,14 +3066,14 @@
 "v": "<1.6.7"
 },
 {
- "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.",
- "cve": "PVE-2021-25622",
- "id": "pyup.io-25622",
- "more_info_path": "/vulnerabilities/PVE-2021-25622/25622",
+ "advisory": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.",
+ "cve": "CVE-2014-4966",
+ "id": "pyup.io-42334",
+ "more_info_path": "/vulnerabilities/CVE-2014-4966/42334",
 "specs": [
- "<1.7"
+ "<1.6.7"
 ],
- "v": "<1.7"
+ "v": "<1.6.7"
 },
 {
 "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.",
@@ -3093,6 +3085,16 @@
 ],
 "v": "<1.7"
 },
+ {
+ "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.",
+ "cve": "PVE-2021-25622",
+ "id": "pyup.io-25622",
+ "more_info_path": "/vulnerabilities/PVE-2021-25622/25622",
+ "specs": [
+ "<1.7"
+ ],
+ "v": "<1.7"
+ },
 {
 "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, which could allow the insertion of extra module parameters through variables.",
 "cve": "PVE-2021-25623",
@@ -3113,16 +3115,6 @@
 ],
 "v": "<1.8.3"
 },
- {
- "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
- "cve": "CVE-2015-3908",
- "id": "pyup.io-25625",
- "more_info_path": "/vulnerabilities/CVE-2015-3908/25625",
- "specs": [
- "<1.9.2"
- ],
- "v": "<1.9.2"
- },
 {
 "advisory": "Ansible 1.9.2 includes a fix for CVE-2015-6240: The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1243468",
 "cve": "CVE-2015-6240",
@@ -3134,15 +3126,14 @@
 "v": "<1.9.2"
 },
 {
- "advisory": "Ansible 1.9.5 and 2.0.0.0 include a security fix: Information disclosure of sensitive data in log files.\r\nhttps://github.com/ansible/ansible/commit/a65543bbafbd328e7848a99d2a570f71c43a53a0",
- "cve": "PVE-2023-99974",
- "id": "pyup.io-60834",
- "more_info_path": "/vulnerabilities/PVE-2023-99974/60834",
+ "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "cve": "CVE-2015-3908",
+ "id": "pyup.io-25625",
+ "more_info_path": "/vulnerabilities/CVE-2015-3908/25625",
 "specs": [
- "<1.9.5",
- "==2.0.0"
+ "<1.9.2"
 ],
- "v": "<1.9.5,==2.0.0"
+ "v": "<1.9.2"
 },
 {
 "advisory": "Ansible versions 2.1.4 and 2.2.1 include a fix for CVE-2016-9587: Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://www.exploit-db.com/exploits/41013/",
@@ -3150,10 +3141,10 @@
 "id": "pyup.io-33285",
 "more_info_path": "/vulnerabilities/CVE-2016-9587/33285",
 "specs": [
- "<2.1.4.0",
- ">2.1.4.0,<2.2.1.0"
+ "<2.1.4",
+ ">=2.2.0,<2.2.1"
 ],
- "v": "<2.1.4.0,>2.1.4.0,<2.2.1.0"
+ "v": "<2.1.4,>=2.2.0,<2.2.1"
 },
 {
 "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.",
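Review bot: The rewritten CVE-2016-9587 lower bound `>=2.2.0,<2.2.1` excludes PEP 440 pre-releases of 2.2.0 (a `2.2.0rc1` sorts below `2.2.0`), whereas the same commit widens the other ansible ranges to `>=X.Y.0a0`/`b1` forms precisely so that pre-releases are matched. If the intent here is the same, this should read `">=2.2.0a0,<2.2.1"` with the `"v"` string updated to match. The new shape is otherwise an improvement: the old `>2.1.4.0,<2.2.1.0` flagged 2.1.x patch releases after 2.1.4 even though the advisory text names 2.1.4 as the fix.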
@@ -3205,6 +3196,89 @@
 ],
 "v": "<2.3.1"
 },
+ {
+ "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876",
+ "cve": "CVE-2018-16876",
+ "id": "pyup.io-42889",
+ "more_info_path": "/vulnerabilities/CVE-2018-16876/42889",
+ "specs": [
+ "<2.5.14",
+ ">=2.6.0a0,<2.6.11",
+ ">=2.7.0a0,<2.7.5"
+ ],
+ "v": "<2.5.14,>=2.6.0a0,<2.6.11,>=2.7.0a0,<2.7.5"
+ },
+ {
+ "advisory": "A vulnerability in versions of the Ansible solaris_zone module permits an attacker to execute arbitrary commands on a Solaris host. This issue arises when the module checks the zone name by using a basic 'ps' command, enabling the attack through a maliciously crafted zone name. This flaw poses a risk to various versions of Ansible Engine, exposing systems to potential unauthorized command execution.",
+ "cve": "CVE-2019-14904",
+ "id": "pyup.io-68097",
+ "more_info_path": "/vulnerabilities/CVE-2019-14904/68097",
+ "specs": [
+ "<2.7.15",
+ ">=2.8.0a1,<2.8.7",
+ ">=2.9.0b1,<2.9.2"
+ ],
+ "v": "<2.7.15,>=2.8.0a1,<2.8.7,>=2.9.0b1,<2.9.2"
+ },
+ {
+ "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733",
+ "cve": "CVE-2020-1733",
+ "id": "pyup.io-42879",
+ "more_info_path": "/vulnerabilities/CVE-2020-1733/42879",
+ "specs": [
+ "<2.7.17",
+ ">=2.8.0a0,<2.8.11",
+ ">=2.9.0a0,<2.9.7"
+ ],
+ "v": "<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7"
+ },
+ {
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739",
+ "cve": "CVE-2020-1739",
+ "id": "pyup.io-42871",
+ "more_info_path": "/vulnerabilities/CVE-2020-1739/42871",
+ "specs": [
+ "<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
+ ],
+ "v": "<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
+ },
+ {
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735",
+ "cve": "CVE-2020-1735",
+ "id": "pyup.io-42877",
+ "more_info_path": "/vulnerabilities/CVE-2020-1735/42877",
+ "specs": [
+ "<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
+ ],
+ "v": "<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
+ },
+ {
+ "advisory": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.",
+ "cve": "CVE-2020-10685",
+ "id": "pyup.io-54331",
+ "more_info_path": "/vulnerabilities/CVE-2020-10685/54331",
+ "specs": [
+ "<2.7.17",
+ ">=2.8.0a1,<2.8.11",
+ ">=2.9.0b1,<2.9.7"
+ ],
+ "v": "<2.7.17,>=2.8.0a1,<2.8.11,>=2.9.0b1,<2.9.7"
+ },
+ {
+ "advisory": "A flaw was found in the Ansible Engine, in ansible-engine affected versions, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, the default behaviour. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.",
+ "cve": "CVE-2020-14365",
+ "id": "pyup.io-54224",
+ "more_info_path": "/vulnerabilities/CVE-2020-14365/54224",
+ "specs": [
+ "<2.8.15",
+ ">=2.9.0b1,<2.9.13"
+ ],
+ "v": "<2.8.15,>=2.9.0b1,<2.9.13"
+ },
 {
 "advisory": "Ansible 2.9.18 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774",
 "cve": "CVE-2021-20178",
@@ -3215,17 +3289,6 @@
 ],
 "v": "<2.9.18"
 },
- {
- "advisory": "A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.",
- "cve": "CVE-2021-4112",
- "id": "pyup.io-62644",
- "more_info_path": "/vulnerabilities/CVE-2021-4112/62644",
- "specs": [
- "==2.0",
- "==2.1"
- ],
- "v": "==2.0,==2.1"
- },
 {
 "advisory": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.",
 "cve": "CVE-2020-14330",
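Review bot: The new CVE-2020-10685 advisory text is truncated mid-word in three places (`leaves the s ts unencrypted`, `the decryp emains`, `normally is encrypted ble.`) and should be re-pulled from the source before this lands; the CVE-2020-1733 text carries a similar extraction artefact in `iterating '/proc//cmdline'`, presumably `/proc/<pid>/cmdline` with the placeholder stripped as if it were a tag. Pre-release lower bounds are also inconsistent between entries that share the same fixed versions: CVE-2020-1733 uses `>=2.8.0a0`/`>=2.9.0a0` while CVE-2020-10685 uses `>=2.8.0a1`/`>=2.9.0b1` for the identical 2.8.11/2.9.7 fixes, so one convention should be chosen. The re-added CVE-2020-14365 record has lost the concrete affected ranges from its text (`2.8.x before 2.8.15 and 2.9.x before 2.9.13`, still visible in the removed copy further down) and now says only `in ansible-engine affected versions`; restoring them is worthwhile since the spec fields are the only place that information now lives.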
@@ -3246,6 +3309,18 @@
 ],
 "v": ">=0,<2.2.1.0"
 },
+ {
+ "advisory": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.",
+ "cve": "CVE-2018-16837",
+ "id": "pyup.io-54010",
+ "more_info_path": "/vulnerabilities/CVE-2018-16837/54010",
+ "specs": [
+ ">=0,<2.5.11",
+ ">=2.6.0a1,<2.6.9",
+ ">=2.7.0.dev0,<2.7.1"
+ ],
+ "v": ">=0,<2.5.11,>=2.6.0a1,<2.6.9,>=2.7.0.dev0,<2.7.1"
+ },
 {
 "advisory": "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.",
 "cve": "CVE-2019-14846",
@@ -3253,10 +3328,10 @@
 "more_info_path": "/vulnerabilities/CVE-2019-14846/54288",
 "specs": [
 ">=0,<2.6.20",
- ">=2.7.0,<2.7.14",
- ">=2.8.0,<2.8.6"
+ ">=2.7.0a0,<2.7.14",
+ ">=2.8.0a0,<2.8.6"
 ],
- "v": ">=0,<2.6.20,>=2.7.0,<2.7.14,>=2.8.0,<2.8.6"
+ "v": ">=0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6"
 },
 {
 "advisory": "A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.",
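Review bot: The added CVE-2018-16837 text contains a typo that changes its meaning, `This could lean in undesirable situations`, and the following fragment is not a sentence; suggested wording: `This could lead to undesirable situations such as passphrases or credentials being passed as parameters to the ssh-keygen executable, exposing them in clear text to every user who can read the process list.`. Its lower bounds (`>=2.6.0a1`, `>=2.7.0.dev0`) differ from the `>=2.7.0a0`/`>=2.8.0a0` form the next hunk adopts for CVE-2019-14846; `.dev0` sorts below `a0` under PEP 440, so the two entries would treat a dev build of the same branch differently, and one convention should be used across the ansible key.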
@@ -3275,10 +3350,10 @@
 "more_info_path": "/vulnerabilities/CVE-2020-1746/54284",
 "specs": [
 ">=0,<2.7.17",
- ">=2.8.0,<2.8.11",
- ">=2.9.0,<2.9.7"
+ ">=2.8.0a0,<2.8.11",
+ ">=2.9.0b1,<2.9.7"
 ],
- "v": ">=0,<2.7.17,>=2.8.0,<2.8.11,>=2.9.0,<2.9.7"
+ "v": ">=0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0b1,<2.9.7"
 },
 {
 "advisory": "A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.",
@@ -3287,10 +3362,10 @@
 "more_info_path": "/vulnerabilities/CVE-2020-1737/54191",
 "specs": [
 ">=0,<2.7.17",
- ">=2.8.0,<2.8.9",
- ">=2.9.0,<2.9.6"
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0b1,<2.9.6"
 ],
- "v": ">=0,<2.7.17,>=2.8.0,<2.8.9,>=2.9.0,<2.9.6"
+ "v": ">=0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0b1,<2.9.6"
 },
 {
 "advisory": "A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.",
@@ -3299,10 +3374,10 @@
 "more_info_path": "/vulnerabilities/CVE-2020-1753/54240",
 "specs": [
 ">=0,<2.7.18",
- ">=2.8.0,<2.8.11",
- ">=2.9.0,<2.9.7"
+ ">=2.8.0a0,<2.8.11",
+ ">=2.9.0b1,<2.9.7"
 ],
- "v": ">=0,<2.7.18,>=2.8.0,<2.8.11,>=2.9.0,<2.9.7"
+ "v": ">=0,<2.7.18,>=2.8.0a0,<2.8.11,>=2.9.0b1,<2.9.7"
 },
 {
 "advisory": "A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.",
@@ -3311,20 +3386,9 @@
 "more_info_path": "/vulnerabilities/CVE-2020-14332/54226",
 "specs": [
 ">=0,<2.8.14",
- ">=2.9.0,<2.9.12"
- ],
- "v": ">=0,<2.8.14,>=2.9.0,<2.9.12"
- },
- {
- "advisory": "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.",
- "cve": "CVE-2020-14365",
- "id": "pyup.io-54224",
- "more_info_path": "/vulnerabilities/CVE-2020-14365/54224",
- "specs": [
- ">=0,<2.8.15",
- ">=2.9.0,<2.9.13"
+ ">=2.9.0b1,<2.9.12"
 ],
- "v": ">=0,<2.8.15,>=2.9.0,<2.9.13"
+ "v": ">=0,<2.8.14,>=2.9.0b1,<2.9.12"
 },
 {
 "advisory": "Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine's ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from `set_options`. The highest threat from this vulnerability is confidentiality.",
@@ -3346,16 +3410,6 @@
 ],
 "v": ">=0,<2.9.6"
 },
- {
- "advisory": "A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.",
- "cve": "CVE-2019-14858",
- "id": "pyup.io-54153",
- "more_info_path": "/vulnerabilities/CVE-2019-14858/54153",
- "specs": [
- ">=2.0,<2.8.1"
- ],
- "v": ">=2.0,<2.8.1"
- },
 {
 "advisory": "Ansible 1.9.6 and 2.0.2 include a fix for CVE-2016-3096: The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.",
 "cve": "CVE-2016-3096",
@@ -3368,14 +3422,28 @@
 "v": ">=2.0.0.0,<2.0.2,<1.9.6"
 },
 {
- "advisory": "Ansible 2.4.0.0rc1 includes a security fix: There is a mismatch between two hash formats that causes the generation of a relatively shorter salt value (8 characters), which would make it easier to do dictionary/brute force attacks.\r\nhttps://github.com/ansible/ansible/commit/f5aa9df1fddb4448d5d81fbb9d03bb82a16eda52",
- "cve": "PVE-2023-60874",
- "id": "pyup.io-60874",
- "more_info_path": "/vulnerabilities/PVE-2023-60874/60874",
+ "advisory": "Ansible 2.1.0.0 include a security fix: Information disclosure of sensitive data in log files.",
+ "cve": "PVE-2023-99974",
+ "id": "pyup.io-60834",
+ "more_info_path": "/vulnerabilities/PVE-2023-99974/60834",
+ "specs": [
+ ">=2.0.0.0,<2.1.0.0"
+ ],
+ "v": ">=2.0.0.0,<2.1.0.0"
+ },
+ {
+ "advisory": "A vulnerability was found in Ansible engine and Ansible tower. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.",
+ "cve": "CVE-2019-14858",
+ "id": "pyup.io-54153",
+ "more_info_path": "/vulnerabilities/CVE-2019-14858/54153",
 "specs": [
- ">=2.0.0.1,<=2.4.0.0rc1"
+ ">=2.10.0a1,<2.10.0b1",
+ ">=2.9.0b1,<2.9.0",
+ ">=2.8.0a1,<2.8.6",
+ ">=2.7.0.dev0,<2.7.14",
+ "<2.6.20"
 ],
- "v": ">=2.0.0.1,<=2.4.0.0rc1"
+ "v": ">=2.10.0a1,<2.10.0b1,>=2.9.0b1,<2.9.0,>=2.8.0a1,<2.8.6,>=2.7.0.dev0,<2.7.14,<2.6.20"
 },
 {
 "advisory": "A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.",
@@ -3383,33 +3451,11 @@
 "id": "pyup.io-54286",
 "more_info_path": "/vulnerabilities/CVE-2021-20228/54286",
 "specs": [
- ">=2.10.0,<2.10.7",
- ">=2.9.0,<2.9.18",
+ ">=2.10.0a1,<2.10.7",
+ ">=2.9.0b1,<2.9.18",
 ">=0,<2.8.19"
 ],
- "v": ">=2.10.0,<2.10.7,>=2.9.0,<2.9.18,>=0,<2.8.19"
- },
- {
- "advisory": "There exists a vulnerability in Ansible versions v2.4 through to v2.5devel, which allows for the disclosure of passwords in the response. To rectify this issue, the password should be removed from the response. This vulnerability could potentially allow for a man-in-the-middle attack, in which the perpetrator could intercept the response to obtain the password.",
- "cve": "PVE-2023-99966",
- "id": "pyup.io-60875",
- "more_info_path": "/vulnerabilities/PVE-2023-99966/60875",
- "specs": [
- ">=2.4.0.0,<2.5.0"
- ],
- "v": ">=2.4.0.0,<2.5.0"
- },
- {
- "advisory": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.",
- "cve": "CVE-2018-10875",
- "id": "pyup.io-54289",
- "more_info_path": "/vulnerabilities/CVE-2018-10875/54289",
- "specs": [
- ">=2.5,<2.5.6",
- ">=2.6,<2.6.1",
- "<2.4.6.0"
- ],
- "v": ">=2.5,<2.5.6,>=2.6,<2.6.1,<2.4.6.0"
+ "v": ">=2.10.0a1,<2.10.7,>=2.9.0b1,<2.9.18,>=0,<2.8.19"
 },
 {
 "advisory": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
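Review bot: The new PVE-2023-99974 record's advisory text, `"Ansible 2.1.0.0 include a security fix: Information disclosure of sensitive data in log files."`, has a grammar slip and is too thin to act on; every other record in this section names the affected component or carries a reference. Suggest at least `"Ansible 2.1.0.0 includes a security fix: ..."` and, if the upstream source has one, a reference in the same `\r\nhttps://...` form the neighbouring records use. The re-added CVE-2019-14858 record drops the version scope its removed copy stated in prose (`engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5`), so `specs` is now the only statement of what is affected; that is acceptable if the specs are authoritative, but the new list mixes four different lower-bound conventions (`>=2.7.0.dev0`, `>=2.8.0a1`, `>=2.9.0b1`, `>=2.10.0a1` and a bare `<2.6.20`), which makes the record hard to audit against the advisory. The -3368 hunk's enclosing array continues outside this hunk.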
@@ -3417,10 +3463,10 @@
 "id": "pyup.io-54290",
 "more_info_path": "/vulnerabilities/CVE-2018-10855/54290",
 "specs": [
- ">=2.5.0,<2.5.5",
+ ">=2.5.0a1,<2.5.5",
 ">=2.4.0,<2.4.5"
 ],
- "v": ">=2.5.0,<2.5.5,>=2.4.0,<2.4.5"
+ "v": ">=2.5.0a1,<2.5.5,>=2.4.0,<2.4.5"
 },
 {
 "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
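Review bot: The prerelease lower bound is applied to only one of the two branches in the CVE-2018-10855 record: the 2.5 range becomes `">=2.5.0a1,<2.5.5"` while the 2.4 range stays `">=2.4.0,<2.4.5"`, so 2.4.0 prereleases are now treated as unaffected although the advisory text says 2.4 prior to 2.4.5 is vulnerable. If the point of this sweep is to cover prereleases, the 2.4 bound should follow the same convention (`">=2.4.0a1,<2.4.5"` and the matching `v` string); if 2.4 prereleases are deliberately excluded, that asymmetry needs to be recorded in the commit message, since the data format cannot express the reason.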
@@ -3428,21 +3474,21 @@
 "id": "pyup.io-54564",
 "more_info_path": "/vulnerabilities/CVE-2022-3697/54564",
 "specs": [
- ">=2.5.0,<7.0.0"
+ ">=2.5.0a1,<7.0.0"
 ],
- "v": ">=2.5.0,<7.0.0"
+ "v": ">=2.5.0a1,<7.0.0"
 },
 {
- "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876",
- "cve": "CVE-2018-16876",
- "id": "pyup.io-42889",
- "more_info_path": "/vulnerabilities/CVE-2018-16876/42889",
+ "advisory": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.",
+ "cve": "CVE-2018-10875",
+ "id": "pyup.io-54289",
+ "more_info_path": "/vulnerabilities/CVE-2018-10875/54289",
 "specs": [
- ">=2.5.0a0,<2.5.14",
- ">=2.6.0a0,<2.6.11",
- ">=2.7.0a0,<2.7.5"
+ ">=2.5a1,<2.5.6",
+ ">=2.6a1,<2.6.1",
+ "<2.4.6.0"
 ],
- "v": ">=2.5.0a0,<2.5.14,>=2.6.0a0,<2.6.11,>=2.7.0a0,<2.7.5"
+ "v": ">=2.5a1,<2.5.6,>=2.6a1,<2.6.1,<2.4.6.0"
 },
 {
 "advisory": "Ansible 2.5.15, 2.6.14 and 2.7.8 include a fix for CVE-2019-3828: Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local Ansible controller host by not restricting an absolute path.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828\r\nhttps://github.com/ansible/ansible/pull/52133",
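Review bot: The specifiers in the re-added CVE-2018-10875 record, `">=2.5a1,<2.5.6"` and `">=2.6a1,<2.6.1"`, use a two-component prerelease form that no other record in this section uses; the convention everywhere else, including the CVE-2022-3697 change at the top of the same hunk, is the three-component `>=2.5.0a1`. PEP 440 normalises `2.5a1` and `2.5.0a1` to the same version, so a compliant parser will match identically, but any consumer that compares or deduplicates on the `v` strings textually will treat these as distinct ranges. Suggest `">=2.5.0a1,<2.5.6"`, `">=2.6.0a1,<2.6.1"` and the matching `"v": ">=2.5.0a1,<2.5.6,>=2.6.0a1,<2.6.1,<2.4.6.0"`.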
@@ -3457,64 +3503,30 @@
 "v": ">=2.6.0a0,<2.6.14,>=2.7.0a0,<2.7.8,<2.5.15"
 },
 {
- "advisory": "Ansible versions 2.6.20, 2.7.14 and 2.8.6 include a fix for CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856",
+ "advisory": "Affected versions of Ansible are vulnerable to CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.",
 "cve": "CVE-2019-14856",
 "id": "pyup.io-42884",
 "more_info_path": "/vulnerabilities/CVE-2019-14856/42884",
 "specs": [
 ">=2.6.0a0,<2.6.20",
 ">=2.7.0a0,<2.7.14",
- ">=2.8.0a0,<2.8.6"
- ],
- "v": ">=2.6.0a0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6"
- },
- {
- "advisory": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.",
- "cve": "CVE-2018-16837",
- "id": "pyup.io-54010",
- "more_info_path": "/vulnerabilities/CVE-2018-16837/54010",
- "specs": [
- ">=2.7,<2.7.1",
- ">=2.6,<2.6.7",
- ">=0,<2.5.11"
- ],
- "v": ">=2.7,<2.7.1,>=2.6,<2.6.7,>=0,<2.5.11"
- },
- {
- "advisory": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.",
- "cve": "CVE-2019-14905",
- "id": "pyup.io-54155",
- "more_info_path": "/vulnerabilities/CVE-2019-14905/54155",
- "specs": [
- ">=2.7.0,<2.7.16",
- ">=2.8.0,<2.8.8",
- ">=2.9.0,<2.9.3"
+ ">=2.8.0a0,<2.8.6",
+ ">=2.10.0a1,<2.10.0b1",
+ ">=2.9.0b1,<2.9.0rc4"
 ],
- "v": ">=2.7.0,<2.7.16,>=2.8.0,<2.8.8,>=2.9.0,<2.9.3"
+ "v": ">=2.6.0a0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6,>=2.10.0a1,<2.10.0b1,>=2.9.0b1,<2.9.0rc4"
 },
 {
- "advisory": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.",
- "cve": "CVE-2020-10685",
- "id": "pyup.io-54331",
- "more_info_path": "/vulnerabilities/CVE-2020-10685/54331",
- "specs": [
- ">=2.7.0,<2.7.17",
- ">=2.8.0,<2.8.11",
- ">=2.9.0,<2.9.7"
- ],
- "v": ">=2.7.0,<2.7.17,>=2.8.0,<2.8.11,>=2.9.0,<2.9.7"
- },
- {
- "advisory": "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.",
- "cve": "CVE-2018-16859",
- "id": "pyup.io-54011",
- "more_info_path": "/vulnerabilities/CVE-2018-16859/54011",
+ "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156",
+ "cve": "CVE-2019-10156",
+ "id": "pyup.io-42887",
+ "more_info_path": "/vulnerabilities/CVE-2019-10156/42887",
 "specs": [
- ">=2.7.0,<2.7.4",
- ">=0,<2.5.13",
- ">=2.6.0,<2.6.10"
+ ">=2.7.0a0,<2.7.12",
+ ">=2.8.0a1,<2.8.2",
+ "<2.6.18"
 ],
- "v": ">=2.7.0,<2.7.4,>=0,<2.5.13,>=2.6.0,<2.6.10"
+ "v": ">=2.7.0a0,<2.7.12,>=2.8.0a1,<2.8.2,<2.6.18"
 },
 {
 "advisory": "Ansible versions 2.7.15, 2.8.7 and 2.9.1 include a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864",
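Review bot: The re-added CVE-2019-10156 record mixes two different "any prerelease" markers in one specs list, `">=2.7.0a0,<2.7.12"` next to `">=2.8.0a1,<2.8.2"`, and the CVE-2019-14856 record above it now does the same (`>=2.8.0a0` alongside `>=2.10.0a1` and `>=2.9.0b1`). Both `2.7.0a0` and `2.8.0a1` sort before any real release under PEP 440, so matching is unaffected, but the mix reads as if the ranges were produced by two different conventions and makes the data harder to audit; one marker per package would be clearer. The rewritten CVE-2019-14856 advisory also loses its opening sentence naming the fixed releases (2.6.20, 2.7.14 and 2.8.6) and the bugzilla reference, so the remediation guidance that sibling records carry in their text is now only recoverable from `specs`; restoring `"Ansible versions 2.6.20, 2.7.14 and 2.8.6 include a fix for CVE-2019-14856: ..."` would keep it consistent with its neighbours.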
@@ -3529,34 +3541,10 @@
 "v": ">=2.7.0a0,<2.7.15,>=2.8.0a0,<2.8.7,>=2.9.0a0,<2.9.1"
 },
 {
- "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733",
- "cve": "CVE-2020-1733",
- "id": "pyup.io-42879",
- "more_info_path": "/vulnerabilities/CVE-2020-1733/42879",
- "specs": [
- ">=2.7.0a0,<2.7.17",
- ">=2.8.0a0,<2.8.11",
- ">=2.9.0a0,<2.9.7"
- ],
- "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7"
- },
- {
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735",
- "cve": "CVE-2020-1735",
- "id": "pyup.io-42877",
- "more_info_path": "/vulnerabilities/CVE-2020-1735/42877",
- "specs": [
- ">=2.7.0a0,<2.7.17",
- ">=2.8.0a0,<2.8.9",
- ">=2.9.0a0,<2.9.6"
- ],
- "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
- },
- {
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739",
- "cve": "CVE-2020-1739",
- "id": "pyup.io-42871",
- "more_info_path": "/vulnerabilities/CVE-2020-1739/42871",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684",
+ "cve": "CVE-2020-10684",
+ "id": "pyup.io-42864",
+ "more_info_path": "/vulnerabilities/CVE-2020-10684/42864",
 "specs": [
 ">=2.7.0a0,<2.7.17",
 ">=2.8.0a0,<2.8.9",
@@ -3589,28 +3577,28 @@
 "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
 },
 {
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684",
- "cve": "CVE-2020-10684",
- "id": "pyup.io-42864",
- "more_info_path": "/vulnerabilities/CVE-2020-10684/42864",
+ "advisory": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.",
+ "cve": "CVE-2019-14905",
+ "id": "pyup.io-54155",
+ "more_info_path": "/vulnerabilities/CVE-2019-14905/54155",
 "specs": [
- ">=2.7.0a0,<2.7.17",
- ">=2.8.0a0,<2.8.9",
- ">=2.9.0a0,<2.9.6"
+ ">=2.7.0a1,<2.7.16",
+ ">=2.8.0a1,<2.8.8",
+ ">=2.9.0b1,<2.9.3"
 ],
- "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
+ "v": ">=2.7.0a1,<2.7.16,>=2.8.0a1,<2.8.8,>=2.9.0b1,<2.9.3"
 },
 {
- "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156",
- "cve": "CVE-2019-10156",
- "id": "pyup.io-42887",
- "more_info_path": "/vulnerabilities/CVE-2019-10156/42887",
+ "advisory": "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.",
+ "cve": "CVE-2018-16859",
+ "id": "pyup.io-54011",
+ "more_info_path": "/vulnerabilities/CVE-2018-16859/54011",
 "specs": [
- ">=2.8.0a0,<2.8.2",
- ">=2.7.0a0,<2.7.12",
- ">=2.6.0a0,<2.6.18"
+ ">=2.7.0a1,<2.7.4",
+ ">=0,<2.5.13",
+ ">=2.6.0a1,<2.6.10"
 ],
- "v": ">=2.8.0a0,<2.8.2,>=2.7.0a0,<2.7.12,>=2.6.0a0,<2.6.18"
+ "v": ">=2.7.0a1,<2.7.4,>=0,<2.5.13,>=2.6.0a1,<2.6.10"
 },
 {
 "advisory": "Ansible 2.8.4 includes a fix for CVE-2019-10217: A flaw was found in Ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all GCP modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running Ansible playbooks.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217",
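Review bot: The re-added CVE-2019-14905 record's advisory says `2.7.x before 2.7.16 and earlier` are affected, but its specs start at `">=2.7.0a1,<2.7.16"`, so 2.6 and older releases are never flagged even though the text claims they are vulnerable. The record carried the same mismatch before this commit, but since its specs were rewritten here this is the moment to settle it: either replace the first range with the open-ended `"<2.7.16"` (the form the CVE-2019-10156 record uses with `"<2.6.18"`) and update `v` to match, or correct the text so it no longer claims earlier branches. The CVE-2018-16859 record in the same hunk is consistent with its own text; its `>=0,<2.5.13` range already covers the old releases.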
@@ -3630,9 +3618,9 @@
 "specs": [
 ">=2.8.0a0,<2.8.4",
 ">=2.7.0a0,<2.7.13",
- ">=2.6.0a0,<2.6.19"
+ "<2.6.19"
 ],
- "v": ">=2.8.0a0,<2.8.4,>=2.7.0a0,<2.7.13,>=2.6.0a0,<2.6.19"
+ "v": ">=2.8.0a0,<2.8.4,>=2.7.0a0,<2.7.13,<2.6.19"
 },
 {
 "advisory": "Ansible versions 2.7.16, 2.8.8 and 2.9.3 include a fix for CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1776944",
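Review bot: Replacing `">=2.6.0a0,<2.6.19"` with the open-ended `"<2.6.19"` in the CVE-2019-10217 record widens it to every release before 2.6 as well, while the advisory text (outside this hunk, at the record's start) still says `A flaw was found in Ansible 2.8.0 before 2.8.4`; the text and the range now disagree on whether 2.5 and older are affected. If the widening is intentional, the advisory text should state the affected range so consumers are not left with a spec that contradicts its own description; if it is not, the previous bounded range was the accurate one and should be restored together with the matching `v` string.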
@@ -3657,25 +3645,15 @@
 ],
 "v": ">=2.8.0a1,<2.8.19,>=2.9.0b1,<2.9.18"
 },
- {
- "advisory": "A vulnerability in versions of the Ansible solaris_zone module permits an attacker to execute arbitrary commands on a Solaris host. This issue arises when the module checks the zone name by using a basic 'ps' command, enabling the attack through a maliciously crafted zone name. This flaw poses a risk to various versions of Ansible Engine, exposing systems to potential unauthorized command execution.",
- "cve": "CVE-2019-14904",
- "id": "pyup.io-68097",
- "more_info_path": "/vulnerabilities/CVE-2019-14904/68097",
- "specs": [
- ">=2.9.0,<2.9.2"
- ],
- "v": ">=2.9.0,<2.9.2"
- },
 {
 "advisory": "An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.",
 "cve": "CVE-2020-10691",
 "id": "pyup.io-54172",
 "more_info_path": "/vulnerabilities/CVE-2020-10691/54172",
 "specs": [
- ">=2.9.0,<2.9.7"
+ ">=2.9.0b1,<2.9.7"
 ],
- "v": ">=2.9.0,<2.9.7"
+ "v": ">=2.9.0b1,<2.9.7"
 }
 ],
 "ansible-core": [
@@ -4288,20 +4266,20 @@
 "v": "<1.9.0a0"
 },
 {
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-40195.",
- "cve": "CVE-2023-40195",
- "id": "pyup.io-63170",
- "more_info_path": "/vulnerabilities/CVE-2023-40195/63170",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. Therefore, it is affected by CVE-2022-38362.",
+ "cve": "CVE-2022-38362",
+ "id": "pyup.io-63172",
+ "more_info_path": "/vulnerabilities/CVE-2022-38362/63172",
 "specs": [
 "<2.0.0b1"
 ],
 "v": "<2.0.0b1"
 },
 {
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Sqoop provider integration. Therefore, it is affected by CVE-2023-25693.",
- "cve": "CVE-2023-25693",
- "id": "pyup.io-63178",
- "more_info_path": "/vulnerabilities/CVE-2023-25693/63178",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the JDBC provider integration. Therefore, it is affected by CVE-2023-22886.",
+ "cve": "CVE-2023-22886",
+ "id": "pyup.io-63171",
+ "more_info_path": "/vulnerabilities/CVE-2023-22886/63171",
 "specs": [
 "<2.0.0b1"
 ],
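Review bot: The records touched in this hunk are not changed, only permuted: the removed CVE-2023-40195 and CVE-2023-25693 records come back verbatim at -4328, and the CVE-2022-38362 and CVE-2023-22886 records added here are the ones removed at -4358, so the six provider-bundling records carry the same content before and after. The same churn makes up the hunks at -4328, -4358, -4449/-4459/-4469 (three identical 'tar' records rotating their CVE ids), -4488, -4517/-4547, -4568/-4607, -4637/-4667 and -4797/-4847. Pure moves bury the substantive edits in the ansible section and make genuine record drops easy to miss in review; emitting records in a stable order when the file is regenerated (for example sorted by `id` within each package) would keep these diffs to the real changes.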
@@ -4328,10 +4306,20 @@
 "v": "<2.0.0b1"
 },
 {
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2023-25696.",
- "cve": "CVE-2023-25696",
- "id": "pyup.io-63179",
- "more_info_path": "/vulnerabilities/CVE-2023-25696/63179",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Sqoop provider integration. Therefore, it is affected by CVE-2023-25693.",
+ "cve": "CVE-2023-25693",
+ "id": "pyup.io-63178",
+ "more_info_path": "/vulnerabilities/CVE-2023-25693/63178",
+ "specs": [
+ "<2.0.0b1"
+ ],
+ "v": "<2.0.0b1"
+ },
+ {
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-40195.",
+ "cve": "CVE-2023-40195",
+ "id": "pyup.io-63170",
+ "more_info_path": "/vulnerabilities/CVE-2023-40195/63170",
 "specs": [
 "<2.0.0b1"
 ],
@@ -4358,30 +4346,20 @@
 "v": "<2.0.0b1"
 },
 {
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.",
- "cve": "CVE-2022-46421",
- "id": "pyup.io-63180",
- "more_info_path": "/vulnerabilities/CVE-2022-46421/63180",
- "specs": [
- "<2.0.0b1"
- ],
- "v": "<2.0.0b1"
- },
- {
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. Therefore, it is affected by CVE-2022-38362.",
- "cve": "CVE-2022-38362",
- "id": "pyup.io-63172",
- "more_info_path": "/vulnerabilities/CVE-2022-38362/63172",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2023-25696.",
+ "cve": "CVE-2023-25696",
+ "id": "pyup.io-63179",
+ "more_info_path": "/vulnerabilities/CVE-2023-25696/63179",
 "specs": [
 "<2.0.0b1"
 ],
 "v": "<2.0.0b1"
 },
 {
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the JDBC provider integration. Therefore, it is affected by CVE-2023-22886.",
- "cve": "CVE-2023-22886",
- "id": "pyup.io-63171",
- "more_info_path": "/vulnerabilities/CVE-2023-22886/63171",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.",
+ "cve": "CVE-2022-46421",
+ "id": "pyup.io-63180",
+ "more_info_path": "/vulnerabilities/CVE-2022-46421/63180",
 "specs": [
 "<2.0.0b1"
 ],
@@ -4427,6 +4405,16 @@
 ],
 "v": "<2.1.2"
 },
+ {
+ "advisory": "Apache Airflow, in affected versions, contains a vulnerability where a malicious provider could exploit a cross-site scripting (XSS) attack through a provider documentation link. A malicious user could inject a JavaScript URL (e.g., `javascript:prompt(document.domain)`) into the provider's metadata. If a user clicks on this crafted link, it could trigger an XSS attack. The vulnerability requires the malicious provider to be installed on the web server and the user to interact with the malicious link.",
+ "cve": "CVE-2024-41937",
+ "id": "pyup.io-72974",
+ "more_info_path": "/vulnerabilities/CVE-2024-41937/72974",
+ "specs": [
+ "<2.10.0"
+ ],
+ "v": "<2.10.0"
+ },
 {
 "advisory": "Apache-airflow 2.2.5 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/apache/airflow/pull/20699",
 "cve": "PVE-2023-60199",
@@ -4449,9 +4437,9 @@
 },
 {
 "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'tar' requirement to '>=6.1.9' to include security fixes.",
- "cve": "CVE-2021-37713",
- "id": "pyup.io-48618",
- "more_info_path": "/vulnerabilities/CVE-2021-37713/48618",
+ "cve": "CVE-2021-37701",
+ "id": "pyup.io-48616",
+ "more_info_path": "/vulnerabilities/CVE-2021-37701/48616",
 "specs": [
 "<2.3.0"
 ],
@@ -4459,9 +4447,9 @@
 },
 {
 "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'tar' requirement to '>=6.1.9' to include security fixes.",
- "cve": "CVE-2021-37712",
- "id": "pyup.io-48617",
- "more_info_path": "/vulnerabilities/CVE-2021-37712/48617",
+ "cve": "CVE-2021-37713",
+ "id": "pyup.io-48618",
+ "more_info_path": "/vulnerabilities/CVE-2021-37713/48618",
 "specs": [
 "<2.3.0"
 ],
@@ -4469,9 +4457,9 @@
 },
 {
 "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'tar' requirement to '>=6.1.9' to include security fixes.",
- "cve": "CVE-2021-37701",
- "id": "pyup.io-48616",
- "more_info_path": "/vulnerabilities/CVE-2021-37701/48616",
+ "cve": "CVE-2021-37712",
+ "id": "pyup.io-48617",
+ "more_info_path": "/vulnerabilities/CVE-2021-37712/48617",
 "specs": [
 "<2.3.0"
 ],
@@ -4488,20 +4476,20 @@
 "v": "<2.6.0"
 },
 {
- "advisory": "Execution with Unnecessary Privileges: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The \"Run Task\" feature enables authenticated users to bypass some of the restrictions put in place. It allows the execution of code in the webserver context as well as bypasses the limitation of access the user has to certain DAGs. The \"Run Task\" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0",
- "cve": "CVE-2023-39508",
- "id": "pyup.io-65021",
- "more_info_path": "/vulnerabilities/CVE-2023-39508/65021",
+ "advisory": "Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.",
+ "cve": "CVE-2023-25754",
+ "id": "pyup.io-62916",
+ "more_info_path": "/vulnerabilities/CVE-2023-25754/62916",
 "specs": [
 "<2.6.0"
 ],
 "v": "<2.6.0"
 },
 {
- "advisory": "Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.",
- "cve": "CVE-2023-25754",
- "id": "pyup.io-62916",
- "more_info_path": "/vulnerabilities/CVE-2023-25754/62916",
+ "advisory": "Execution with Unnecessary Privileges: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The \"Run Task\" feature enables authenticated users to bypass some of the restrictions put in place. It allows the execution of code in the webserver context as well as bypasses the limitation of access the user has to certain DAGs. The \"Run Task\" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0",
+ "cve": "CVE-2023-39508",
+ "id": "pyup.io-65021",
+ "more_info_path": "/vulnerabilities/CVE-2023-39508/65021",
 "specs": [
 "<2.6.0"
 ],
@@ -4517,16 +4505,6 @@
 ],
 "v": "<2.6.3"
 },
- {
- "advisory": "Apache Airflow affected versions are affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it.",
- "cve": "CVE-2022-46651",
- "id": "pyup.io-71689",
- "more_info_path": "/vulnerabilities/CVE-2022-46651/71689",
- "specs": [
- "<2.6.3"
- ],
- "v": "<2.6.3"
- },
 {
 "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected",
 "cve": "CVE-2023-22887",
@@ -4547,6 +4525,26 @@
 ],
 "v": "<2.6.3"
 },
+ {
+ "advisory": "Apache Airflow affected versions are affected by a vulnerability that allows unauthorized read access to a DAG through the URL.",
+ "cve": "CVE-2023-35908",
+ "id": "pyup.io-71688",
+ "more_info_path": "/vulnerabilities/CVE-2023-35908/71688",
+ "specs": [
+ "<2.6.3"
+ ],
+ "v": "<2.6.3"
+ },
+ {
+ "advisory": "Apache Airflow affected versions are affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it.",
+ "cve": "CVE-2022-46651",
+ "id": "pyup.io-71689",
+ "more_info_path": "/vulnerabilities/CVE-2022-46651/71689",
+ "specs": [
+ "<2.6.3"
+ ],
+ "v": "<2.6.3"
+ },
 {
 "advisory": "Apache Airflow affected versions have a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected",
 "cve": "CVE-2023-36543",
@@ -4568,30 +4566,30 @@
 "v": "<2.6.3"
 },
 {
- "advisory": "Apache Airflow affected versions are affected by a vulnerability that allows unauthorized read access to a DAG through the URL.",
- "cve": "CVE-2023-35908",
- "id": "pyup.io-71688",
- "more_info_path": "/vulnerabilities/CVE-2023-35908/71688",
+ "advisory": "Apache-airflow 2.7.0 disables support for the deserialize flag by default in the 'xcomEntries' API. This was an unsafe default, as deserialization may instantiates arbitrary objects.\r\nhttps://github.com/apache/airflow/pull/32176",
+ "cve": "PVE-2023-60962",
+ "id": "pyup.io-60962",
+ "more_info_path": "/vulnerabilities/PVE-2023-60962/60962",
 "specs": [
- "<2.6.3"
+ "<2.7.0"
 ],
- "v": "<2.6.3"
+ "v": "<2.7.0"
 },
 {
- "advisory": "Apache-airflow 2.7.0 disables default allowing the testing of connections in UI, API and CLI for security reasons.\r\nhttps://github.com/apache/airflow/pull/32052",
- "cve": "PVE-2023-60952",
- "id": "pyup.io-60952",
- "more_info_path": "/vulnerabilities/PVE-2023-60952/60952",
+ "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability",
+ "cve": "CVE-2023-39441",
+ "id": "pyup.io-65020",
+ "more_info_path": "/vulnerabilities/CVE-2023-39441/65020",
 "specs": [
 "<2.7.0"
 ],
 "v": "<2.7.0"
 },
 {
- "advisory": "Apache-airflow 2.7.0 disables support for the deserialize flag by default in the 'xcomEntries' API. This was an unsafe default, as deserialization may instantiates arbitrary objects.\r\nhttps://github.com/apache/airflow/pull/32176",
- "cve": "PVE-2023-60962",
- "id": "pyup.io-60962",
- "more_info_path": "/vulnerabilities/PVE-2023-60962/60962",
+ "advisory": "Apache-airflow 2.7.0 disables default allowing the testing of connections in UI, API and CLI for security reasons.\r\nhttps://github.com/apache/airflow/pull/32052",
+ "cve": "PVE-2023-60952",
+ "id": "pyup.io-60952",
+ "more_info_path": "/vulnerabilities/PVE-2023-60952/60952",
 "specs": [
 "<2.7.0"
 ],
@@ -4607,16 +4605,6 @@
 ],
 "v": "<2.7.0"
 },
- {
- "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability",
- "cve": "CVE-2023-39441",
- "id": "pyup.io-65020",
- "more_info_path": "/vulnerabilities/CVE-2023-39441/65020",
- "specs": [
- "<2.7.0"
- ],
- "v": "<2.7.0"
- },
 {
 "advisory": "Versions of Apache Airflow are susceptible to a vulnerability permitting authenticated and DAG-view authorized users to manipulate certain DAG run detail values, like configuration parameters and start dates, through note submission.",
 "cve": "CVE-2023-40611",
@@ -4637,16 +4625,6 @@ ], "v": "<2.7.1" }, - { - "advisory": "Apache Airflow contains a vulnerability where an authorized user with limited permissions can access task instance information across unintended DAGs, posing a risk to versions prior to 2.7.2. Users are encouraged to upgrade to mitigate this security risk.", - "cve": "CVE-2023-42663", - "id": "pyup.io-65393", - "more_info_path": "/vulnerabilities/CVE-2023-42663/65393", - "specs": [ - "<2.7.2" - ], - "v": "<2.7.2" - }, { "advisory": "A security vulnerability exists in versions of Apache Airflow that enables an authenticated user with limited permissions to potentially alter DAG resources they should not have access to, by crafting specific requests. This flaw could lead to unauthorized modification of DAGs, compromising the integrity of those processes.", "cve": "CVE-2023-42792", @@ -4667,6 +4645,16 @@ ], "v": "<2.7.2" }, + { + "advisory": "Apache Airflow contains a vulnerability where an authorized user with limited permissions can access task instance information across unintended DAGs, posing a risk to versions prior to 2.7.2. Users are encouraged to upgrade to mitigate this security risk.", + "cve": "CVE-2023-42663", + "id": "pyup.io-65393", + "more_info_path": "/vulnerabilities/CVE-2023-42663/65393", + "specs": [ + "<2.7.2" + ], + "v": "<2.7.2" + }, { "advisory": "Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\u00a0 This is a different issue than CVE-2023-42663 but leading to similar outcome.\r\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.", "cve": "CVE-2023-42781", 
@@ -4797,16 +4785,6 @@ ], "v": ">=0,<1.10.11" }, - { - "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.", - "cve": "CVE-2020-11983", - "id": "pyup.io-54181", - "more_info_path": "/vulnerabilities/CVE-2020-11983/54181", - "specs": [ - ">=0,<1.10.11rc1" - ], - "v": ">=0,<1.10.11rc1" - }, { "advisory": "Apache-airflow 1.10.11rc1 includes a fix for CVE-2020-11978: A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "cve": "CVE-2020-11978", @@ -4847,6 +4825,16 @@ ], "v": ">=0,<1.10.11rc1" }, + { + "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.", + "cve": "CVE-2020-11983", + "id": "pyup.io-54181", + "more_info_path": "/vulnerabilities/CVE-2020-11983/54181", + "specs": [ + ">=0,<1.10.11rc1" + ], + "v": ">=0,<1.10.11rc1" + }, { "advisory": "In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.", "cve": "CVE-2020-17511", 
@@ -4898,20 +4886,20 @@ "v": ">=0,<1.10.3b1" }, { - "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected.", - "cve": "CVE-2019-12398", - "id": "pyup.io-54139", - "more_info_path": "/vulnerabilities/CVE-2019-12398/54139", + "advisory": "Versions of Apache Airflow prior to 1.10.5 expose a vulnerability where the Databricks operator logs API keys in plaintext during task execution. This exposure results from the operator encouraging users to input their API key into a connection's \"extra\" field, which the Databricks hook subsequently logs, leading to information exposure.\r\nhttps://github.com/apache/airflow/pull/5635/commits/89f015e6c89392b6de61dab8ab90182e6ee42b74", + "cve": "PVE-2024-99796", + "id": "pyup.io-66019", + "more_info_path": "/vulnerabilities/PVE-2024-99796/66019", "specs": [ ">=0,<1.10.5" ], "v": ">=0,<1.10.5" }, { - "advisory": "Versions of Apache Airflow prior to 1.10.5 expose a vulnerability where the Databricks operator logs API keys in plaintext during task execution. This exposure results from the operator encouraging users to input their API key into a connection's \"extra\" field, which the Databricks hook subsequently logs, leading to information exposure.\r\nhttps://github.com/apache/airflow/pull/5635/commits/89f015e6c89392b6de61dab8ab90182e6ee42b74", - "cve": "PVE-2024-99796", - "id": "pyup.io-66019", - "more_info_path": "/vulnerabilities/PVE-2024-99796/66019", + "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. 
The new \"RBAC\" UI is unaffected.", + "cve": "CVE-2019-12398", + "id": "pyup.io-54139", + "more_info_path": "/vulnerabilities/CVE-2019-12398/54139", "specs": [ ">=0,<1.10.5" ], @@ -4927,16 +4915,6 @@ ], "v": ">=0,<1.10.6rc1" }, - { - "advisory": "In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the system.", - "cve": "CVE-2017-17836", - "id": "pyup.io-53950", - "more_info_path": "/vulnerabilities/CVE-2017-17836/53950", - "specs": [ - ">=0,<1.9.0" - ], - "v": ">=0,<1.9.0" - }, { "advisory": "It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.", "cve": "CVE-2017-12614", @@ -4957,6 +4935,16 @@ ], "v": ">=0,<1.9.0" }, + { + "advisory": "In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the system.", + "cve": "CVE-2017-17836", + "id": "pyup.io-53950", + "more_info_path": "/vulnerabilities/CVE-2017-17836/53950", + "specs": [ + ">=0,<1.9.0" + ], + "v": ">=0,<1.9.0" + }, { "advisory": "In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.\r\nhttps://github.com/apache/airflow/pull/2132", "cve": "CVE-2017-15720", 
@@ -4987,16 +4975,6 @@ ], "v": ">=0,<2.2.4rc1" }, - { - "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.", - "cve": "CVE-2022-38649", - "id": "pyup.io-54586", - "more_info_path": "/vulnerabilities/CVE-2022-38649/54586", - "specs": [ - ">=0,<2.3.0" - ], - "v": ">=0,<2.3.0" - }, { "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).", "cve": "CVE-2022-40954", 
@@ -5027,6 +5005,16 @@ ], "v": ">=0,<2.3.0" }, + { + "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.", + "cve": "CVE-2022-38649", + "id": "pyup.io-54586", + "more_info_path": "/vulnerabilities/CVE-2022-38649/54586", + "specs": [ + ">=0,<2.3.0" + ], + "v": ">=0,<2.3.0" + }, { "advisory": "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.", "cve": "CVE-2022-27949", 
@@ -5068,20 +5056,20 @@ "v": ">=0,<2.4.1" }, { - "advisory": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.", - "cve": "CVE-2022-43982", - "id": "pyup.io-54568", - "more_info_path": "/vulnerabilities/CVE-2022-43982/54568", + "advisory": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.", + "cve": "CVE-2022-43985", + "id": "pyup.io-54567", + "more_info_path": "/vulnerabilities/CVE-2022-43985/54567", "specs": [ ">=0,<2.4.2" ], "v": ">=0,<2.4.2" }, { - "advisory": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.", - "cve": "CVE-2022-43985", - "id": "pyup.io-54567", - "more_info_path": "/vulnerabilities/CVE-2022-43985/54567", + "advisory": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.", + "cve": "CVE-2022-43982", + "id": "pyup.io-54568", + "more_info_path": "/vulnerabilities/CVE-2022-43982/54568", "specs": [ ">=0,<2.4.2" ], 
@@ -5220,20 +5208,20 @@ "v": ">=1.10.0,<2.7.0" }, { - "advisory": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.", - "cve": "CVE-2021-26559", - "id": "pyup.io-54168", - "more_info_path": "/vulnerabilities/CVE-2021-26559/54168", + "advisory": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue only affects Apache Airflow 2.0.0.", + "cve": "CVE-2021-26697", + "id": "pyup.io-54461", + "more_info_path": "/vulnerabilities/CVE-2021-26697/54461", "specs": [ ">=2.0.0,<2.0.1" ], "v": ">=2.0.0,<2.0.1" }, { - "advisory": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue only affects Apache Airflow 2.0.0.", - "cve": "CVE-2021-26697", - "id": "pyup.io-54461", - "more_info_path": "/vulnerabilities/CVE-2021-26697/54461", + "advisory": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. 
This issue affects Apache Airflow 2.0.0.", + "cve": "CVE-2021-26559", + "id": "pyup.io-54168", + "more_info_path": "/vulnerabilities/CVE-2021-26559/54168", "specs": [ ">=2.0.0,<2.0.1" ], @@ -5441,6 +5429,16 @@ ], "v": "<=2021.3.3" }, + { + "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", + "cve": "CVE-2021-33026", + "id": "pyup.io-49926", + "more_info_path": "/vulnerabilities/CVE-2021-33026/49926", + "specs": [ + "<=2021.3.3" + ], + "v": "<=2021.3.3" + }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", @@ -5520,16 +5518,6 @@ "<=2021.3.3" ], "v": "<=2021.3.3" - }, - { - "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", - "cve": "CVE-2021-33026", - "id": "pyup.io-49926", - "more_info_path": "/vulnerabilities/CVE-2021-33026/49926", - "specs": [ - "<=2021.3.3" - ], - "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-apache-beam": [ 
@@ -6894,20 +6882,20 @@ "v": "<=2021.3.3" }, { - "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", - "cve": "CVE-2021-33026", - "id": "pyup.io-50006", - "more_info_path": "/vulnerabilities/CVE-2021-33026/50006", + "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", + "cve": "CVE-2021-23445", + "id": "pyup.io-49998", + "more_info_path": "/vulnerabilities/CVE-2021-23445/49998", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { - "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", - "cve": "CVE-2021-23445", - "id": "pyup.io-49998", - "more_info_path": "/vulnerabilities/CVE-2021-23445/49998", + "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", + "cve": "CVE-2021-33026", + "id": "pyup.io-50006", + "more_info_path": "/vulnerabilities/CVE-2021-33026/50006", "specs": [ "<=2021.3.3" ], @@ -7007,16 +6995,6 @@ } ], "apache-airflow-providers-amazon": [ - { - "advisory": "Apache-airflow-providers-amazon 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49833", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49833", - "specs": [ - "<=4.0.0" - ], - "v": "<=4.0.0" - }, { "advisory": "Apache-airflow-providers-amazon 4.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", 
@@ -7037,6 +7015,16 @@ ], "v": "<=4.0.0" }, + { + "advisory": "Apache-airflow-providers-amazon 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49833", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49833", + "specs": [ + "<=4.0.0" + ], + "v": "<=4.0.0" + }, { "advisory": "Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.\r\nhttps://github.com/apache/airflow/pull/29587", "cve": "CVE-2023-25956", @@ -7174,20 +7162,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49870", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49870", + "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49871", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49871", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49871", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49871", + "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49870", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49870", "specs": [ "<=3.0.0" ], 
@@ -7267,16 +7255,6 @@ ], "v": "<4.1.3" }, - { - "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49845", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49845", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", @@ -7297,6 +7275,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49845", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49845", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "Apache-airflow-providers-apache-spark is affected by CVE-2023-40195: Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\r\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.\r\nhttps://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html", "cve": "CVE-2023-40195", 
@@ -7427,16 +7415,6 @@ } ], "apache-airflow-providers-databricks": [ - { - "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49825", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49825", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", @@ -7456,6 +7434,16 @@ "<=3.0.0" ], "v": "<=3.0.0" + }, + { + "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49825", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49825", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" } ], "apache-airflow-providers-datadog": [ @@ -7512,20 +7500,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49816", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49816", + "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49815", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49815", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49815", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49815", + "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49816", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49816", "specs": [ "<=3.0.0" ], 
@@ -7545,16 +7533,6 @@ } ], "apache-airflow-providers-google": [ - { - "advisory": "Apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49885", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49885", - "specs": [ - "<=8.1.0" - ], - "v": "<=8.1.0" - }, { "advisory": "apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", @@ -7575,6 +7553,16 @@ ], "v": "<=8.1.0" }, + { + "advisory": "Apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49885", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49885", + "specs": [ + "<=8.1.0" + ], + "v": "<=8.1.0" + }, { "advisory": "Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.\r\nhttps://github.com/apache/airflow/pull/29499", "cve": "CVE-2023-25692", 
@@ -7618,20 +7606,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49878", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49878", + "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49879", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49879", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49879", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49879", + "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49878", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49878", "specs": [ "<=3.0.0" ], 
@@ -7650,20 +7638,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49813", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49813", + "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49814", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49814", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49814", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49814", + "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49813", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49813", "specs": [ "<=3.0.0" ], 
@@ -7714,20 +7702,20 @@ "v": "<=4.0.0" }, { - "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49876", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49876", + "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49875", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49875", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" }, { - "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49875", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49875", + "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49876", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49876", "specs": [ "<=4.0.0" ], 
@@ -7746,20 +7734,20 @@ "v": "<3.4.1" }, { - "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49829", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49829", + "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49827", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49827", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49827", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49827", + "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49829", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49829", "specs": [ "<=3.0.0" ], @@ -7777,16 +7765,6 @@ } ], "apache-airflow-providers-mongo": [ - { - "advisory": "Apache-airflow-providers-mongo 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49807", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49807", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-mongo 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", 
@@ -7807,6 +7785,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "Apache-airflow-providers-mongo 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49807", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49807", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "When SSL\u00a0was enabled for Mongo Hook, default settings included \"allow_insecure\" which caused that certificates were not validated. This was unexpected and undocumented.", "cve": "CVE-2024-25141", @@ -7830,20 +7818,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49831", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49831", + "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49832", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49832", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49832", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49832", + "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49831", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49831", "specs": [ "<=3.0.0" ], 
@@ -7861,6 +7849,16 @@ } ], "apache-airflow-providers-odbc": [ + { + "advisory": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\r\n\r\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\r\n\r\nIt is recommended to\u00a0upgrade to a version that is not affected", + "cve": "CVE-2023-35798", + "id": "pyup.io-64200", + "more_info_path": "/vulnerabilities/CVE-2023-35798/64200", + "specs": [ + "<4.0.0" + ], + "v": "<4.0.0" + }, { "advisory": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting version 4.0.0 driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0.", "cve": "CVE-2023-34395", 
@@ -7872,14 +7870,14 @@ "v": "<4.0.0" }, { - "advisory": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\r\n\r\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\r\n\r\nIt is recommended to\u00a0upgrade to a version that is not affected", - "cve": "CVE-2023-35798", - "id": "pyup.io-64200", - "more_info_path": "/vulnerabilities/CVE-2023-35798/64200", + "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49895", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49895", "specs": [ - "<4.0.0" + "<=3.0.0" ], - "v": "<4.0.0" + "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", @@ -7900,16 +7898,6 @@ "<=3.0.0" ], "v": "<=3.0.0" - }, - { - "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49895", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49895", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" } ], "apache-airflow-providers-oracle": [ 
@@ -8041,16 +8029,6 @@
 }
 ],
 "apache-airflow-providers-presto": [
- {
- "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49864",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49864",
- "specs": [
- "<=3.0.0"
- ],
- "v": "<=3.0.0"
- },
 {
 "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
 "cve": "PVE-2022-47833",
@@ -8070,19 +8048,19 @@
 "<=3.0.0"
 ],
 "v": "<=3.0.0"
- }
- ],
- "apache-airflow-providers-redis": [
+ },
 {
- "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
 "cve": "CVE-2022-29217",
- "id": "pyup.io-49873",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49873",
+ "id": "pyup.io-49864",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49864",
 "specs": [
 "<=3.0.0"
 ],
 "v": "<=3.0.0"
- },
+ }
+ ],
+ "apache-airflow-providers-redis": [
 {
 "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
 "cve": "PVE-2022-47833",
@@ -8093,6 +8071,16 @@
 ],
 "v": "<=3.0.0"
 },
+ {
+ "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49873",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49873",
+ "specs": [
+ "<=3.0.0"
+ ],
+ "v": "<=3.0.0"
+ },
 {
 "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
 "cve": "PVE-2021-42852",
@@ -8138,20 +8126,20 @@
 ],
 "apache-airflow-providers-sftp": [
 {
- "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49900",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49900",
+ "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49901",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49901",
 "specs": [
 "<=3.0.0"
 ],
 "v": "<=3.0.0"
 },
 {
- "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49901",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49901",
+ "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49900",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49900",
 "specs": [
 "<=3.0.0"
 ],
@@ -8308,20 +8296,20 @@
 "v": "<=3.0.0"
 },
 {
- "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49804",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49804",
+ "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49805",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49805",
 "specs": [
 "<=3.0.0"
 ],
 "v": "<=3.0.0"
 },
 {
- "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49805",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49805",
+ "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49804",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49804",
 "specs": [
 "<=3.0.0"
 ],
@@ -8351,16 +8339,6 @@
 ],
 "v": "<1.3.6"
 },
- {
- "advisory": "When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher\r\n\r\nAlias:\r\nGHSA-fp35-xrrr-3gph",
- "cve": "CVE-2022-34662",
- "id": "pyup.io-62760",
- "more_info_path": "/vulnerabilities/CVE-2022-34662/62760",
- "specs": [
- "<2.0.6"
- ],
- "v": "<2.0.6"
- },
 {
 "advisory": "Users have the ability to access any files through the log server. Apache-dolphinscheduler 2.0.5 (Python SDK) corresponds to DolphinScheduler version 2.0.5 Therefore, it is strongly recommended for users of Apache DolphinScheduler to update to version 2.0.6 or above. \r\n\r\nAlso known as: GHSA-vpgf-fgm8-gxr2",
 "cve": "CVE-2022-26884",
@@ -8392,7 +8370,17 @@
 "v": "<3.0.0"
 },
 {
- "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, that updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.",
+ "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, which is vulnerable to path traversal.",
+ "cve": "CVE-2022-34662",
+ "id": "pyup.io-62760",
+ "more_info_path": "/vulnerabilities/CVE-2022-34662/62760",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
+ },
+ {
+ "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, which updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.",
 "cve": "CVE-2022-26520",
 "id": "pyup.io-49234",
 "more_info_path": "/vulnerabilities/CVE-2022-26520/49234",
@@ -8402,15 +8390,14 @@
 "v": "<3.0.0"
 },
 {
- "advisory": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.\r\n\r\nAlias(es):\r\nGHSA-3xh5-8hvq-rc8x\r\nPYSEC-2023-4",
+ "advisory": "Apache-dolphinscheduler (Python API) 3.0.2 works together with apache-dolphinscheduler (core) 3.0.2, that is vulnerable to improper validation of script alert plugin parameters, which could lead to remote command execution.",
 "cve": "CVE-2022-45875",
 "id": "pyup.io-62774",
 "more_info_path": "/vulnerabilities/CVE-2022-45875/62774",
 "specs": [
- "<3.0.2",
- "==3.1.0"
+ "<3.0.2"
 ],
- "v": "<3.0.2,==3.1.0"
+ "v": "<3.0.2"
 },
 {
 "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.",
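Review bot: The new `specs` for CVE-2022-45875 in the second hunk drop `==3.1.0`, so `apache-dolphinscheduler==3.1.0` will no longer be flagged, even though the advisory text removed in the same hunk lists "version 3.1.0 and prior versions" as affected and the next context line shows a separate 3.1.0 record exists for this package. Unless 3.1.0 has been reclassified as unaffected, the spec should remain `"<3.0.2", "==3.1.0"` with `"v": "<3.0.2,==3.1.0"`, or a second record covering the 3.1 line should be added. The rewritten advisory also discards the GHSA and PYSEC aliases the old text carried; keeping `Alias(es): GHSA-3xh5-8hvq-rc8x, PYSEC-2023-4` would preserve the cross-reference consumers use to correlate this entry with other feeds.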
@@ -8785,16 +8772,6 @@
 ],
 "v": "<0.34.0"
 },
- {
- "advisory": "Apache-superset 0.34.0 updates its dependency 'urllib3' to v1.24.3 to include security fixes.",
- "cve": "CVE-2019-11324",
- "id": "pyup.io-45812",
- "more_info_path": "/vulnerabilities/CVE-2019-11324/45812",
- "specs": [
- "<0.34.0"
- ],
- "v": "<0.34.0"
- },
 {
 "advisory": "Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.",
 "cve": "CVE-2018-20060",
@@ -8825,6 +8802,16 @@
 ],
 "v": "<0.34.0"
 },
+ {
+ "advisory": "Apache-superset 0.34.0 updates its dependency 'urllib3' to v1.24.3 to include security fixes.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-45812",
+ "more_info_path": "/vulnerabilities/CVE-2019-11324/45812",
+ "specs": [
+ "<0.34.0"
+ ],
+ "v": "<0.34.0"
+ },
 {
 "advisory": "Apache-superset 0.35.0 adds security for restricted metrics (#8175).",
 "cve": "PVE-2021-39478",
@@ -8966,20 +8953,20 @@
 "v": "<1.2.0"
 },
 {
- "advisory": "Apache-superset 2.0.1 disables HTML rendering in Toast by default.\r\nhttps://github.com/apache/superset/pull/21853",
- "cve": "PVE-2023-52807",
- "id": "pyup.io-52807",
- "more_info_path": "/vulnerabilities/PVE-2023-52807/52807",
+ "advisory": "Apache-superset 2.0.1 improves SafeMarkdown HTML sanitization to prevent possible attacks.\r\nhttps://github.com/apache/superset/pull/21895",
+ "cve": "PVE-2023-52798",
+ "id": "pyup.io-52798",
+ "more_info_path": "/vulnerabilities/PVE-2023-52798/52798",
 "specs": [
 "<2.0.1"
 ],
 "v": "<2.0.1"
 },
 {
- "advisory": "Apache-superset 2.0.1 improves SafeMarkdown HTML sanitization to prevent possible attacks.\r\nhttps://github.com/apache/superset/pull/21895",
- "cve": "PVE-2023-52798",
- "id": "pyup.io-52798",
- "more_info_path": "/vulnerabilities/PVE-2023-52798/52798",
+ "advisory": "Apache-superset 2.0.1 disables HTML rendering in Toast by default.\r\nhttps://github.com/apache/superset/pull/21853",
+ "cve": "PVE-2023-52807",
+ "id": "pyup.io-52807",
+ "more_info_path": "/vulnerabilities/PVE-2023-52807/52807",
 "specs": [
 "<2.0.1"
 ],
@@ -9056,20 +9043,20 @@
 "v": "<3.0.0"
 },
 {
- "advisory": "An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service. This issue affects Apache Superset: before 3.0.0",
- "cve": "CVE-2023-42504",
- "id": "pyup.io-65228",
- "more_info_path": "/vulnerabilities/CVE-2023-42504/65228",
+ "advisory": "Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to include a security fix.",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-61908",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/61908",
 "specs": [
 "<3.0.0"
 ],
 "v": "<3.0.0"
 },
 {
- "advisory": "Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to include a security fix.",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-61908",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/61908",
+ "advisory": "An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service. This issue affects Apache Superset: before 3.0.0",
+ "cve": "CVE-2023-42504",
+ "id": "pyup.io-65228",
+ "more_info_path": "/vulnerabilities/CVE-2023-42504/65228",
 "specs": [
 "<3.0.0"
 ],
@@ -9116,17 +9103,6 @@
 ],
 "v": "<4.0.2"
 },
- {
- "advisory": "An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
- "cve": "CVE-2022-43720",
- "id": "pyup.io-54625",
- "more_info_path": "/vulnerabilities/CVE-2022-43720/54625",
- "specs": [
- "<=1.5.2",
- "==2.0.0"
- ],
- "v": "<=1.5.2,==2.0.0"
- },
 {
 "advisory": "When explicitly enabling the feature flag 'DASHBOARD_CACHE' (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
 "cve": "CVE-2022-45438",
@@ -9149,6 +9125,28 @@
 ],
 "v": "<=1.5.2,==2.0.0"
 },
+ {
+ "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
+ "cve": "CVE-2022-43721",
+ "id": "pyup.io-54615",
+ "more_info_path": "/vulnerabilities/CVE-2022-43721/54615",
+ "specs": [
+ "<=1.5.2",
+ "==2.0.0"
+ ],
+ "v": "<=1.5.2,==2.0.0"
+ },
+ {
+ "advisory": "An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
+ "cve": "CVE-2022-43720",
+ "id": "pyup.io-54625",
+ "more_info_path": "/vulnerabilities/CVE-2022-43720/54625",
+ "specs": [
+ "<=1.5.2",
+ "==2.0.0"
+ ],
+ "v": "<=1.5.2,==2.0.0"
+ },
 {
 "advisory": "Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
 "cve": "CVE-2022-43717",
@@ -9183,15 +9181,14 @@
 "v": "<=1.5.2,==2.0.0"
 },
 {
- "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
- "cve": "CVE-2022-43721",
- "id": "pyup.io-54615",
- "more_info_path": "/vulnerabilities/CVE-2022-43721/54615",
+ "advisory": "A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery\r\nattacks and query internal resources on behalf of the server where Superset\r\nis deployed. This vulnerability exists\u00a0in Apache Superset versions up to and including 2.0.1.",
+ "cve": "CVE-2023-25504",
+ "id": "pyup.io-62896",
+ "more_info_path": "/vulnerabilities/CVE-2023-25504/62896",
 "specs": [
- "<=1.5.2",
- "==2.0.0"
+ "<=2.0.1"
 ],
- "v": "<=1.5.2,==2.0.0"
+ "v": "<=2.0.1"
 },
 {
 "advisory": "An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1",
@@ -9203,16 +9200,6 @@
 ],
 "v": "<=2.0.1"
 },
- {
- "advisory": "A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery\r\nattacks and query internal resources on behalf of the server where Superset\r\nis deployed. This vulnerability exists\u00a0in Apache Superset versions up to and including 2.0.1.",
- "cve": "CVE-2023-25504",
- "id": "pyup.io-62896",
- "more_info_path": "/vulnerabilities/CVE-2023-25504/62896",
- "specs": [
- "<=2.0.1"
- ],
- "v": "<=2.0.1"
- },
 {
 "advisory": "Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.",
 "cve": "CVE-2023-27524",
@@ -9925,10 +9912,10 @@
 "v": "<2.1.0"
 },
 {
- "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
- "cve": "PVE-2022-47013",
- "id": "pyup.io-47013",
- "more_info_path": "/vulnerabilities/PVE-2022-47013/47013",
+ "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
+ "cve": "CVE-2013-1664",
+ "id": "pyup.io-47852",
+ "more_info_path": "/vulnerabilities/CVE-2013-1664/47852",
 "specs": [
 "<2.1.0rc2"
 ],
@@ -9945,10 +9932,10 @@
 "v": "<2.1.0rc2"
 },
 {
- "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
- "cve": "CVE-2013-1664",
- "id": "pyup.io-47852",
- "more_info_path": "/vulnerabilities/CVE-2013-1664/47852",
+ "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
+ "cve": "PVE-2022-47013",
+ "id": "pyup.io-47013",
+ "more_info_path": "/vulnerabilities/PVE-2022-47013/47013",
 "specs": [
 "<2.1.0rc2"
 ],
@@ -10126,9 +10113,9 @@
 },
 {
 "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2018-19839",
- "id": "pyup.io-52812",
- "more_info_path": "/vulnerabilities/CVE-2018-19839/52812",
+ "cve": "CVE-2019-18798",
+ "id": "pyup.io-52810",
+ "more_info_path": "/vulnerabilities/CVE-2019-18798/52810",
 "specs": [
 "<0.13.0"
 ],
@@ -10136,9 +10123,9 @@
 },
 {
 "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2019-18798",
- "id": "pyup.io-52810",
- "more_info_path": "/vulnerabilities/CVE-2019-18798/52810",
+ "cve": "CVE-2018-19839",
+ "id": "pyup.io-52812",
+ "more_info_path": "/vulnerabilities/CVE-2018-19839/52812",
 "specs": [
 "<0.13.0"
 ],
@@ -10400,6 +10387,16 @@
 }
 ],
 "aries-cloudagent": [
+ {
+ "advisory": "Affected versions of Aries-cloudagent are receiving unauthenticated DIDComm messages from connections in the invitation state.",
+ "cve": "PVE-2024-72483",
+ "id": "pyup.io-72483",
+ "more_info_path": "/vulnerabilities/PVE-2024-72483/72483",
+ "specs": [
+ "<0.11.2"
+ ],
+ "v": "<0.11.2"
+ },
 {
 "advisory": "Aries-cloudagent 0.12.0 upgrades its readthedocs-sphinx-search from 0.1.1 to 1.3.2 in response to GHSA-xgfm-fjx6-62mj: This vulnerability could have let attackers insert arbitrary HTML into search results via a crafted search query, due to inadequate escaping of user content.",
 "cve": "PVE-2024-67615",
@@ -10522,6 +10519,19 @@
 "v": "<2.0.0"
 }
 ],
+ "artifact-lab-3-package-3eef6c2c": [
+ {
+ "advisory": "The artifact-lab-3-package-3eef6c2c has been flagged as malicious due to communication with a domain linked to unauthorized activities, potentially compromising system security. The package contains malicious code, raising concerns about its integrity. Immediate action is required to remove this package and replace it with a trusted alternative to prevent unauthorized access and safeguard sensitive information.",
+ "cve": "PVE-2024-72964",
+ "id": "pyup.io-72964",
+ "more_info_path": "/vulnerabilities/PVE-2024-72964/72964",
+ "specs": [
+ ">=0",
+ "<=0"
+ ],
+ "v": ">=0,<=0"
+ }
+ ],
 "aryi": [
 {
 "advisory": "Aryi is a malicious package. It steals users' credit card numbers and Discord tokens.\r\nhttps://www.bleepingcomputer.com/news/security/pypi-packages-caught-stealing-credit-card-numbers-discord-tokens/",
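Review bot: The `specs` on the new artifact-lab-3-package-3eef6c2c record in the second hunk, `">=0"` combined with `"<=0"`, match only a release whose version is `0` (or a PEP 440 equivalent such as `0.0`), whereas the advisory text says the package itself is malicious and should be removed entirely. If the intent is to flag every release, as the wording implies, `"specs": [">=0"]` with `"v": ">=0"` does that; if the package genuinely has a single release numbered 0 the combined range is correct, so this is worth confirming against the index before the record ships. The advisory also names neither the domain nor the analysis behind the malicious classification, so consumers have nothing to corroborate it with; a reference in `more_info_path` or the text would help.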
@@ -10681,20 +10691,20 @@
 "v": "<3.0.1"
 },
 {
- "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3849",
- "id": "pyup.io-48548",
- "more_info_path": "/vulnerabilities/CVE-2018-3849/48548",
+ "advisory": "Astropy 3.0.1 updates cfitsio to v3.43: NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43. NOTE: this CVE refers to the issues not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849. One example is ftp_status in drvrnet.c mishandling a long string beginning with a '4' character.",
+ "cve": "CVE-2019-1010060",
+ "id": "pyup.io-70530",
+ "more_info_path": "/vulnerabilities/CVE-2019-1010060/70530",
 "specs": [
 "<3.0.1"
 ],
 "v": "<3.0.1"
 },
 {
- "advisory": "Astropy 3.0.1 updates cfitsio to v3.43: NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43. NOTE: this CVE refers to the issues not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849. One example is ftp_status in drvrnet.c mishandling a long string beginning with a '4' character.",
- "cve": "CVE-2019-1010060",
- "id": "pyup.io-70530",
- "more_info_path": "/vulnerabilities/CVE-2019-1010060/70530",
+ "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
+ "cve": "CVE-2018-3849",
+ "id": "pyup.io-48548",
+ "more_info_path": "/vulnerabilities/CVE-2018-3849/48548",
 "specs": [
 "<3.0.1"
 ],
@@ -10845,20 +10855,20 @@
 ],
 "asyncssh": [
 {
- "advisory": "An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.",
- "cve": "CVE-2023-46446",
- "id": "pyup.io-65384",
- "more_info_path": "/vulnerabilities/CVE-2023-46446/65384",
+ "advisory": "An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.",
+ "cve": "CVE-2023-46445",
+ "id": "pyup.io-65385",
+ "more_info_path": "/vulnerabilities/CVE-2023-46445/65385",
 "specs": [
 "<2.14.1"
 ],
 "v": "<2.14.1"
 },
 {
- "advisory": "An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.",
- "cve": "CVE-2023-46445",
- "id": "pyup.io-65385",
- "more_info_path": "/vulnerabilities/CVE-2023-46445/65385",
+ "advisory": "An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.",
+ "cve": "CVE-2023-46446",
+ "id": "pyup.io-65384",
+ "more_info_path": "/vulnerabilities/CVE-2023-46446/65384",
 "specs": [
 "<2.14.1"
 ],
@@ -11245,20 +11255,20 @@
 "v": "<0.15.4"
 },
 {
- "advisory": "Authlib 1.1.0 includes a fix for CVE-2022-39175.\r\nhttps://github.com/lepture/authlib/commit/80b0808263c6ce88335532b78e62bf2522593390",
- "cve": "CVE-2022-39175",
- "id": "pyup.io-51645",
- "more_info_path": "/vulnerabilities/CVE-2022-39175/51645",
+ "advisory": "Authlib 1.1.0 includes a fix for CVE-2022-39174.\r\nhttps://github.com/lepture/authlib/commit/3a382780907226d99c09606aac78e29fe5bd3bf6",
+ "cve": "CVE-2022-39174",
+ "id": "pyup.io-51646",
+ "more_info_path": "/vulnerabilities/CVE-2022-39174/51646",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Authlib 1.1.0 includes a fix for CVE-2022-39174.\r\nhttps://github.com/lepture/authlib/commit/3a382780907226d99c09606aac78e29fe5bd3bf6",
- "cve": "CVE-2022-39174",
- "id": "pyup.io-51646",
- "more_info_path": "/vulnerabilities/CVE-2022-39174/51646",
+ "advisory": "Authlib 1.1.0 includes a fix for CVE-2022-39175.\r\nhttps://github.com/lepture/authlib/commit/80b0808263c6ce88335532b78e62bf2522593390",
+ "cve": "CVE-2022-39175",
+ "id": "pyup.io-51645",
+ "more_info_path": "/vulnerabilities/CVE-2022-39175/51645",
 "specs": [
 "<1.1.0"
 ],
@@ -11546,9 +11556,9 @@
 },
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-45105",
- "id": "pyup.io-48623",
- "more_info_path": "/vulnerabilities/CVE-2021-45105/48623",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-48621",
+ "more_info_path": "/vulnerabilities/CVE-2021-44228/48621",
 "specs": [
 ">=0.4.0,<0.4.1"
 ],
@@ -11556,9 +11566,9 @@
 },
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "PVE-2021-42426",
- "id": "pyup.io-48620",
- "more_info_path": "/vulnerabilities/PVE-2021-42426/48620",
+ "cve": "CVE-2021-45105",
+ "id": "pyup.io-48623",
+ "more_info_path": "/vulnerabilities/CVE-2021-45105/48623",
 "specs": [
 ">=0.4.0,<0.4.1"
 ],
@@ -11566,9 +11576,9 @@
 },
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-44228",
- "id": "pyup.io-48621",
- "more_info_path": "/vulnerabilities/CVE-2021-44228/48621",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-48622",
+ "more_info_path": "/vulnerabilities/CVE-2021-45046/48622",
 "specs": [
 ">=0.4.0,<0.4.1"
 ],
@@ -11576,9 +11586,9 @@
 },
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-44832",
- "id": "pyup.io-48624",
- "more_info_path": "/vulnerabilities/CVE-2021-44832/48624",
+ "cve": "PVE-2021-42426",
+ "id": "pyup.io-48620",
+ "more_info_path": "/vulnerabilities/PVE-2021-42426/48620",
 "specs": [
 ">=0.4.0,<0.4.1"
 ],
@@ -11586,9 +11596,9 @@
 },
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-45046",
- "id": "pyup.io-48622",
- "more_info_path": "/vulnerabilities/CVE-2021-45046/48622",
+ "cve": "CVE-2021-44832",
+ "id": "pyup.io-48624",
+ "more_info_path": "/vulnerabilities/CVE-2021-44832/48624",
 "specs": [
 ">=0.4.0,<0.4.1"
 ],
@@ -13585,20 +13595,20 @@
 ],
 "bikeshed": [
 {
- "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23423:\r\nWhen an untrusted source file containing include, include-code or include-raw block is processed, the contents of arbitrary files could be disclosed in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
- "cve": "CVE-2021-23423",
- "id": "pyup.io-41180",
- "more_info_path": "/vulnerabilities/CVE-2021-23423/41180",
+ "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
+ "cve": "CVE-2021-23422",
+ "id": "pyup.io-41179",
+ "more_info_path": "/vulnerabilities/CVE-2021-23422/41179",
 "specs": [
 "<3.0.0"
 ],
 "v": "<3.0.0"
 },
 {
- "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
- "cve": "CVE-2021-23422",
- "id": "pyup.io-41179",
- "more_info_path": "/vulnerabilities/CVE-2021-23422/41179",
+ "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23423:\r\nWhen an untrusted source file containing include, include-code or include-raw block is processed, the contents of arbitrary files could be disclosed in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
+ "cve": "CVE-2021-23423",
+ "id": "pyup.io-41180",
+ "more_info_path": "/vulnerabilities/CVE-2021-23423/41180",
 "specs": [
 "<3.0.0"
 ],
@@ -13821,10 +13831,10 @@
 "v": "<5.3.1"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0401",
- "id": "pyup.io-59608",
- "more_info_path": "/vulnerabilities/CVE-2023-0401/59608",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Use After Free vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-0215",
+ "id": "pyup.io-59610",
+ "more_info_path": "/vulnerabilities/CVE-2023-0215/59610",
 "specs": [
 "<5.3.1"
 ],
@@ -13832,29 +13842,29 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4203",
- "id": "pyup.io-59614",
- "more_info_path": "/vulnerabilities/CVE-2022-4203/59614",
+ "cve": "CVE-2023-2650",
+ "id": "pyup.io-59533",
+ "more_info_path": "/vulnerabilities/CVE-2023-2650/59533",
 "specs": [
 "<5.3.1"
 ],
 "v": "<5.3.1"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Use After Free vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0215",
- "id": "pyup.io-59610",
- "more_info_path": "/vulnerabilities/CVE-2023-0215/59610",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-0217",
+ "id": "pyup.io-59609",
+ "more_info_path": "/vulnerabilities/CVE-2023-0217/59609",
 "specs": [
 "<5.3.1"
 ],
 "v": "<5.3.1"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Timing Attack vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4304",
- "id": "pyup.io-59612",
- "more_info_path": "/vulnerabilities/CVE-2022-4304/59612",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2022-3996",
+ "id": "pyup.io-59617",
+ "more_info_path": "/vulnerabilities/CVE-2022-3996/59617",
 "specs": [
 "<5.3.1"
 ],
@@ -13862,19 +13872,19 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-2650",
- "id": "pyup.io-59533",
- "more_info_path": "/vulnerabilities/CVE-2023-2650/59533",
+ "cve": "CVE-2023-0216",
+ "id": "pyup.io-59613",
+ "more_info_path": "/vulnerabilities/CVE-2023-0216/59613",
 "specs": [
 "<5.3.1"
 ],
 "v": "<5.3.1"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Type Confusion vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0286",
- "id": "pyup.io-59611",
- "more_info_path": "/vulnerabilities/CVE-2023-0286/59611",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-0401",
+ "id": "pyup.io-59608",
+ "more_info_path": "/vulnerabilities/CVE-2023-0401/59608",
 "specs": [
 "<5.3.1"
 ],
@@ -13882,39 +13892,39 @@ }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", - "cve": "CVE-2023-0216", - "id": "pyup.io-59613", - "more_info_path": "/vulnerabilities/CVE-2023-0216/59613", + "cve": "CVE-2022-4203", + "id": "pyup.io-59614", + "more_info_path": "/vulnerabilities/CVE-2022-4203/59614", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { - "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", - "cve": "CVE-2022-3996", - "id": "pyup.io-59617", - "more_info_path": "/vulnerabilities/CVE-2022-3996/59617", + "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Type Confusion vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", + "cve": "CVE-2023-0286", + "id": "pyup.io-59611", + "more_info_path": "/vulnerabilities/CVE-2023-0286/59611", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { - "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix an Expected Behavior Violation vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", - "cve": "CVE-2023-23931", - "id": "pyup.io-59616", - "more_info_path": "/vulnerabilities/CVE-2023-23931/59616", + "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Timing Attack vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", + "cve": "CVE-2022-4304", + "id": "pyup.io-59612", + "more_info_path": "/vulnerabilities/CVE-2022-4304/59612", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { - "advisory": "Bittensor 5.3.1 updates its 
dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", - "cve": "CVE-2023-0217", - "id": "pyup.io-59609", - "more_info_path": "/vulnerabilities/CVE-2023-0217/59609", + "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix an Expected Behavior Violation vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", + "cve": "CVE-2023-23931", + "id": "pyup.io-59616", + "more_info_path": "/vulnerabilities/CVE-2023-23931/59616", "specs": [ "<5.3.1" ], @@ -14457,20 +14467,20 @@ "v": "<1.2.0" }, { - "advisory": "Bokeh 1.2.0 updates its NPM dependency 'handlebars' to v4.1.2 to include a security fix.", - "cve": "PVE-2021-37170", - "id": "pyup.io-37170", - "more_info_path": "/vulnerabilities/PVE-2021-37170/37170", + "advisory": "Bokeh 1.2.0 updates its NPM dependency 'js-yaml' to v3.13.1 to include a security fix.", + "cve": "PVE-2022-45295", + "id": "pyup.io-45295", + "more_info_path": "/vulnerabilities/PVE-2022-45295/45295", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { - "advisory": "Bokeh 1.2.0 updates its NPM dependency 'js-yaml' to v3.13.1 to include a security fix.", - "cve": "PVE-2022-45295", - "id": "pyup.io-45295", - "more_info_path": "/vulnerabilities/PVE-2022-45295/45295", + "advisory": "Bokeh 1.2.0 updates its NPM dependency 'handlebars' to v4.1.2 to include a security fix.", + "cve": "PVE-2021-37170", + "id": "pyup.io-37170", + "more_info_path": "/vulnerabilities/PVE-2021-37170/37170", "specs": [ "<1.2.0" ], 
@@ -14488,9 +14498,9 @@ }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", - "cve": "CVE-2021-41183", - "id": "pyup.io-42814", - "more_info_path": "/vulnerabilities/CVE-2021-41183/42814", + "cve": "CVE-2021-41184", + "id": "pyup.io-42815", + "more_info_path": "/vulnerabilities/CVE-2021-41184/42815", "specs": [ "<2.4.2" ], @@ -14508,9 +14518,9 @@ }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", - "cve": "CVE-2021-41184", - "id": "pyup.io-42815", - "more_info_path": "/vulnerabilities/CVE-2021-41184/42815", + "cve": "CVE-2021-41183", + "id": "pyup.io-42814", + "more_info_path": "/vulnerabilities/CVE-2021-41183/42814", "specs": [ "<2.4.2" ], @@ -14592,16 +14602,6 @@ } ], "borgmatic": [ - { - "advisory": "Borgmatic is vulnerable to shell injection within the command hook variable/constant interpolation.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", - "cve": "PVE-2024-64395", - "id": "pyup.io-64395", - "more_info_path": "/vulnerabilities/PVE-2024-64395/64395", - "specs": [ - "<1.8.7" - ], - "v": "<1.8.7" - }, { "advisory": "Borgmatic is vulnerable to shell injection within the SQLite hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64393", 
@@ -14613,10 +14613,10 @@ "v": "<1.8.7" }, { - "advisory": "Borgmatic is vulnerable to shell injection within the \"borgmatic borg\" action.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", - "cve": "PVE-2024-64394", - "id": "pyup.io-64394", - "more_info_path": "/vulnerabilities/PVE-2024-64394/64394", + "advisory": "Borgmatic is vulnerable to shell injection within the command hook variable/constant interpolation.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", + "cve": "PVE-2024-64395", + "id": "pyup.io-64395", + "more_info_path": "/vulnerabilities/PVE-2024-64395/64395", "specs": [ "<1.8.7" ], @@ -14632,6 +14632,16 @@ ], "v": "<1.8.7" }, + { + "advisory": "Borgmatic is vulnerable to shell injection within the \"borgmatic borg\" action.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", + "cve": "PVE-2024-64394", + "id": "pyup.io-64394", + "more_info_path": "/vulnerabilities/PVE-2024-64394/64394", + "specs": [ + "<1.8.7" + ], + "v": "<1.8.7" + }, { "advisory": "Borgmatic is vulnerable to shell injection within the MongoDB hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64392", @@ -15193,9 +15203,9 @@ "bzt": [ { "advisory": "Bzt 1.16.2 updates its dependency 'jmeter' to v5.4.2 to include security fixes.\r\nhttps://github.com/Blazemeter/taurus/commit/f7fb13fed9ca4f871a3426c3c26fb3e86beb329a", - "cve": "CVE-2021-45046", - "id": "pyup.io-43431", - "more_info_path": "/vulnerabilities/CVE-2021-45046/43431", + "cve": "CVE-2021-44228", + "id": "pyup.io-43430", + "more_info_path": "/vulnerabilities/CVE-2021-44228/43430", "specs": [ "<1.16.2" ], 
@@ -15203,9 +15213,9 @@ }, { "advisory": "Bzt 1.16.2 updates its dependency 'jmeter' to v5.4.2 to include security fixes.\r\nhttps://github.com/Blazemeter/taurus/commit/f7fb13fed9ca4f871a3426c3c26fb3e86beb329a", - "cve": "CVE-2021-44228", - "id": "pyup.io-43430", - "more_info_path": "/vulnerabilities/CVE-2021-44228/43430", + "cve": "CVE-2021-45046", + "id": "pyup.io-43431", + "more_info_path": "/vulnerabilities/CVE-2021-45046/43431", "specs": [ "<1.16.2" ], @@ -15534,20 +15544,20 @@ "v": ">=0,<0.6.15" }, { - "advisory": "calibre-web is vulnerable to Business Logic Errors\n\nAffected functions:\ncalibreweb.cps.shelf.check_shelf_is_unique\ncalibreweb.cps.shelf.create_edit_shelf", - "cve": "CVE-2021-4171", - "id": "pyup.io-54146", - "more_info_path": "/vulnerabilities/CVE-2021-4171/54146", + "advisory": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)", + "cve": "CVE-2021-4164", + "id": "pyup.io-54147", + "more_info_path": "/vulnerabilities/CVE-2021-4164/54147", "specs": [ ">=0,<0.6.15" ], "v": ">=0,<0.6.15" }, { - "advisory": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)", - "cve": "CVE-2021-4164", - "id": "pyup.io-54147", - "more_info_path": "/vulnerabilities/CVE-2021-4164/54147", + "advisory": "calibre-web is vulnerable to Business Logic Errors\n\nAffected functions:\ncalibreweb.cps.shelf.check_shelf_is_unique\ncalibreweb.cps.shelf.create_edit_shelf", + "cve": "CVE-2021-4171", + "id": "pyup.io-54146", + "more_info_path": "/vulnerabilities/CVE-2021-4171/54146", "specs": [ ">=0,<0.6.15" ], 
@@ -15996,16 +16006,6 @@ ], "v": "<2.0.0" }, - { - "advisory": "Cashocs version 2.0.0 updates its setuptools dependency to version 65.5.1 from the previous 39.0.1, addressing the vulnerability identified as CVE-2022-40897.\r\nhttps://github.com/sblauth/cashocs/pull/137/commits/eb3fdc2bc65c87fb27d3622ada71c4d841a856a2", - "cve": "CVE-2022-40897", - "id": "pyup.io-64817", - "more_info_path": "/vulnerabilities/CVE-2022-40897/64817", - "specs": [ - "<2.0.0" - ], - "v": "<2.0.0" - }, { "advisory": "Cashocs version 2.0.0 updates its pygments dependency to version 2.7.4 from the previous 2.5.2, addressing the vulnerability identified as CVE-2021-20270.\r\nhttps://github.com/sblauth/cashocs/pull/141/commits/1fb563e91e1b4d564cb4784c7c812bf27c7e15b7", "cve": "CVE-2021-20270", @@ -16017,14 +16017,14 @@ "v": "<2.0.0" }, { - "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. This upgrade is in response to addressing the security vulnerability designated as CVE-2021-34141.\r\nhttps://github.com/sblauth/cashocs/pull/345", - "cve": "CVE-2021-34141", - "id": "pyup.io-64963", - "more_info_path": "/vulnerabilities/CVE-2021-34141/64963", + "advisory": "Cashocs version 2.0.0 updates its setuptools dependency to version 65.5.1 from the previous 39.0.1, addressing the vulnerability identified as CVE-2022-40897.\r\nhttps://github.com/sblauth/cashocs/pull/137/commits/eb3fdc2bc65c87fb27d3622ada71c4d841a856a2", + "cve": "CVE-2022-40897", + "id": "pyup.io-64817", + "more_info_path": "/vulnerabilities/CVE-2022-40897/64817", "specs": [ - "<2.1.0" + "<2.0.0" ], - "v": "<2.1.0" + "v": "<2.0.0" }, { "advisory": "Cashocs version 2.1.0 updates its fonttools dependency from version 4.38.0 to 4.43.0 to address the security issue identified as CVE-2023-45139.\r\nhttps://github.com/sblauth/cashocs/pull/372/commits/c15b23e743b3046b8afae8b6a0967044f163c8ce", 
@@ -16037,10 +16037,10 @@ "v": "<2.1.0" }, { - "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. This upgrade is in response to addressing the security vulnerability designated as CVE-2021-41495.\r\nhttps://github.com/sblauth/cashocs/pull/345", - "cve": "CVE-2021-41495", - "id": "pyup.io-64982", - "more_info_path": "/vulnerabilities/CVE-2021-41495/64982", + "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. This upgrade is in response to addressing the security vulnerability designated as CVE-2021-34141.\r\nhttps://github.com/sblauth/cashocs/pull/345", + "cve": "CVE-2021-34141", + "id": "pyup.io-64963", + "more_info_path": "/vulnerabilities/CVE-2021-34141/64963", "specs": [ "<2.1.0" ], @@ -16055,6 +16055,16 @@ "<2.1.0" ], "v": "<2.1.0" + }, + { + "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. This upgrade is in response to addressing the security vulnerability designated as CVE-2021-41495.\r\nhttps://github.com/sblauth/cashocs/pull/345", + "cve": "CVE-2021-41495", + "id": "pyup.io-64982", + "more_info_path": "/vulnerabilities/CVE-2021-41495/64982", + "specs": [ + "<2.1.0" + ], + "v": "<2.1.0" } ], "cassandra-medusa": [ 
@@ -16533,20 +16543,20 @@ "v": "<0.0.83" }, { - "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'opencontainers/runc' to v1.0.3 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", - "cve": "CVE-2021-43784", - "id": "pyup.io-54973", - "more_info_path": "/vulnerabilities/CVE-2021-43784/54973", + "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'containerd' to v1.5.9 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", + "cve": "CVE-2021-43816", + "id": "pyup.io-44474", + "more_info_path": "/vulnerabilities/CVE-2021-43816/44474", "specs": [ "<2.0.7" ], "v": "<2.0.7" }, { - "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'containerd' to v1.5.9 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", - "cve": "CVE-2021-43816", - "id": "pyup.io-44474", - "more_info_path": "/vulnerabilities/CVE-2021-43816/44474", + "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'opencontainers/runc' to v1.0.3 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", + "cve": "CVE-2021-43784", + "id": "pyup.io-54973", + "more_info_path": "/vulnerabilities/CVE-2021-43784/54973", "specs": [ "<2.0.7" ], @@ -21378,16 +21388,6 @@ ], "v": "<1.8.1rc4" }, - { - "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", - "cve": "CVE-2023-2135", - "id": "pyup.io-64106", - "more_info_path": "/vulnerabilities/CVE-2023-2135/64106", - "specs": [ - "<1.8.1rc4" - ], - "v": "<1.8.1rc4" - }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", "cve": "CVE-2023-2033", 
@@ -21419,14 +21419,14 @@ "v": "<1.8.1rc4" }, { - "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", - "cve": "CVE-2023-3730", - "id": "pyup.io-64109", - "more_info_path": "/vulnerabilities/CVE-2023-3730/64109", + "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", + "cve": "CVE-2023-2135", + "id": "pyup.io-64106", + "more_info_path": "/vulnerabilities/CVE-2023-2135/64106", "specs": [ - "<2.0.0rc4" + "<1.8.1rc4" ], - "v": "<2.0.0rc4" + "v": "<1.8.1rc4" }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", @@ -21438,6 +21438,16 @@ ], "v": "<2.0.0rc4" }, + { + "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", + "cve": "CVE-2023-3730", + "id": "pyup.io-64109", + "more_info_path": "/vulnerabilities/CVE-2023-3730/64109", + "specs": [ + "<2.0.0rc4" + ], + "v": "<2.0.0rc4" + }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", "cve": "CVE-2023-3732", 
@@ -21901,6 +21911,26 @@ ], "v": "<1.8.1" }, + { + "advisory": "Several CKAN plugins, including XLoader, DataPusher, Resource Proxy, and ckanext-archiver, are vulnerable to SSRF attacks due to a lack of URL validation. Malicious users can exploit these plugins by creating resources with URLs that access unauthorized locations. To mitigate this, users should use an HTTP proxy, implement firewall rules, or apply custom URL validators. The latest plugin versions support the ckan.download_proxy setting.", + "cve": "CVE-2024-43371", + "id": "pyup.io-72975", + "more_info_path": "/vulnerabilities/CVE-2024-43371/72975", + "specs": [ + "<2.10.5" + ], + "v": "<2.10.5" + }, + { + "advisory": "CKAN affected versions may expose sensitive information, including internal Solr URLs and potential credentials, in error messages when connection issues occur with the Solr server. This vulnerability arises during package_search API calls, where an unsuccessful connection to Solr could result in the leaking of internal configuration details as part of the returned error message.", + "cve": "CVE-2024-41674", + "id": "pyup.io-72977", + "more_info_path": "/vulnerabilities/CVE-2024-41674/72977", + "specs": [ + "<2.10.5" + ], + "v": "<2.10.5" + }, { "advisory": "Ckan 2.6.9, 2.7.7 and 2.8.4 fix a code injection issue in the autocomplete module. \r\nhttps://github.com/ckan/ckan/pull/5064", "cve": "PVE-2021-39613", 
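Review bot: The CVE-2024-43371 record flags `ckan <2.10.5`, while its own advisory text locates the SSRF in the XLoader, DataPusher, Resource Proxy and ckanext-archiver plugins and says only that the latest plugin versions support `ckan.download_proxy`, so a deployment on ckan 2.10.5 with older plugins, or with the setting left unconfigured, would scan clean and still be exposed. I would make that explicit in the advisory string, e.g. append `Upgrading ckan alone is not a complete fix: the affected plugins must also be upgraded to versions that honour ckan.download_proxy, and that setting (or equivalent proxy/firewall rules) must be configured.` The CVE-2024-41674 text should likewise tell readers that the patch only stops future disclosure: any Solr URL or credentials already returned in package_search error responses, and possibly captured in client or proxy logs, should be treated as compromised and rotated. If the upstream advisories also name a fix on a 2.11 line, an upper bound of `<2.10.5` alone would treat 2.11 pre-releases as unaffected, which is worth confirming against the source advisories before this range is relied on.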
@@ -21978,6 +22008,16 @@ ], "v": ">=2.0,<2.9.10,>=2.10.0,<2.10.3" }, + { + "advisory": "CKAN's datatables_view plugin affected versions are vulnerable to a Cross-Site Scripting (XSS) attack due to improper escaping of record data from the DataStore, allowing attackers to inject malicious scripts into tabular data previews. This issue was addressed by implementing proper HTML escaping of data within the plugin, ensuring that any potentially harmful content is neutralized before being rendered in the browser. As a precaution, administrators should prevent importing tabular files from untrusted sources until they have applied the patch.", + "cve": "CVE-2024-41675", + "id": "pyup.io-72976", + "more_info_path": "/vulnerabilities/CVE-2024-41675/72976", + "specs": [ + ">=2.7.0,<2.10.5" + ], + "v": ">=2.7.0,<2.10.5" + }, { "advisory": "In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users\u2019 profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim\u2019s browser when they open the malicious profile picture", "cve": "CVE-2021-25967", 
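Review bot: The CVE-2024-41675 record marks every `ckan >=2.7.0,<2.10.5` as affected, yet its own advisory text scopes the XSS to the `datatables_view` plugin rendering DataStore records, so the range over-reports for installs that never enable that view and the text should state what actually makes a site exposed. I would append to the advisory string: `Exposure requires the datatables_view plugin to be enabled. The fix escapes data at render time only; records already imported from untrusted sources remain stored unchanged.` Whether other code paths that render DataStore rows are covered by the same fix is not something this record shows, so I would leave that out or phrase it as an open question rather than assert it.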
@@ -22129,20 +22169,20 @@ "v": "<=1.14.2" }, { - "advisory": "A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI\u2019s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.", - "cve": "CVE-2024-24594", - "id": "pyup.io-66779", - "more_info_path": "/vulnerabilities/CVE-2024-24594/66779", + "advisory": "Lack of authentication in all versions of the fileserver component of Allegro AI\u2019s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files.", + "cve": "CVE-2024-24592", + "id": "pyup.io-66781", + "more_info_path": "/vulnerabilities/CVE-2024-24592/66781", "specs": [ ">=0" ], "v": ">=0" }, { - "advisory": "Lack of authentication in all versions of the fileserver component of Allegro AI\u2019s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files.", - "cve": "CVE-2024-24592", - "id": "pyup.io-66781", - "more_info_path": "/vulnerabilities/CVE-2024-24592/66781", + "advisory": "A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI\u2019s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.", + "cve": "CVE-2024-24594", + "id": "pyup.io-66779", + "more_info_path": "/vulnerabilities/CVE-2024-24594/66779", "specs": [ ">=0" ], 
@@ -23536,20 +23576,20 @@ "v": "<2.6.0" }, { - "advisory": "Compliance-trestle 3.3.0 has updated `urllib3` to versions 1.26.17 and 1.26.19 to address vulnerabilities such as CVE-2024-37891.", - "cve": "CVE-2024-37891", - "id": "pyup.io-72186", - "more_info_path": "/vulnerabilities/CVE-2024-37891/72186", + "advisory": "Compliance-trestle 3.3.0 has updated `Jinja2 ` to versions 3.1.3 and 3.1.4 to address vulnerabilities such as CVE-2024-34064.", + "cve": "CVE-2024-34064", + "id": "pyup.io-72184", + "more_info_path": "/vulnerabilities/CVE-2024-34064/72184", "specs": [ "<3.3.0" ], "v": "<3.3.0" }, { - "advisory": "Compliance-trestle 3.3.0 has updated `Jinja2 ` to versions 3.1.3 and 3.1.4 to address vulnerabilities such as CVE-2024-34064.", - "cve": "CVE-2024-34064", - "id": "pyup.io-72184", - "more_info_path": "/vulnerabilities/CVE-2024-34064/72184", + "advisory": "Compliance-trestle 3.3.0 has updated `urllib3` to versions 1.26.17 and 1.26.19 to address vulnerabilities such as CVE-2024-37891.", + "cve": "CVE-2024-37891", + "id": "pyup.io-72186", + "more_info_path": "/vulnerabilities/CVE-2024-37891/72186", "specs": [ "<3.3.0" ], @@ -23557,16 +23597,6 @@ } ], "composer": [ - { - "advisory": "Composer 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2023-24816", - "id": "pyup.io-53697", - "more_info_path": "/vulnerabilities/CVE-2023-24816/53697", - "specs": [ - "<0.13.0" - ], - "v": "<0.13.0" - }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "PVE-2021-44525", 
@@ -23579,9 +23609,9 @@ }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2021-34552", - "id": "pyup.io-53694", - "more_info_path": "/vulnerabilities/CVE-2021-34552/53694", + "cve": "PVE-2022-44524", + "id": "pyup.io-53692", + "more_info_path": "/vulnerabilities/PVE-2022-44524/53692", "specs": [ "<0.13.0" ], @@ -23589,9 +23619,9 @@ }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "PVE-2022-44524", - "id": "pyup.io-53692", - "more_info_path": "/vulnerabilities/PVE-2022-44524/53692", + "cve": "CVE-2021-34552", + "id": "pyup.io-53694", + "more_info_path": "/vulnerabilities/CVE-2021-34552/53694", "specs": [ "<0.13.0" ], @@ -23607,16 +23637,6 @@ ], "v": "<0.13.0" }, - { - "advisory": "Composer 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2021-33503", - "id": "pyup.io-53696", - "more_info_path": "/vulnerabilities/CVE-2021-33503/53696", - "specs": [ - "<0.13.0" - ], - "v": "<0.13.0" - }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2022-22816", 
@@ -23637,6 +23657,26 @@ ], "v": "<0.13.0" }, + { + "advisory": "Composer 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2021-33503", + "id": "pyup.io-53696", + "more_info_path": "/vulnerabilities/CVE-2021-33503/53696", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + }, + { + "advisory": "Composer 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2023-24816", + "id": "pyup.io-53697", + "more_info_path": "/vulnerabilities/CVE-2023-24816/53697", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + }, { "advisory": "Composer 0.9.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/mosaicml/composer/pull/1328", "cve": "PVE-2023-60601", 
@@ -23736,50 +23776,40 @@ "v": "<1.6.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'pyopenssl' to v19.0.0 to include security fixes.", - "cve": "CVE-2018-1000808", - "id": "pyup.io-45032", - "more_info_path": "/vulnerabilities/CVE-2018-1000808/45032", - "specs": [ - "<5.0.0" - ], - "v": "<5.0.0" - }, - { - "advisory": "In confidant 5.0.0 updates its dependency 'flask' to v1.1.1 to include security fixes.", - "cve": "CVE-2018-1000656", - "id": "pyup.io-45034", - "more_info_path": "/vulnerabilities/CVE-2018-1000656/45034", + "advisory": "In confidant 5.0.0 updates its dependency 'gunicorn' to a version >=19.9.0 to include security fixes.", + "cve": "PVE-2021-40103", + "id": "pyup.io-45038", + "more_info_path": "/vulnerabilities/PVE-2021-40103/45038", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'flask' to v1.1.1 to include security fixes.", - "cve": "CVE-2019-1010083", - "id": "pyup.io-45033", - "more_info_path": "/vulnerabilities/CVE-2019-1010083/45033", + "advisory": "In confidant 5.0.0 updates its dependency 'python3-saml' to v1.8.0 to include a security fix.", + "cve": "PVE-2021-39454", + "id": "pyup.io-45042", + "more_info_path": "/vulnerabilities/PVE-2021-39454/45042", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'requests' to a version >=2.22.0 to include a security fix.", - "cve": "CVE-2018-18074", - "id": "pyup.io-45035", - "more_info_path": "/vulnerabilities/CVE-2018-18074/45035", + "advisory": "In confidant 5.0.0 updates its dependency 'gunicorn' to a version >=19.9.0 to include security fixes.", + "cve": "CVE-2018-1000164", + "id": "pyup.io-45037", + "more_info_path": "/vulnerabilities/CVE-2018-1000164/45037", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'lxml' to v4.4.1 to include security fixes.", - "cve": "CVE-2018-19787", - "id": "pyup.io-45040", - "more_info_path": 
"/vulnerabilities/CVE-2018-19787/45040", + "advisory": "Confidant 5.0.0 updates its dependency 'werkzeug' to v0.15.6 to include a security fix.", + "cve": "CVE-2019-14806", + "id": "pyup.io-45043", + "more_info_path": "/vulnerabilities/CVE-2019-14806/45043", "specs": [ "<5.0.0" ], 
@@ -23796,50 +23826,50 @@ "v": "<5.0.0" }, { - "advisory": "Confidant 5.0.0 updates its dependency 'werkzeug' to v0.15.6 to include a security fix.", - "cve": "CVE-2019-14806", - "id": "pyup.io-45043", - "more_info_path": "/vulnerabilities/CVE-2019-14806/45043", + "advisory": "In confidant 5.0.0 updates its dependency 'lxml' to v4.4.1 to include security fixes.", + "cve": "CVE-2018-19787", + "id": "pyup.io-45040", + "more_info_path": "/vulnerabilities/CVE-2018-19787/45040", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'gunicorn' to a version >=19.9.0 to include security fixes.", - "cve": "CVE-2018-1000164", - "id": "pyup.io-45037", - "more_info_path": "/vulnerabilities/CVE-2018-1000164/45037", + "advisory": "In confidant 5.0.0 updates its dependency 'requests' to a version >=2.22.0 to include a security fix.", + "cve": "CVE-2018-18074", + "id": "pyup.io-45035", + "more_info_path": "/vulnerabilities/CVE-2018-18074/45035", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'python3-saml' to v1.8.0 to include a security fix.", - "cve": "PVE-2021-39454", - "id": "pyup.io-45042", - "more_info_path": "/vulnerabilities/PVE-2021-39454/45042", + "advisory": "In confidant 5.0.0 updates its dependency 'flask' to v1.1.1 to include security fixes.", + "cve": "CVE-2019-1010083", + "id": "pyup.io-45033", + "more_info_path": "/vulnerabilities/CVE-2019-1010083/45033", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'gunicorn' to a version >=19.9.0 to include security fixes.", - "cve": "PVE-2021-40103", - "id": "pyup.io-45038", - "more_info_path": "/vulnerabilities/PVE-2021-40103/45038", + "advisory": "In confidant 5.0.0 updates its dependency 'pyopenssl' to v19.0.0 to include security fixes.", + "cve": "CVE-2018-1000808", + "id": "pyup.io-45032", + "more_info_path": "/vulnerabilities/CVE-2018-1000808/45032", "specs": [ "<5.0.0" ], 
"v": "<5.0.0" }, { - "advisory": "In confidant 5.0.0 updates its dependency 'pyyaml' to v5.1.2 to include a security fix.", - "cve": "CVE-2017-18342", - "id": "pyup.io-45036", - "more_info_path": "/vulnerabilities/CVE-2017-18342/45036", + "advisory": "Confidant 5.0.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", + "cve": "CVE-2019-10906", + "id": "pyup.io-45039", + "more_info_path": "/vulnerabilities/CVE-2019-10906/45039", "specs": [ "<5.0.0" ], @@ -23856,10 +23886,20 @@ "v": "<5.0.0" }, { - "advisory": "Confidant 5.0.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", - "cve": "CVE-2019-10906", - "id": "pyup.io-45039", - "more_info_path": "/vulnerabilities/CVE-2019-10906/45039", + "advisory": "In confidant 5.0.0 updates its dependency 'pyyaml' to v5.1.2 to include a security fix.", + "cve": "CVE-2017-18342", + "id": "pyup.io-45036", + "more_info_path": "/vulnerabilities/CVE-2017-18342/45036", + "specs": [ + "<5.0.0" + ], + "v": "<5.0.0" + }, + { + "advisory": "In confidant 5.0.0 updates its dependency 'flask' to v1.1.1 to include security fixes.", + "cve": "CVE-2018-1000656", + "id": "pyup.io-45034", + "more_info_path": "/vulnerabilities/CVE-2018-1000656/45034", "specs": [ "<5.0.0" ], 
@@ -24587,11 +24627,31 @@ } ], "crate-docs-theme": [ + { + "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", + "cve": "CVE-2018-14042", + "id": "pyup.io-49067", + "more_info_path": "/vulnerabilities/CVE-2018-14042/49067", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + }, + { + "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", + "cve": "CVE-2018-20677", + "id": "pyup.io-49064", + "more_info_path": "/vulnerabilities/CVE-2018-20677/49064", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2011-4969", - "id": "pyup.io-39529", - "more_info_path": "/vulnerabilities/CVE-2011-4969/39529", + "cve": "CVE-2020-7656", + "id": "pyup.io-49062", + "more_info_path": "/vulnerabilities/CVE-2020-7656/49062", "specs": [ "<0.13.0" ], @@ -24599,9 +24659,9 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2018-14042", - "id": "pyup.io-49067", - "more_info_path": "/vulnerabilities/CVE-2018-14042/49067", + "cve": "CVE-2016-10735", + "id": "pyup.io-49068", + "more_info_path": "/vulnerabilities/CVE-2016-10735/49068", "specs": [ "<0.13.0" ], @@ -24619,9 +24679,9 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2012-6708", - "id": "pyup.io-49057", - "more_info_path": "/vulnerabilities/CVE-2012-6708/49057", + "cve": "CVE-2011-4969", + "id": "pyup.io-39529", + "more_info_path": "/vulnerabilities/CVE-2011-4969/39529", "specs": [ "<0.13.0" ], 
@@ -24649,19 +24709,9 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2012-6708", - "id": "pyup.io-49056", - "more_info_path": "/vulnerabilities/CVE-2012-6708/49056", - "specs": [ - "<0.13.0" - ], - "v": "<0.13.0" - }, - { - "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2020-7656", - "id": "pyup.io-49062", - "more_info_path": "/vulnerabilities/CVE-2020-7656/49062", + "cve": "CVE-2019-11358", + "id": "pyup.io-49060", + "more_info_path": "/vulnerabilities/CVE-2019-11358/49060", "specs": [ "<0.13.0" ], @@ -24689,29 +24739,19 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2019-11358", - "id": "pyup.io-49060", - "more_info_path": "/vulnerabilities/CVE-2019-11358/49060", - "specs": [ - "<0.13.0" - ], - "v": "<0.13.0" - }, - { - "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2016-10735", - "id": "pyup.io-49068", - "more_info_path": "/vulnerabilities/CVE-2016-10735/49068", + "cve": "CVE-2012-6708", + "id": "pyup.io-49056", + "more_info_path": "/vulnerabilities/CVE-2012-6708/49056", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2018-20677", - "id": "pyup.io-49064", - "more_info_path": "/vulnerabilities/CVE-2018-20677/49064", + "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", + "cve": "CVE-2012-6708", + "id": "pyup.io-49057", + "more_info_path": "/vulnerabilities/CVE-2012-6708/49057", "specs": [ "<0.13.0" ], 
@@ -26429,9 +26469,9 @@ "dagster-cloud": [ { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1587", - "id": "pyup.io-52157", - "more_info_path": "/vulnerabilities/CVE-2022-1587/52157", + "cve": "CVE-2022-1664", + "id": "pyup.io-52146", + "more_info_path": "/vulnerabilities/CVE-2022-1664/52146", "specs": [ "<1.1.4" ], @@ -26439,9 +26479,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1664", - "id": "pyup.io-52146", - "more_info_path": "/vulnerabilities/CVE-2022-1664/52146", + "cve": "CVE-2022-2068", + "id": "pyup.io-52155", + "more_info_path": "/vulnerabilities/CVE-2022-2068/52155", "specs": [ "<1.1.4" ], @@ -26449,9 +26489,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1271", - "id": "pyup.io-52159", - "more_info_path": "/vulnerabilities/CVE-2022-1271/52159", + "cve": "CVE-2022-37434", + "id": "pyup.io-52156", + "more_info_path": "/vulnerabilities/CVE-2022-37434/52156", "specs": [ "<1.1.4" ], @@ -26459,9 +26499,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-40674", - "id": "pyup.io-52150", - "more_info_path": "/vulnerabilities/CVE-2022-40674/52150", + "cve": "CVE-2022-2509", + "id": "pyup.io-52163", + "more_info_path": "/vulnerabilities/CVE-2022-2509/52163", "specs": [ "<1.1.4" ], 
@@ -26469,9 +26509,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-2068", - "id": "pyup.io-52155", - "more_info_path": "/vulnerabilities/CVE-2022-2068/52155", + "cve": "CVE-2021-3999", + "id": "pyup.io-52160", + "more_info_path": "/vulnerabilities/CVE-2021-3999/52160", "specs": [ "<1.1.4" ], @@ -26479,9 +26519,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2018-25032", - "id": "pyup.io-52166", - "more_info_path": "/vulnerabilities/CVE-2018-25032/52166", + "cve": "CVE-2021-46828", + "id": "pyup.io-52164", + "more_info_path": "/vulnerabilities/CVE-2021-46828/52164", "specs": [ "<1.1.4" ], @@ -26489,9 +26529,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-4209", - "id": "pyup.io-52168", - "more_info_path": "/vulnerabilities/CVE-2021-4209/52168", + "cve": "CVE-2021-33574", + "id": "pyup.io-52153", + "more_info_path": "/vulnerabilities/CVE-2021-33574/52153", "specs": [ "<1.1.4" ], @@ -26499,9 +26539,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-37434", - "id": "pyup.io-52156", - "more_info_path": "/vulnerabilities/CVE-2022-37434/52156", + "cve": "CVE-2022-23219", + "id": "pyup.io-52151", + "more_info_path": "/vulnerabilities/CVE-2022-23219/52151", "specs": [ "<1.1.4" ], 
@@ -26509,9 +26549,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1292", - "id": "pyup.io-52154", - "more_info_path": "/vulnerabilities/CVE-2022-1292/52154", + "cve": "CVE-2021-3997", + "id": "pyup.io-52170", + "more_info_path": "/vulnerabilities/CVE-2021-3997/52170", "specs": [ "<1.1.4" ], @@ -26519,9 +26559,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-0778", - "id": "pyup.io-52165", - "more_info_path": "/vulnerabilities/CVE-2022-0778/52165", + "cve": "CVE-2022-23218", + "id": "pyup.io-52152", + "more_info_path": "/vulnerabilities/CVE-2022-23218/52152", "specs": [ "<1.1.4" ], @@ -26529,9 +26569,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-46828", - "id": "pyup.io-52164", - "more_info_path": "/vulnerabilities/CVE-2021-46828/52164", + "cve": "CVE-2022-1292", + "id": "pyup.io-52154", + "more_info_path": "/vulnerabilities/CVE-2022-1292/52154", "specs": [ "<1.1.4" ], @@ -26539,9 +26579,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-23218", - "id": "pyup.io-52152", - "more_info_path": "/vulnerabilities/CVE-2022-23218/52152", + "cve": "CVE-2022-40674", + "id": "pyup.io-52150", + "more_info_path": "/vulnerabilities/CVE-2022-40674/52150", "specs": [ "<1.1.4" ], 
@@ -26549,9 +26589,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-3999", - "id": "pyup.io-52160", - "more_info_path": "/vulnerabilities/CVE-2021-3999/52160", + "cve": "CVE-2018-25032", + "id": "pyup.io-52166", + "more_info_path": "/vulnerabilities/CVE-2018-25032/52166", "specs": [ "<1.1.4" ], @@ -26559,9 +26599,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-2509", - "id": "pyup.io-52163", - "more_info_path": "/vulnerabilities/CVE-2022-2509/52163", + "cve": "CVE-2022-0778", + "id": "pyup.io-52165", + "more_info_path": "/vulnerabilities/CVE-2022-0778/52165", "specs": [ "<1.1.4" ], @@ -26569,9 +26609,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-4160", - "id": "pyup.io-52169", - "more_info_path": "/vulnerabilities/CVE-2021-4160/52169", + "cve": "CVE-2022-1271", + "id": "pyup.io-52159", + "more_info_path": "/vulnerabilities/CVE-2022-1271/52159", "specs": [ "<1.1.4" ], @@ -26579,9 +26619,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1586", - "id": "pyup.io-52158", - "more_info_path": "/vulnerabilities/CVE-2022-1586/52158", + "cve": "CVE-2022-34903", + "id": "pyup.io-52167", + "more_info_path": "/vulnerabilities/CVE-2022-34903/52167", "specs": [ "<1.1.4" ], 
@@ -26589,9 +26629,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-3997", - "id": "pyup.io-52170", - "more_info_path": "/vulnerabilities/CVE-2021-3997/52170", + "cve": "CVE-2022-1587", + "id": "pyup.io-52157", + "more_info_path": "/vulnerabilities/CVE-2022-1587/52157", "specs": [ "<1.1.4" ], @@ -26599,9 +26639,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-33574", - "id": "pyup.io-52153", - "more_info_path": "/vulnerabilities/CVE-2021-33574/52153", + "cve": "CVE-2021-4209", + "id": "pyup.io-52168", + "more_info_path": "/vulnerabilities/CVE-2021-4209/52168", "specs": [ "<1.1.4" ], @@ -26609,9 +26649,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-34903", - "id": "pyup.io-52167", - "more_info_path": "/vulnerabilities/CVE-2022-34903/52167", + "cve": "CVE-2022-1586", + "id": "pyup.io-52158", + "more_info_path": "/vulnerabilities/CVE-2022-1586/52158", "specs": [ "<1.1.4" ], @@ -26619,9 +26659,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-23219", - "id": "pyup.io-52151", - "more_info_path": "/vulnerabilities/CVE-2022-23219/52151", + "cve": "CVE-2021-4160", + "id": "pyup.io-52169", + "more_info_path": "/vulnerabilities/CVE-2021-4160/52169", "specs": [ "<1.1.4" ], 
@@ -26827,6 +26867,18 @@ "v": "<4.0.42" } ], + "darwin-py": [ + { + "advisory": "Affected versions of darwin-py include workflows with overly broad permissions, which attackers could exploit to perform unauthorized actions. This poses a significant security risk, especially when strict access control is crucial.", + "cve": "PVE-2024-72920", + "id": "pyup.io-72920", + "more_info_path": "/vulnerabilities/PVE-2024-72920/72920", + "specs": [ + "<1.0.7" + ], + "v": "<1.0.7" + } + ], "dash": [ { "advisory": "Dash 1.20.0 fixes a potential XSS vulnerability by starting to validate callback request fields.\r\nhttps://github.com/plotly/dash/pull/1546", @@ -27142,6 +27194,18 @@ "v": "<2023.3.0" } ], + "data-safe-haven": [ + { + "advisory": "Data Safe Haven affected versions incorrectly handled CRAN package case sensitivity and privilege configurations, increasing the risk of typosquatting attacks. The update addresses these issues by preserving the original case of CRAN package names and correcting privilege path expressions. These changes prevent unauthorized package access, ensure accurate package allowlisting, and protect against typosquatting.", + "cve": "PVE-2024-72914", + "id": "pyup.io-72914", + "more_info_path": "/vulnerabilities/PVE-2024-72914/72914", + "specs": [ + "<4.1.0" + ], + "v": "<4.1.0" + } + ], "database-sanitizer": [ { "advisory": "Database-Sanitizer 1.1.0 includes a security patch for the function 'from_file' in 'database_sanitizer/config.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/andersinno/python-database-sanitizer/commit/ace4e0823d7b81c6f3bf683eb97193b36cc6c040#diff-6090be0559642595d2ff5ff2e9d265c6d152a75ef98845380436d0f06e0b3c19", 
@@ -27710,16 +27774,6 @@ ], "v": "<1.5.0" }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-27780", - "id": "pyup.io-50405", - "more_info_path": "/vulnerabilities/CVE-2022-27780/50405", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23571", @@ -28420,6 +28474,16 @@ ], "v": "<1.5.0" }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-27780", + "id": "pyup.io-50405", + "more_info_path": "/vulnerabilities/CVE-2022-27780/50405", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29202", @@ -28585,10 +28649,10 @@ "v": "<1.2.9" }, { - "advisory": "Dawgie 1.3.0 and 1.2.13 include a fix for an open redirect vulnerability.\r\nhttps://github.com/al-niessner/DAWGIE/issues/146", - "cve": "PVE-2022-50443", - "id": "pyup.io-50443", - "more_info_path": "/vulnerabilities/PVE-2022-50443/50443", + "advisory": "Dawgie 1.3.0 and 1.2.13 adds HTML sanitization to prevent injection attacks.\r\nhttps://github.com/al-niessner/DAWGIE/pull/93/commits/c4a4a2ffd88ea80a7c68a57c10d159c1e429e169", + "cve": "PVE-2022-50444", + "id": "pyup.io-50444", + "more_info_path": "/vulnerabilities/PVE-2022-50444/50444", "specs": [ ">=1.3.0rc0,<1.3.0", "<1.2.13" 
@@ -28596,10 +28660,10 @@ "v": ">=1.3.0rc0,<1.3.0,<1.2.13" }, { - "advisory": "Dawgie 1.3.0 and 1.2.13 adds HTML sanitization to prevent injection attacks.\r\nhttps://github.com/al-niessner/DAWGIE/pull/93/commits/c4a4a2ffd88ea80a7c68a57c10d159c1e429e169", - "cve": "PVE-2022-50444", - "id": "pyup.io-50444", - "more_info_path": "/vulnerabilities/PVE-2022-50444/50444", + "advisory": "Dawgie 1.3.0 and 1.2.13 include a fix for an open redirect vulnerability.\r\nhttps://github.com/al-niessner/DAWGIE/issues/146", + "cve": "PVE-2022-50443", + "id": "pyup.io-50443", + "more_info_path": "/vulnerabilities/PVE-2022-50443/50443", "specs": [ ">=1.3.0rc0,<1.3.0", "<1.2.13" @@ -29235,16 +29299,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37688", - "id": "pyup.io-48896", - "more_info_path": "/vulnerabilities/CVE-2021-37688/48896", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29614", @@ -29275,26 +29329,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29595", - "id": "pyup.io-48819", - "more_info_path": "/vulnerabilities/CVE-2021-29595/48819", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29599", - "id": "pyup.io-48823", - "more_info_path": "/vulnerabilities/CVE-2021-29599/48823", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29593", 
@@ -29305,16 +29339,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29532", - "id": "pyup.io-48756", - "more_info_path": "/vulnerabilities/CVE-2021-29532/48756", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29586", @@ -29355,26 +29379,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29548", - "id": "pyup.io-48772", - "more_info_path": "/vulnerabilities/CVE-2021-29548/48772", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29524", - "id": "pyup.io-48748", - "more_info_path": "/vulnerabilities/CVE-2021-29524/48748", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29579", 
@@ -29395,56 +29399,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29561", - "id": "pyup.io-48785", - "more_info_path": "/vulnerabilities/CVE-2021-29561/48785", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29608", - "id": "pyup.io-48832", - "more_info_path": "/vulnerabilities/CVE-2021-29608/48832", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29521", - "id": "pyup.io-48745", - "more_info_path": "/vulnerabilities/CVE-2021-29521/48745", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29578", - "id": "pyup.io-48802", - "more_info_path": "/vulnerabilities/CVE-2021-29578/48802", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37683", - "id": "pyup.io-48891", - "more_info_path": "/vulnerabilities/CVE-2021-37683/48891", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29597", 
@@ -29465,16 +29419,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29604", - "id": "pyup.io-48828", - "more_info_path": "/vulnerabilities/CVE-2021-29604/48828", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37673", @@ -29487,9 +29431,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29594", - "id": "pyup.io-48818", - "more_info_path": "/vulnerabilities/CVE-2021-29594/48818", + "cve": "CVE-2021-29604", + "id": "pyup.io-48828", + "more_info_path": "/vulnerabilities/CVE-2021-29604/48828", "specs": [ "<0.10.0rc1" ], @@ -29535,16 +29479,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29546", - "id": "pyup.io-48770", - "more_info_path": "/vulnerabilities/CVE-2021-29546/48770", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37644", @@ -29557,9 +29491,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37637", - "id": "pyup.io-48846", - "more_info_path": "/vulnerabilities/CVE-2021-37637/48846", + "cve": "CVE-2021-29603", + "id": "pyup.io-48827", + "more_info_path": "/vulnerabilities/CVE-2021-29603/48827", "specs": [ "<0.10.0rc1" ], 
@@ -29567,9 +29501,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29603", - "id": "pyup.io-48827", - "more_info_path": "/vulnerabilities/CVE-2021-29603/48827", + "cve": "CVE-2021-37637", + "id": "pyup.io-48846", + "more_info_path": "/vulnerabilities/CVE-2021-37637/48846", "specs": [ "<0.10.0rc1" ], @@ -29595,16 +29529,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29564", - "id": "pyup.io-48788", - "more_info_path": "/vulnerabilities/CVE-2021-29564/48788", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29568", @@ -29665,16 +29589,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29523", - "id": "pyup.io-48747", - "more_info_path": "/vulnerabilities/CVE-2021-29523/48747", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29538", @@ -29695,16 +29609,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29562", - "id": "pyup.io-48786", - "more_info_path": "/vulnerabilities/CVE-2021-29562/48786", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29577", 
@@ -29725,16 +29629,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29582", - "id": "pyup.io-48806", - "more_info_path": "/vulnerabilities/CVE-2021-29582/48806", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29583", @@ -29745,16 +29639,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29584", - "id": "pyup.io-48808", - "more_info_path": "/vulnerabilities/CVE-2021-29584/48808", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29587", @@ -29785,16 +29669,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29602", - "id": "pyup.io-48826", - "more_info_path": "/vulnerabilities/CVE-2021-29602/48826", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29606", 
@@ -29855,26 +29729,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37666", - "id": "pyup.io-48874", - "more_info_path": "/vulnerabilities/CVE-2021-37666/48874", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29519", - "id": "pyup.io-48743", - "more_info_path": "/vulnerabilities/CVE-2021-29519/48743", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29560", @@ -29885,16 +29739,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29576", - "id": "pyup.io-48800", - "more_info_path": "/vulnerabilities/CVE-2021-29576/48800", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29574", @@ -29915,16 +29759,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37662", - "id": "pyup.io-48870", - "more_info_path": "/vulnerabilities/CVE-2021-37662/48870", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29526", 
@@ -29955,16 +29789,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29522", - "id": "pyup.io-48746", - "more_info_path": "/vulnerabilities/CVE-2021-29522/48746", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37651", @@ -29975,16 +29799,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2020-8177", - "id": "pyup.io-48727", - "more_info_path": "/vulnerabilities/CVE-2020-8177/48727", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29547", @@ -29997,19 +29811,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-22901", - "id": "pyup.io-48735", - "more_info_path": "/vulnerabilities/CVE-2021-22901/48735", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-22897", - "id": "pyup.io-48733", - "more_info_path": "/vulnerabilities/CVE-2021-22897/48733", + "cve": "CVE-2021-37672", + "id": "pyup.io-48880", + "more_info_path": "/vulnerabilities/CVE-2021-37672/48880", "specs": [ "<0.10.0rc1" ], 
@@ -30025,16 +29829,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37672", - "id": "pyup.io-48880", - "more_info_path": "/vulnerabilities/CVE-2021-37672/48880", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29559", @@ -30055,16 +29849,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37652", - "id": "pyup.io-48860", - "more_info_path": "/vulnerabilities/CVE-2021-37652/48860", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29566", @@ -30105,26 +29889,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29530", - "id": "pyup.io-48754", - "more_info_path": "/vulnerabilities/CVE-2021-29530/48754", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29545", - "id": "pyup.io-48769", - "more_info_path": "/vulnerabilities/CVE-2021-29545/48769", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37674", 
@@ -30135,16 +29899,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29555", - "id": "pyup.io-48779", - "more_info_path": "/vulnerabilities/CVE-2021-29555/48779", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29550", @@ -30157,9 +29911,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29605", - "id": "pyup.io-48829", - "more_info_path": "/vulnerabilities/CVE-2021-29605/48829", + "cve": "CVE-2021-29555", + "id": "pyup.io-48779", + "more_info_path": "/vulnerabilities/CVE-2021-29555/48779", "specs": [ "<0.10.0rc1" ], @@ -30167,9 +29921,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29607", - "id": "pyup.io-48831", - "more_info_path": "/vulnerabilities/CVE-2021-29607/48831", + "cve": "CVE-2021-29605", + "id": "pyup.io-48829", + "more_info_path": "/vulnerabilities/CVE-2021-29605/48829", "specs": [ "<0.10.0rc1" ], @@ -30195,16 +29949,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37670", - "id": "pyup.io-48878", - "more_info_path": "/vulnerabilities/CVE-2021-37670/48878", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37675", 
@@ -30265,16 +30009,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37643", - "id": "pyup.io-48851", - "more_info_path": "/vulnerabilities/CVE-2021-37643/48851", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37663", @@ -30287,9 +30021,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29615", - "id": "pyup.io-48839", - "more_info_path": "/vulnerabilities/CVE-2021-29615/48839", + "cve": "CVE-2021-37635", + "id": "pyup.io-48844", + "more_info_path": "/vulnerabilities/CVE-2021-37635/48844", "specs": [ "<0.10.0rc1" ], @@ -30297,9 +30031,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37635", - "id": "pyup.io-48844", - "more_info_path": "/vulnerabilities/CVE-2021-37635/48844", + "cve": "CVE-2021-37643", + "id": "pyup.io-48851", + "more_info_path": "/vulnerabilities/CVE-2021-37643/48851", "specs": [ "<0.10.0rc1" ], @@ -30357,9 +30091,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29528", - "id": "pyup.io-48752", - "more_info_path": "/vulnerabilities/CVE-2021-29528/48752", + "cve": "CVE-2021-29585", + "id": "pyup.io-48809", + "more_info_path": "/vulnerabilities/CVE-2021-29585/48809", "specs": [ "<0.10.0rc1" ], 
@@ -30367,9 +30101,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29609", - "id": "pyup.io-48833", - "more_info_path": "/vulnerabilities/CVE-2021-29609/48833", + "cve": "CVE-2021-29528", + "id": "pyup.io-48752", + "more_info_path": "/vulnerabilities/CVE-2021-29528/48752", "specs": [ "<0.10.0rc1" ], @@ -30377,9 +30111,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29585", - "id": "pyup.io-48809", - "more_info_path": "/vulnerabilities/CVE-2021-29585/48809", + "cve": "CVE-2021-29600", + "id": "pyup.io-48824", + "more_info_path": "/vulnerabilities/CVE-2021-29600/48824", "specs": [ "<0.10.0rc1" ], @@ -30397,9 +30131,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29600", - "id": "pyup.io-48824", - "more_info_path": "/vulnerabilities/CVE-2021-29600/48824", + "cve": "CVE-2021-29609", + "id": "pyup.io-48833", + "more_info_path": "/vulnerabilities/CVE-2021-29609/48833", "specs": [ "<0.10.0rc1" ], @@ -30417,9 +30151,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29542", - "id": "pyup.io-48766", - "more_info_path": "/vulnerabilities/CVE-2021-29542/48766", + "cve": "CVE-2021-29544", + "id": "pyup.io-48768", + "more_info_path": "/vulnerabilities/CVE-2021-29544/48768", "specs": [ "<0.10.0rc1" ], @@ -30427,9 +30161,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29544", - "id": "pyup.io-48768", - "more_info_path": "/vulnerabilities/CVE-2021-29544/48768", + "cve": "CVE-2021-29542", + "id": "pyup.io-48766", + "more_info_path": "/vulnerabilities/CVE-2021-29542/48766", "specs": [ "<0.10.0rc1" ], 
@@ -30437,9 +30171,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29565", - "id": "pyup.io-48789", - "more_info_path": "/vulnerabilities/CVE-2021-29565/48789", + "cve": "CVE-2021-29552", + "id": "pyup.io-48776", + "more_info_path": "/vulnerabilities/CVE-2021-29552/48776", "specs": [ "<0.10.0rc1" ], @@ -30447,9 +30181,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29552", - "id": "pyup.io-48776", - "more_info_path": "/vulnerabilities/CVE-2021-29552/48776", + "cve": "CVE-2021-29565", + "id": "pyup.io-48789", + "more_info_path": "/vulnerabilities/CVE-2021-29565/48789", "specs": [ "<0.10.0rc1" ], @@ -30485,26 +30219,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37654", - "id": "pyup.io-48862", - "more_info_path": "/vulnerabilities/CVE-2021-37654/48862", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37656", - "id": "pyup.io-48864", - "more_info_path": "/vulnerabilities/CVE-2021-37656/48864", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37668", @@ -30517,9 +30231,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37689", - "id": "pyup.io-48897", - "more_info_path": "/vulnerabilities/CVE-2021-37689/48897", + "cve": "CVE-2021-37654", + "id": "pyup.io-48862", + "more_info_path": "/vulnerabilities/CVE-2021-37654/48862", "specs": [ "<0.10.0rc1" ], 
@@ -30527,9 +30241,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29591", - "id": "pyup.io-48815", - "more_info_path": "/vulnerabilities/CVE-2021-29591/48815", + "cve": "CVE-2021-37656", + "id": "pyup.io-48864", + "more_info_path": "/vulnerabilities/CVE-2021-37656/48864", "specs": [ "<0.10.0rc1" ], @@ -30537,9 +30251,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37665", - "id": "pyup.io-48873", - "more_info_path": "/vulnerabilities/CVE-2021-37665/48873", + "cve": "CVE-2021-37689", + "id": "pyup.io-48897", + "more_info_path": "/vulnerabilities/CVE-2021-37689/48897", "specs": [ "<0.10.0rc1" ], @@ -30585,26 +30299,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29589", - "id": "pyup.io-48813", - "more_info_path": "/vulnerabilities/CVE-2021-29589/48813", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29556", - "id": "pyup.io-48780", - "more_info_path": "/vulnerabilities/CVE-2021-29556/48780", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29537", @@ -30615,16 +30309,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29534", - "id": "pyup.io-48758", - "more_info_path": "/vulnerabilities/CVE-2021-29534/48758", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29514", 
@@ -30655,16 +30339,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37677", - "id": "pyup.io-48885", - "more_info_path": "/vulnerabilities/CVE-2021-37677/48885", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29518", @@ -30677,9 +30351,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37657", - "id": "pyup.io-48865", - "more_info_path": "/vulnerabilities/CVE-2021-37657/48865", + "cve": "CVE-2021-37677", + "id": "pyup.io-48885", + "more_info_path": "/vulnerabilities/CVE-2021-37677/48885", "specs": [ "<0.10.0rc1" ], @@ -30687,9 +30361,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37686", - "id": "pyup.io-48894", - "more_info_path": "/vulnerabilities/CVE-2021-37686/48894", + "cve": "CVE-2021-37657", + "id": "pyup.io-48865", + "more_info_path": "/vulnerabilities/CVE-2021-37657/48865", "specs": [ "<0.10.0rc1" ], @@ -30717,9 +30391,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29563", - "id": "pyup.io-48787", - "more_info_path": "/vulnerabilities/CVE-2021-29563/48787", + "cve": "CVE-2021-37686", + "id": "pyup.io-48894", + "more_info_path": "/vulnerabilities/CVE-2021-37686/48894", "specs": [ "<0.10.0rc1" ], 
@@ -30727,9 +30401,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-29610", - "id": "pyup.io-48834", - "more_info_path": "/vulnerabilities/CVE-2021-29610/48834", + "cve": "CVE-2021-29563", + "id": "pyup.io-48787", + "more_info_path": "/vulnerabilities/CVE-2021-29563/48787", "specs": [ "<0.10.0rc1" ], @@ -30767,9 +30441,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37682", - "id": "pyup.io-48890", - "more_info_path": "/vulnerabilities/CVE-2021-37682/48890", + "cve": "CVE-2021-29610", + "id": "pyup.io-48834", + "more_info_path": "/vulnerabilities/CVE-2021-29610/48834", "specs": [ "<0.10.0rc1" ], @@ -30777,9 +30451,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37685", - "id": "pyup.io-48893", - "more_info_path": "/vulnerabilities/CVE-2021-37685/48893", + "cve": "CVE-2021-37682", + "id": "pyup.io-48890", + "more_info_path": "/vulnerabilities/CVE-2021-37682/48890", "specs": [ "<0.10.0rc1" ], @@ -30835,16 +30509,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2021-37660", - "id": "pyup.io-48868", - "more_info_path": "/vulnerabilities/CVE-2021-37660/48868", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37687", 
@@ -30865,16 +30529,6 @@ ], "v": "<0.10.0rc1" }, - { - "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2020-8169", - "id": "pyup.io-48723", - "more_info_path": "/vulnerabilities/CVE-2020-8169/48723", - "specs": [ - "<0.10.0rc1" - ], - "v": "<0.10.0rc1" - }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29527", @@ -30927,9 +30581,9 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2020-8231", - "id": "pyup.io-48728", - "more_info_path": "/vulnerabilities/CVE-2020-8231/48728", + "cve": "CVE-2021-37688", + "id": "pyup.io-48896", + "more_info_path": "/vulnerabilities/CVE-2021-37688/48896", "specs": [ "<0.10.0rc1" ], 
@@ -30937,9 +30591,399 @@ }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", - "cve": "CVE-2020-8284", - "id": "pyup.io-48729", - "more_info_path": "/vulnerabilities/CVE-2020-8284/48729", + "cve": "CVE-2021-29595", + "id": "pyup.io-48819", + "more_info_path": "/vulnerabilities/CVE-2021-29595/48819", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29599", + "id": "pyup.io-48823", + "more_info_path": "/vulnerabilities/CVE-2021-29599/48823", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29532", + "id": "pyup.io-48756", + "more_info_path": "/vulnerabilities/CVE-2021-29532/48756", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29548", + "id": "pyup.io-48772", + "more_info_path": "/vulnerabilities/CVE-2021-29548/48772", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29524", + "id": "pyup.io-48748", + "more_info_path": "/vulnerabilities/CVE-2021-29524/48748", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29561", + "id": "pyup.io-48785", + "more_info_path": "/vulnerabilities/CVE-2021-29561/48785", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29608", + "id": 
"pyup.io-48832", + "more_info_path": "/vulnerabilities/CVE-2021-29608/48832", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29521", + "id": "pyup.io-48745", + "more_info_path": "/vulnerabilities/CVE-2021-29521/48745", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29578", + "id": "pyup.io-48802", + "more_info_path": "/vulnerabilities/CVE-2021-29578/48802", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37683", + "id": "pyup.io-48891", + "more_info_path": "/vulnerabilities/CVE-2021-37683/48891", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29594", + "id": "pyup.io-48818", + "more_info_path": "/vulnerabilities/CVE-2021-29594/48818", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29546", + "id": "pyup.io-48770", + "more_info_path": "/vulnerabilities/CVE-2021-29546/48770", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29564", + "id": "pyup.io-48788", + "more_info_path": "/vulnerabilities/CVE-2021-29564/48788", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29523", + "id": 
"pyup.io-48747", + "more_info_path": "/vulnerabilities/CVE-2021-29523/48747", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29562", + "id": "pyup.io-48786", + "more_info_path": "/vulnerabilities/CVE-2021-29562/48786", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29582", + "id": "pyup.io-48806", + "more_info_path": "/vulnerabilities/CVE-2021-29582/48806", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29584", + "id": "pyup.io-48808", + "more_info_path": "/vulnerabilities/CVE-2021-29584/48808", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29602", + "id": "pyup.io-48826", + "more_info_path": "/vulnerabilities/CVE-2021-29602/48826", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37666", + "id": "pyup.io-48874", + "more_info_path": "/vulnerabilities/CVE-2021-37666/48874", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29519", + "id": "pyup.io-48743", + "more_info_path": "/vulnerabilities/CVE-2021-29519/48743", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29576", + "id": 
"pyup.io-48800", + "more_info_path": "/vulnerabilities/CVE-2021-29576/48800", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37662", + "id": "pyup.io-48870", + "more_info_path": "/vulnerabilities/CVE-2021-37662/48870", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29522", + "id": "pyup.io-48746", + "more_info_path": "/vulnerabilities/CVE-2021-29522/48746", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2020-8177", + "id": "pyup.io-48727", + "more_info_path": "/vulnerabilities/CVE-2020-8177/48727", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-22901", + "id": "pyup.io-48735", + "more_info_path": "/vulnerabilities/CVE-2021-22901/48735", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-22897", + "id": "pyup.io-48733", + "more_info_path": "/vulnerabilities/CVE-2021-22897/48733", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37652", + "id": "pyup.io-48860", + "more_info_path": "/vulnerabilities/CVE-2021-37652/48860", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29530", + "id": 
"pyup.io-48754", + "more_info_path": "/vulnerabilities/CVE-2021-29530/48754", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29545", + "id": "pyup.io-48769", + "more_info_path": "/vulnerabilities/CVE-2021-29545/48769", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29607", + "id": "pyup.io-48831", + "more_info_path": "/vulnerabilities/CVE-2021-29607/48831", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37670", + "id": "pyup.io-48878", + "more_info_path": "/vulnerabilities/CVE-2021-37670/48878", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29615", + "id": "pyup.io-48839", + "more_info_path": "/vulnerabilities/CVE-2021-29615/48839", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29591", + "id": "pyup.io-48815", + "more_info_path": "/vulnerabilities/CVE-2021-29591/48815", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37665", + "id": "pyup.io-48873", + "more_info_path": "/vulnerabilities/CVE-2021-37665/48873", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29589", + "id": 
"pyup.io-48813", + "more_info_path": "/vulnerabilities/CVE-2021-29589/48813", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29556", + "id": "pyup.io-48780", + "more_info_path": "/vulnerabilities/CVE-2021-29556/48780", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-29534", + "id": "pyup.io-48758", + "more_info_path": "/vulnerabilities/CVE-2021-29534/48758", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37685", + "id": "pyup.io-48893", + "more_info_path": "/vulnerabilities/CVE-2021-37685/48893", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2021-37660", + "id": "pyup.io-48868", + "more_info_path": "/vulnerabilities/CVE-2021-37660/48868", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2020-8169", + "id": "pyup.io-48723", + "more_info_path": "/vulnerabilities/CVE-2020-8169/48723", "specs": [ "<0.10.0rc1" ], 
@@ -30956,14 +31000,24 @@ "v": "<0.10.0rc1" }, { - "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41228", - "id": "pyup.io-48938", - "more_info_path": "/vulnerabilities/CVE-2021-41228/48938", + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2020-8231", + "id": "pyup.io-48728", + "more_info_path": "/vulnerabilities/CVE-2020-8231/48728", "specs": [ - "<0.12.0rc0" + "<0.10.0rc1" ], - "v": "<0.12.0rc0" + "v": "<0.10.0rc1" + }, + { + "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", + "cve": "CVE-2020-8284", + "id": "pyup.io-48729", + "more_info_path": "/vulnerabilities/CVE-2020-8284/48729", + "specs": [ + "<0.10.0rc1" + ], + "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", @@ -31017,19 +31071,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21725", - "id": "pyup.io-48939", - "more_info_path": "/vulnerabilities/CVE-2022-21725/48939", - "specs": [ - "<0.12.0rc0" - ], - "v": "<0.12.0rc0" - }, - { - "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41217", - "id": "pyup.io-48928", - "more_info_path": "/vulnerabilities/CVE-2021-41217/48928", + "cve": "CVE-2022-21732", + "id": "pyup.io-48946", + "more_info_path": "/vulnerabilities/CVE-2022-21732/48946", "specs": [ "<0.12.0rc0" ], 
@@ -31047,9 +31091,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21732", - "id": "pyup.io-48946", - "more_info_path": "/vulnerabilities/CVE-2022-21732/48946", + "cve": "CVE-2022-21725", + "id": "pyup.io-48939", + "more_info_path": "/vulnerabilities/CVE-2022-21725/48939", "specs": [ "<0.12.0rc0" ], @@ -31077,9 +31121,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23577", - "id": "pyup.io-48976", - "more_info_path": "/vulnerabilities/CVE-2022-23577/48976", + "cve": "CVE-2021-41210", + "id": "pyup.io-48921", + "more_info_path": "/vulnerabilities/CVE-2021-41210/48921", "specs": [ "<0.12.0rc0" ], @@ -31087,9 +31131,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41210", - "id": "pyup.io-48921", - "more_info_path": "/vulnerabilities/CVE-2021-41210/48921", + "cve": "CVE-2022-23575", + "id": "pyup.io-48974", + "more_info_path": "/vulnerabilities/CVE-2022-23575/48974", "specs": [ "<0.12.0rc0" ], @@ -31097,9 +31141,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21731", - "id": "pyup.io-48945", - "more_info_path": "/vulnerabilities/CVE-2022-21731/48945", + "cve": "CVE-2021-41212", + "id": "pyup.io-48923", + "more_info_path": "/vulnerabilities/CVE-2021-41212/48923", "specs": [ "<0.12.0rc0" ], @@ -31107,9 +31151,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23575", - "id": "pyup.io-48974", - "more_info_path": "/vulnerabilities/CVE-2022-23575/48974", + "cve": "CVE-2022-23583", + "id": "pyup.io-48982", + "more_info_path": "/vulnerabilities/CVE-2022-23583/48982", "specs": [ "<0.12.0rc0" ], 
@@ -31117,9 +31161,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41212", - "id": "pyup.io-48923", - "more_info_path": "/vulnerabilities/CVE-2021-41212/48923", + "cve": "CVE-2022-23589", + "id": "pyup.io-48988", + "more_info_path": "/vulnerabilities/CVE-2022-23589/48988", "specs": [ "<0.12.0rc0" ], @@ -31127,9 +31171,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41223", - "id": "pyup.io-48933", - "more_info_path": "/vulnerabilities/CVE-2021-41223/48933", + "cve": "CVE-2021-41216", + "id": "pyup.io-48927", + "more_info_path": "/vulnerabilities/CVE-2021-41216/48927", "specs": [ "<0.12.0rc0" ], @@ -31137,9 +31181,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23583", - "id": "pyup.io-48982", - "more_info_path": "/vulnerabilities/CVE-2022-23583/48982", + "cve": "CVE-2021-41208", + "id": "pyup.io-48919", + "more_info_path": "/vulnerabilities/CVE-2021-41208/48919", "specs": [ "<0.12.0rc0" ], @@ -31147,9 +31191,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23589", - "id": "pyup.io-48988", - "more_info_path": "/vulnerabilities/CVE-2022-23589/48988", + "cve": "CVE-2021-41213", + "id": "pyup.io-48924", + "more_info_path": "/vulnerabilities/CVE-2021-41213/48924", "specs": [ "<0.12.0rc0" ], @@ -31157,9 +31201,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41206", - "id": "pyup.io-48917", - "more_info_path": "/vulnerabilities/CVE-2021-41206/48917", + "cve": "CVE-2021-41209", + "id": "pyup.io-48920", + "more_info_path": "/vulnerabilities/CVE-2021-41209/48920", "specs": [ "<0.12.0rc0" ], 
@@ -31167,9 +31211,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41201", - "id": "pyup.io-48912", - "more_info_path": "/vulnerabilities/CVE-2021-41201/48912", + "cve": "CVE-2022-23569", + "id": "pyup.io-48968", + "more_info_path": "/vulnerabilities/CVE-2022-23569/48968", "specs": [ "<0.12.0rc0" ], @@ -31177,9 +31221,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41216", - "id": "pyup.io-48927", - "more_info_path": "/vulnerabilities/CVE-2021-41216/48927", + "cve": "CVE-2022-23568", + "id": "pyup.io-48967", + "more_info_path": "/vulnerabilities/CVE-2022-23568/48967", "specs": [ "<0.12.0rc0" ], @@ -31187,9 +31231,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23586", - "id": "pyup.io-48985", - "more_info_path": "/vulnerabilities/CVE-2022-23586/48985", + "cve": "CVE-2022-23567", + "id": "pyup.io-48966", + "more_info_path": "/vulnerabilities/CVE-2022-23567/48966", "specs": [ "<0.12.0rc0" ], @@ -31197,9 +31241,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41208", - "id": "pyup.io-48919", - "more_info_path": "/vulnerabilities/CVE-2021-41208/48919", + "cve": "CVE-2022-23574", + "id": "pyup.io-48973", + "more_info_path": "/vulnerabilities/CVE-2022-23574/48973", "specs": [ "<0.12.0rc0" ], @@ -31207,9 +31251,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41213", - "id": "pyup.io-48924", - "more_info_path": "/vulnerabilities/CVE-2021-41213/48924", + "cve": "CVE-2022-23580", + "id": "pyup.io-48979", + "more_info_path": "/vulnerabilities/CVE-2022-23580/48979", "specs": [ "<0.12.0rc0" ], 
@@ -31217,9 +31261,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41209", - "id": "pyup.io-48920", - "more_info_path": "/vulnerabilities/CVE-2021-41209/48920", + "cve": "CVE-2021-41227", + "id": "pyup.io-48937", + "more_info_path": "/vulnerabilities/CVE-2021-41227/48937", "specs": [ "<0.12.0rc0" ], @@ -31227,9 +31271,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41219", - "id": "pyup.io-48930", - "more_info_path": "/vulnerabilities/CVE-2021-41219/48930", + "cve": "CVE-2022-21734", + "id": "pyup.io-48948", + "more_info_path": "/vulnerabilities/CVE-2022-21734/48948", "specs": [ "<0.12.0rc0" ], @@ -31237,9 +31281,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23582", - "id": "pyup.io-48981", - "more_info_path": "/vulnerabilities/CVE-2022-23582/48981", + "cve": "CVE-2022-21728", + "id": "pyup.io-48942", + "more_info_path": "/vulnerabilities/CVE-2022-21728/48942", "specs": [ "<0.12.0rc0" ], @@ -31247,9 +31291,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41218", - "id": "pyup.io-48929", - "more_info_path": "/vulnerabilities/CVE-2021-41218/48929", + "cve": "CVE-2022-23591", + "id": "pyup.io-48989", + "more_info_path": "/vulnerabilities/CVE-2022-23591/48989", "specs": [ "<0.12.0rc0" ], @@ -31257,9 +31301,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21733", - "id": "pyup.io-48947", - "more_info_path": "/vulnerabilities/CVE-2022-21733/48947", + "cve": "CVE-2022-23588", + "id": "pyup.io-48987", + "more_info_path": "/vulnerabilities/CVE-2022-23588/48987", "specs": [ "<0.12.0rc0" ], 
@@ -31267,9 +31311,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23569", - "id": "pyup.io-48968", - "more_info_path": "/vulnerabilities/CVE-2022-23569/48968", + "cve": "CVE-2021-41204", + "id": "pyup.io-48915", + "more_info_path": "/vulnerabilities/CVE-2021-41204/48915", "specs": [ "<0.12.0rc0" ], @@ -31277,9 +31321,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41197", - "id": "pyup.io-48908", - "more_info_path": "/vulnerabilities/CVE-2021-41197/48908", + "cve": "CVE-2021-41225", + "id": "pyup.io-48935", + "more_info_path": "/vulnerabilities/CVE-2021-41225/48935", "specs": [ "<0.12.0rc0" ], @@ -31287,9 +31331,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21737", - "id": "pyup.io-48951", - "more_info_path": "/vulnerabilities/CVE-2022-21737/48951", + "cve": "CVE-2022-23557", + "id": "pyup.io-48956", + "more_info_path": "/vulnerabilities/CVE-2022-23557/48956", "specs": [ "<0.12.0rc0" ], @@ -31297,9 +31341,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23567", - "id": "pyup.io-48966", - "more_info_path": "/vulnerabilities/CVE-2022-23567/48966", + "cve": "CVE-2022-23579", + "id": "pyup.io-48978", + "more_info_path": "/vulnerabilities/CVE-2022-23579/48978", "specs": [ "<0.12.0rc0" ], @@ -31307,9 +31351,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23568", - "id": "pyup.io-48967", - "more_info_path": "/vulnerabilities/CVE-2022-23568/48967", + "cve": "CVE-2022-23571", + "id": "pyup.io-48970", + "more_info_path": "/vulnerabilities/CVE-2022-23571/48970", "specs": [ "<0.12.0rc0" ], 
@@ -31317,9 +31361,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23574", - "id": "pyup.io-48973", - "more_info_path": "/vulnerabilities/CVE-2022-23574/48973", + "cve": "CVE-2022-23566", + "id": "pyup.io-48965", + "more_info_path": "/vulnerabilities/CVE-2022-23566/48965", "specs": [ "<0.12.0rc0" ], @@ -31327,9 +31371,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23580", - "id": "pyup.io-48979", - "more_info_path": "/vulnerabilities/CVE-2022-23580/48979", + "cve": "CVE-2022-23595", + "id": "pyup.io-48990", + "more_info_path": "/vulnerabilities/CVE-2022-23595/48990", "specs": [ "<0.12.0rc0" ], @@ -31337,9 +31381,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41196", - "id": "pyup.io-48907", - "more_info_path": "/vulnerabilities/CVE-2021-41196/48907", + "cve": "CVE-2022-23578", + "id": "pyup.io-48977", + "more_info_path": "/vulnerabilities/CVE-2022-23578/48977", "specs": [ "<0.12.0rc0" ], @@ -31347,9 +31391,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41214", - "id": "pyup.io-48925", - "more_info_path": "/vulnerabilities/CVE-2021-41214/48925", + "cve": "CVE-2022-21726", + "id": "pyup.io-48940", + "more_info_path": "/vulnerabilities/CVE-2022-21726/48940", "specs": [ "<0.12.0rc0" ], @@ -31357,9 +31401,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41227", - "id": "pyup.io-48937", - "more_info_path": "/vulnerabilities/CVE-2021-41227/48937", + "cve": "CVE-2021-41224", + "id": "pyup.io-48934", + "more_info_path": "/vulnerabilities/CVE-2021-41224/48934", "specs": [ "<0.12.0rc0" ], 
@@ -31367,9 +31411,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21734", - "id": "pyup.io-48948", - "more_info_path": "/vulnerabilities/CVE-2022-21734/48948", + "cve": "CVE-2022-23562", + "id": "pyup.io-48961", + "more_info_path": "/vulnerabilities/CVE-2022-23562/48961", "specs": [ "<0.12.0rc0" ], @@ -31377,9 +31421,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21728", - "id": "pyup.io-48942", - "more_info_path": "/vulnerabilities/CVE-2022-21728/48942", + "cve": "CVE-2022-23581", + "id": "pyup.io-48980", + "more_info_path": "/vulnerabilities/CVE-2022-23581/48980", "specs": [ "<0.12.0rc0" ], @@ -31387,9 +31431,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21729", - "id": "pyup.io-48943", - "more_info_path": "/vulnerabilities/CVE-2022-21729/48943", + "cve": "CVE-2021-41221", + "id": "pyup.io-48931", + "more_info_path": "/vulnerabilities/CVE-2021-41221/48931", "specs": [ "<0.12.0rc0" ], @@ -31397,9 +31441,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21738", - "id": "pyup.io-48952", - "more_info_path": "/vulnerabilities/CVE-2022-21738/48952", + "cve": "CVE-2022-21735", + "id": "pyup.io-48949", + "more_info_path": "/vulnerabilities/CVE-2022-21735/48949", "specs": [ "<0.12.0rc0" ], @@ -31407,9 +31451,9 @@ }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23591", - "id": "pyup.io-48989", - "more_info_path": "/vulnerabilities/CVE-2022-23591/48989", + "cve": "CVE-2021-41207", + "id": "pyup.io-48918", + "more_info_path": "/vulnerabilities/CVE-2021-41207/48918", "specs": [ "<0.12.0rc0" ], 
@@ -31417,9 +31461,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23588",
- "id": "pyup.io-48987",
- "more_info_path": "/vulnerabilities/CVE-2022-23588/48987",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-48906",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/48906",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31427,9 +31471,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41204",
- "id": "pyup.io-48915",
- "more_info_path": "/vulnerabilities/CVE-2021-41204/48915",
+ "cve": "CVE-2022-23587",
+ "id": "pyup.io-48986",
+ "more_info_path": "/vulnerabilities/CVE-2022-23587/48986",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31437,9 +31481,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41215",
- "id": "pyup.io-48926",
- "more_info_path": "/vulnerabilities/CVE-2021-41215/48926",
+ "cve": "CVE-2021-41222",
+ "id": "pyup.io-48932",
+ "more_info_path": "/vulnerabilities/CVE-2021-41222/48932",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31447,9 +31491,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41225",
- "id": "pyup.io-48935",
- "more_info_path": "/vulnerabilities/CVE-2021-41225/48935",
+ "cve": "CVE-2022-23564",
+ "id": "pyup.io-48963",
+ "more_info_path": "/vulnerabilities/CVE-2022-23564/48963",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31457,9 +31501,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-21727",
- "id": "pyup.io-48941",
- "more_info_path": "/vulnerabilities/CVE-2022-21727/48941",
+ "cve": "CVE-2021-41205",
+ "id": "pyup.io-48916",
+ "more_info_path": "/vulnerabilities/CVE-2021-41205/48916",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31467,9 +31511,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23557",
- "id": "pyup.io-48956",
- "more_info_path": "/vulnerabilities/CVE-2022-23557/48956",
+ "cve": "CVE-2022-23565",
+ "id": "pyup.io-48964",
+ "more_info_path": "/vulnerabilities/CVE-2022-23565/48964",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31477,9 +31521,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23579",
- "id": "pyup.io-48978",
- "more_info_path": "/vulnerabilities/CVE-2022-23579/48978",
+ "cve": "CVE-2022-23558",
+ "id": "pyup.io-48957",
+ "more_info_path": "/vulnerabilities/CVE-2022-23558/48957",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31487,9 +31531,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2020-10531",
- "id": "pyup.io-48900",
- "more_info_path": "/vulnerabilities/CVE-2020-10531/48900",
+ "cve": "CVE-2022-23585",
+ "id": "pyup.io-48984",
+ "more_info_path": "/vulnerabilities/CVE-2022-23585/48984",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31497,9 +31541,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-21730",
- "id": "pyup.io-48944",
- "more_info_path": "/vulnerabilities/CVE-2022-21730/48944",
+ "cve": "CVE-2021-41202",
+ "id": "pyup.io-48913",
+ "more_info_path": "/vulnerabilities/CVE-2021-41202/48913",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31507,9 +31551,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23572",
- "id": "pyup.io-48971",
- "more_info_path": "/vulnerabilities/CVE-2022-23572/48971",
+ "cve": "CVE-2021-41198",
+ "id": "pyup.io-48909",
+ "more_info_path": "/vulnerabilities/CVE-2021-41198/48909",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31517,9 +31561,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23576",
- "id": "pyup.io-48975",
- "more_info_path": "/vulnerabilities/CVE-2022-23576/48975",
+ "cve": "CVE-2022-23559",
+ "id": "pyup.io-48958",
+ "more_info_path": "/vulnerabilities/CVE-2022-23559/48958",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31527,9 +31571,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23571",
- "id": "pyup.io-48970",
- "more_info_path": "/vulnerabilities/CVE-2022-23571/48970",
+ "cve": "CVE-2022-23561",
+ "id": "pyup.io-48960",
+ "more_info_path": "/vulnerabilities/CVE-2022-23561/48960",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31537,9 +31581,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-22924",
- "id": "pyup.io-48903",
- "more_info_path": "/vulnerabilities/CVE-2021-22924/48903",
+ "cve": "CVE-2021-41228",
+ "id": "pyup.io-48938",
+ "more_info_path": "/vulnerabilities/CVE-2021-41228/48938",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31547,9 +31591,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23566",
- "id": "pyup.io-48965",
- "more_info_path": "/vulnerabilities/CVE-2022-23566/48965",
+ "cve": "CVE-2021-41217",
+ "id": "pyup.io-48928",
+ "more_info_path": "/vulnerabilities/CVE-2021-41217/48928",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31557,9 +31601,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23595",
- "id": "pyup.io-48990",
- "more_info_path": "/vulnerabilities/CVE-2022-23595/48990",
+ "cve": "CVE-2022-23577",
+ "id": "pyup.io-48976",
+ "more_info_path": "/vulnerabilities/CVE-2022-23577/48976",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31567,9 +31611,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23578",
- "id": "pyup.io-48977",
- "more_info_path": "/vulnerabilities/CVE-2022-23578/48977",
+ "cve": "CVE-2022-21731",
+ "id": "pyup.io-48945",
+ "more_info_path": "/vulnerabilities/CVE-2022-21731/48945",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31577,9 +31621,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41224",
- "id": "pyup.io-48934",
- "more_info_path": "/vulnerabilities/CVE-2021-41224/48934",
+ "cve": "CVE-2021-41223",
+ "id": "pyup.io-48933",
+ "more_info_path": "/vulnerabilities/CVE-2021-41223/48933",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31587,9 +31631,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-21726",
- "id": "pyup.io-48940",
- "more_info_path": "/vulnerabilities/CVE-2022-21726/48940",
+ "cve": "CVE-2021-41206",
+ "id": "pyup.io-48917",
+ "more_info_path": "/vulnerabilities/CVE-2021-41206/48917",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31597,9 +31641,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-21740",
- "id": "pyup.io-48954",
- "more_info_path": "/vulnerabilities/CVE-2022-21740/48954",
+ "cve": "CVE-2021-41201",
+ "id": "pyup.io-48912",
+ "more_info_path": "/vulnerabilities/CVE-2021-41201/48912",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31607,9 +31651,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23562",
- "id": "pyup.io-48961",
- "more_info_path": "/vulnerabilities/CVE-2022-23562/48961",
+ "cve": "CVE-2022-23586",
+ "id": "pyup.io-48985",
+ "more_info_path": "/vulnerabilities/CVE-2022-23586/48985",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31617,9 +31661,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41211",
- "id": "pyup.io-48922",
- "more_info_path": "/vulnerabilities/CVE-2021-41211/48922",
+ "cve": "CVE-2021-41219",
+ "id": "pyup.io-48930",
+ "more_info_path": "/vulnerabilities/CVE-2021-41219/48930",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31627,9 +31671,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23581",
- "id": "pyup.io-48980",
- "more_info_path": "/vulnerabilities/CVE-2022-23581/48980",
+ "cve": "CVE-2022-23582",
+ "id": "pyup.io-48981",
+ "more_info_path": "/vulnerabilities/CVE-2022-23582/48981",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31637,9 +31681,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41221",
- "id": "pyup.io-48931",
- "more_info_path": "/vulnerabilities/CVE-2021-41221/48931",
+ "cve": "CVE-2021-41218",
+ "id": "pyup.io-48929",
+ "more_info_path": "/vulnerabilities/CVE-2021-41218/48929",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31647,9 +31691,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-21735",
- "id": "pyup.io-48949",
- "more_info_path": "/vulnerabilities/CVE-2022-21735/48949",
+ "cve": "CVE-2022-21733",
+ "id": "pyup.io-48947",
+ "more_info_path": "/vulnerabilities/CVE-2022-21733/48947",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31657,9 +31701,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41195",
- "id": "pyup.io-48906",
- "more_info_path": "/vulnerabilities/CVE-2021-41195/48906",
+ "cve": "CVE-2021-41197",
+ "id": "pyup.io-48908",
+ "more_info_path": "/vulnerabilities/CVE-2021-41197/48908",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31667,9 +31711,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41207",
- "id": "pyup.io-48918",
- "more_info_path": "/vulnerabilities/CVE-2021-41207/48918",
+ "cve": "CVE-2022-21737",
+ "id": "pyup.io-48951",
+ "more_info_path": "/vulnerabilities/CVE-2022-21737/48951",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31677,9 +31721,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23587",
- "id": "pyup.io-48986",
- "more_info_path": "/vulnerabilities/CVE-2022-23587/48986",
+ "cve": "CVE-2021-41196",
+ "id": "pyup.io-48907",
+ "more_info_path": "/vulnerabilities/CVE-2021-41196/48907",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31687,9 +31731,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41222",
- "id": "pyup.io-48932",
- "more_info_path": "/vulnerabilities/CVE-2021-41222/48932",
+ "cve": "CVE-2021-41214",
+ "id": "pyup.io-48925",
+ "more_info_path": "/vulnerabilities/CVE-2021-41214/48925",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31697,9 +31741,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23564",
- "id": "pyup.io-48963",
- "more_info_path": "/vulnerabilities/CVE-2022-23564/48963",
+ "cve": "CVE-2022-21729",
+ "id": "pyup.io-48943",
+ "more_info_path": "/vulnerabilities/CVE-2022-21729/48943",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31707,9 +31751,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41205",
- "id": "pyup.io-48916",
- "more_info_path": "/vulnerabilities/CVE-2021-41205/48916",
+ "cve": "CVE-2022-21738",
+ "id": "pyup.io-48952",
+ "more_info_path": "/vulnerabilities/CVE-2022-21738/48952",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31717,9 +31761,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23565",
- "id": "pyup.io-48964",
- "more_info_path": "/vulnerabilities/CVE-2022-23565/48964",
+ "cve": "CVE-2021-41215",
+ "id": "pyup.io-48926",
+ "more_info_path": "/vulnerabilities/CVE-2021-41215/48926",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31727,9 +31771,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23558",
- "id": "pyup.io-48957",
- "more_info_path": "/vulnerabilities/CVE-2022-23558/48957",
+ "cve": "CVE-2022-21727",
+ "id": "pyup.io-48941",
+ "more_info_path": "/vulnerabilities/CVE-2022-21727/48941",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31737,9 +31781,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23585",
- "id": "pyup.io-48984",
- "more_info_path": "/vulnerabilities/CVE-2022-23585/48984",
+ "cve": "CVE-2020-10531",
+ "id": "pyup.io-48900",
+ "more_info_path": "/vulnerabilities/CVE-2020-10531/48900",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31747,9 +31791,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41202",
- "id": "pyup.io-48913",
- "more_info_path": "/vulnerabilities/CVE-2021-41202/48913",
+ "cve": "CVE-2022-21730",
+ "id": "pyup.io-48944",
+ "more_info_path": "/vulnerabilities/CVE-2022-21730/48944",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31757,9 +31801,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23573",
- "id": "pyup.io-48972",
- "more_info_path": "/vulnerabilities/CVE-2022-23573/48972",
+ "cve": "CVE-2022-23572",
+ "id": "pyup.io-48971",
+ "more_info_path": "/vulnerabilities/CVE-2022-23572/48971",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31767,9 +31811,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41203",
- "id": "pyup.io-48914",
- "more_info_path": "/vulnerabilities/CVE-2021-41203/48914",
+ "cve": "CVE-2022-23576",
+ "id": "pyup.io-48975",
+ "more_info_path": "/vulnerabilities/CVE-2022-23576/48975",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31777,9 +31821,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-21741",
- "id": "pyup.io-48955",
- "more_info_path": "/vulnerabilities/CVE-2022-21741/48955",
+ "cve": "CVE-2021-22924",
+ "id": "pyup.io-48903",
+ "more_info_path": "/vulnerabilities/CVE-2021-22924/48903",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31787,9 +31831,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-41198",
- "id": "pyup.io-48909",
- "more_info_path": "/vulnerabilities/CVE-2021-41198/48909",
+ "cve": "CVE-2022-21740",
+ "id": "pyup.io-48954",
+ "more_info_path": "/vulnerabilities/CVE-2022-21740/48954",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31797,9 +31841,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23570",
- "id": "pyup.io-48969",
- "more_info_path": "/vulnerabilities/CVE-2022-23570/48969",
+ "cve": "CVE-2021-41211",
+ "id": "pyup.io-48922",
+ "more_info_path": "/vulnerabilities/CVE-2021-41211/48922",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31807,9 +31851,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23559",
- "id": "pyup.io-48958",
- "more_info_path": "/vulnerabilities/CVE-2022-23559/48958",
+ "cve": "CVE-2022-23573",
+ "id": "pyup.io-48972",
+ "more_info_path": "/vulnerabilities/CVE-2022-23573/48972",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31817,9 +31861,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2022-23561",
- "id": "pyup.io-48960",
- "more_info_path": "/vulnerabilities/CVE-2022-23561/48960",
+ "cve": "CVE-2021-41203",
+ "id": "pyup.io-48914",
+ "more_info_path": "/vulnerabilities/CVE-2021-41203/48914",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31827,9 +31871,9 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-22922",
- "id": "pyup.io-48901",
- "more_info_path": "/vulnerabilities/CVE-2021-22922/48901",
+ "cve": "CVE-2022-21741",
+ "id": "pyup.io-48955",
+ "more_info_path": "/vulnerabilities/CVE-2022-21741/48955",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31837,9 +31881,19 @@
 },
 {
 "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
- "cve": "CVE-2021-22925",
- "id": "pyup.io-48904",
- "more_info_path": "/vulnerabilities/CVE-2021-22925/48904",
+ "cve": "CVE-2022-23570",
+ "id": "pyup.io-48969",
+ "more_info_path": "/vulnerabilities/CVE-2022-23570/48969",
+ "specs": [
+ "<0.12.0rc0"
+ ],
+ "v": "<0.12.0rc0"
+ },
+ {
+ "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-22922",
+ "id": "pyup.io-48901",
+ "more_info_path": "/vulnerabilities/CVE-2021-22922/48901",
 "specs": [
 "<0.12.0rc0"
 ],
@@ -31865,6 +31919,16 @@
 ],
 "v": "<0.12.0rc0"
 },
+ {
+ "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-22925",
+ "id": "pyup.io-48904",
+ "more_info_path": "/vulnerabilities/CVE-2021-22925/48904",
+ "specs": [
+ "<0.12.0rc0"
+ ],
+ "v": "<0.12.0rc0"
+ },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
 "cve": "CVE-2020-13434",
@@ -31897,9 +31961,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15209",
- "id": "pyup.io-48701",
- "more_info_path": "/vulnerabilities/CVE-2020-15209/48701",
+ "cve": "CVE-2020-15206",
+ "id": "pyup.io-48698",
+ "more_info_path": "/vulnerabilities/CVE-2020-15206/48698",
 "specs": [
 "<0.8"
 ],
@@ -31907,9 +31971,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15206",
- "id": "pyup.io-48698",
- "more_info_path": "/vulnerabilities/CVE-2020-15206/48698",
+ "cve": "CVE-2020-15209",
+ "id": "pyup.io-48701",
+ "more_info_path": "/vulnerabilities/CVE-2020-15209/48701",
 "specs": [
 "<0.8"
 ],
@@ -31955,16 +32019,6 @@
 ],
 "v": "<0.8"
 },
- {
- "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-26270",
- "id": "pyup.io-48708",
- "more_info_path": "/vulnerabilities/CVE-2020-26270/48708",
- "specs": [
- "<0.8"
- ],
- "v": "<0.8"
- },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
 "cve": "CVE-2019-19244",
@@ -32045,26 +32099,6 @@
 ],
 "v": "<0.8"
 },
- {
- "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-26268",
- "id": "pyup.io-48707",
- "more_info_path": "/vulnerabilities/CVE-2020-26268/48707",
- "specs": [
- "<0.8"
- ],
- "v": "<0.8"
- },
- {
- "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-14155",
- "id": "pyup.io-48690",
- "more_info_path": "/vulnerabilities/CVE-2020-14155/48690",
- "specs": [
- "<0.8"
- ],
- "v": "<0.8"
- },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
 "cve": "CVE-2020-13631",
@@ -32137,9 +32171,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2019-16778",
- "id": "pyup.io-48674",
- "more_info_path": "/vulnerabilities/CVE-2019-16778/48674",
+ "cve": "CVE-2018-19664",
+ "id": "pyup.io-48668",
+ "more_info_path": "/vulnerabilities/CVE-2018-19664/48668",
 "specs": [
 "<0.8"
 ],
@@ -32147,9 +32181,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2018-19664",
- "id": "pyup.io-48668",
- "more_info_path": "/vulnerabilities/CVE-2018-19664/48668",
+ "cve": "CVE-2019-16778",
+ "id": "pyup.io-48674",
+ "more_info_path": "/vulnerabilities/CVE-2019-16778/48674",
 "specs": [
 "<0.8"
 ],
@@ -32217,9 +32251,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2018-17190",
- "id": "pyup.io-48667",
- "more_info_path": "/vulnerabilities/CVE-2018-17190/48667",
+ "cve": "CVE-2020-26270",
+ "id": "pyup.io-48708",
+ "more_info_path": "/vulnerabilities/CVE-2020-26270/48708",
 "specs": [
 "<0.8"
 ],
@@ -32227,9 +32261,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-13871",
- "id": "pyup.io-48689",
- "more_info_path": "/vulnerabilities/CVE-2020-13871/48689",
+ "cve": "CVE-2020-26268",
+ "id": "pyup.io-48707",
+ "more_info_path": "/vulnerabilities/CVE-2020-26268/48707",
 "specs": [
 "<0.8"
 ],
@@ -32237,9 +32271,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-13630",
- "id": "pyup.io-48686",
- "more_info_path": "/vulnerabilities/CVE-2020-13630/48686",
+ "cve": "CVE-2020-14155",
+ "id": "pyup.io-48690",
+ "more_info_path": "/vulnerabilities/CVE-2020-14155/48690",
 "specs": [
 "<0.8"
 ],
@@ -32247,9 +32281,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-13790",
- "id": "pyup.io-48688",
- "more_info_path": "/vulnerabilities/CVE-2020-13790/48688",
+ "cve": "CVE-2020-13871",
+ "id": "pyup.io-48689",
+ "more_info_path": "/vulnerabilities/CVE-2020-13871/48689",
 "specs": [
 "<0.8"
 ],
@@ -32277,9 +32311,9 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2019-10099",
- "id": "pyup.io-48670",
- "more_info_path": "/vulnerabilities/CVE-2019-10099/48670",
+ "cve": "CVE-2019-20838",
+ "id": "pyup.io-48679",
+ "more_info_path": "/vulnerabilities/CVE-2019-20838/48679",
 "specs": [
 "<0.8"
 ],
@@ -32287,9 +32321,39 @@
 },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2019-20838",
- "id": "pyup.io-48679",
- "more_info_path": "/vulnerabilities/CVE-2019-20838/48679",
+ "cve": "CVE-2018-17190",
+ "id": "pyup.io-48667",
+ "more_info_path": "/vulnerabilities/CVE-2018-17190/48667",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ },
+ {
+ "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
+ "cve": "CVE-2020-13630",
+ "id": "pyup.io-48686",
+ "more_info_path": "/vulnerabilities/CVE-2020-13630/48686",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ },
+ {
+ "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
+ "cve": "CVE-2020-13790",
+ "id": "pyup.io-48688",
+ "more_info_path": "/vulnerabilities/CVE-2020-13790/48688",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ },
+ {
+ "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
+ "cve": "CVE-2019-10099",
+ "id": "pyup.io-48670",
+ "more_info_path": "/vulnerabilities/CVE-2019-10099/48670",
 "specs": [
 "<0.8"
 ],
@@ -32315,16 +32379,6 @@
 ],
 "v": "<0.8"
 },
- {
- "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
- "cve": "CVE-2020-26271",
- "id": "pyup.io-48722",
- "more_info_path": "/vulnerabilities/CVE-2020-26271/48722",
- "specs": [
- "<0.9"
- ],
- "v": "<0.9"
- },
 {
 "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
 "cve": "CVE-2020-26266",
@@ -32345,16 +32399,6 @@
 ],
 "v": "<0.9"
 },
- {
- "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
- "cve": "CVE-2020-13790",
- "id": "pyup.io-48713",
- "more_info_path": "/vulnerabilities/CVE-2020-13790/48713",
- "specs": [
- "<0.9"
- ],
- "v": "<0.9"
- },
 {
 "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
 "cve": "CVE-2020-14155",
@@ -32405,6 +32449,26 @@
 ],
 "v": "<0.9"
 },
+ {
+ "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
+ "cve": "CVE-2020-26271",
+ "id": "pyup.io-48722",
+ "more_info_path": "/vulnerabilities/CVE-2020-26271/48722",
+ "specs": [
+ "<0.9"
+ ],
+ "v": "<0.9"
+ },
+ {
+ "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
+ "cve": "CVE-2020-13790",
+ "id": "pyup.io-48713",
+ "more_info_path": "/vulnerabilities/CVE-2020-13790/48713",
+ "specs": [
+ "<0.9"
+ ],
+ "v": "<0.9"
+ },
 {
 "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.",
 "cve": "CVE-2020-15250",
@@ -32676,18 +32740,6 @@
 "v": "<0.6.2"
 }
 ],
- "deepspeed": [
- {
- "advisory": "Deepspeed 0.6.2 updates its GEM dependency 'commonmarker' to v0.23.4 to include a security fix.",
- "cve": "CVE-2022-24724",
- "id": "pyup.io-48298",
- "more_info_path": "/vulnerabilities/CVE-2022-24724/48298",
- "specs": [
- "<0.6.2"
- ],
- "v": "<0.6.2"
- }
- ],
 "definitions": [
 {
 "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.",
@@ -33099,16 +33151,6 @@
 ],
 "v": "<0.17.0rc0"
 },
- {
- "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41210",
- "id": "pyup.io-43338",
- "more_info_path": "/vulnerabilities/CVE-2021-41210/43338",
- "specs": [
- "<0.17.4rc0"
- ],
- "v": "<0.17.4rc0"
- },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
 "cve": "CVE-2021-41198",
@@ -33171,9 +33213,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41212",
- "id": "pyup.io-43337",
- "more_info_path": "/vulnerabilities/CVE-2021-41212/43337",
+ "cve": "CVE-2021-41197",
+ "id": "pyup.io-43342",
+ "more_info_path": "/vulnerabilities/CVE-2021-41197/43342",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33181,9 +33223,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41197",
- "id": "pyup.io-43342",
- "more_info_path": "/vulnerabilities/CVE-2021-41197/43342",
+ "cve": "CVE-2021-41212",
+ "id": "pyup.io-43337",
+ "more_info_path": "/vulnerabilities/CVE-2021-41212/43337",
 "specs": [
 "<0.17.4rc0"
 ],
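Review bot: The first hunk drops the only `deepspeed` advisory (CVE-2022-24724, pyup.io-48298) outright, and unlike every other deletion in this range it is not re-added elsewhere in the diff, so consumers of this database silently lose a record with no stated reason. The advisory text refers to a "GEM dependency 'commonmarker'", which reads like a Ruby-ecosystem record attached to a PyPI package name, so the removal is plausibly a data correction, but that should be confirmed against the upstream source before it lands. The second hunk in this line removes the determined CVE-2021-41210 entry, which reappears as an insertion in a later hunk; the many swap-style hunks throughout suggest the exporter does not emit entries in a stable order, and sorting each package's list by `id` would keep future diffs limited to genuine additions and removals like this one.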
@@ -33231,9 +33273,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41208",
- "id": "pyup.io-43334",
- "more_info_path": "/vulnerabilities/CVE-2021-41208/43334",
+ "cve": "CVE-2021-41201",
+ "id": "pyup.io-43341",
+ "more_info_path": "/vulnerabilities/CVE-2021-41201/43341",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33241,9 +33283,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41201",
- "id": "pyup.io-43341",
- "more_info_path": "/vulnerabilities/CVE-2021-41201/43341",
+ "cve": "CVE-2021-41226",
+ "id": "pyup.io-43322",
+ "more_info_path": "/vulnerabilities/CVE-2021-41226/43322",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33251,9 +33293,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41209",
- "id": "pyup.io-43325",
- "more_info_path": "/vulnerabilities/CVE-2021-41209/43325",
+ "cve": "CVE-2021-41215",
+ "id": "pyup.io-43333",
+ "more_info_path": "/vulnerabilities/CVE-2021-41215/43333",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33291,9 +33333,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41200",
- "id": "pyup.io-43317",
- "more_info_path": "/vulnerabilities/CVE-2021-41200/43317",
+ "cve": "CVE-2021-41202",
+ "id": "pyup.io-43340",
+ "more_info_path": "/vulnerabilities/CVE-2021-41202/43340",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33301,9 +33343,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41202",
- "id": "pyup.io-43340",
- "more_info_path": "/vulnerabilities/CVE-2021-41202/43340",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-43343",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/43343",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33311,9 +33353,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41195",
- "id": "pyup.io-43343",
- "more_info_path": "/vulnerabilities/CVE-2021-41195/43343",
+ "cve": "CVE-2021-41224",
+ "id": "pyup.io-43330",
+ "more_info_path": "/vulnerabilities/CVE-2021-41224/43330",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33321,9 +33363,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41221",
- "id": "pyup.io-43324",
- "more_info_path": "/vulnerabilities/CVE-2021-41221/43324",
+ "cve": "CVE-2021-41208",
+ "id": "pyup.io-43334",
+ "more_info_path": "/vulnerabilities/CVE-2021-41208/43334",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33331,9 +33373,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41215",
- "id": "pyup.io-43333",
- "more_info_path": "/vulnerabilities/CVE-2021-41215/43333",
+ "cve": "CVE-2021-41209",
+ "id": "pyup.io-43325",
+ "more_info_path": "/vulnerabilities/CVE-2021-41209/43325",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33351,9 +33393,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41219",
- "id": "pyup.io-43320",
- "more_info_path": "/vulnerabilities/CVE-2021-41219/43320",
+ "cve": "CVE-2021-41227",
+ "id": "pyup.io-43323",
+ "more_info_path": "/vulnerabilities/CVE-2021-41227/43323",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33361,9 +33403,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41227",
- "id": "pyup.io-43323",
- "more_info_path": "/vulnerabilities/CVE-2021-41227/43323",
+ "cve": "CVE-2021-41200",
+ "id": "pyup.io-43317",
+ "more_info_path": "/vulnerabilities/CVE-2021-41200/43317",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33391,9 +33433,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41226",
- "id": "pyup.io-43322",
- "more_info_path": "/vulnerabilities/CVE-2021-41226/43322",
+ "cve": "CVE-2021-41221",
+ "id": "pyup.io-43324",
+ "more_info_path": "/vulnerabilities/CVE-2021-41221/43324",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33401,9 +33443,19 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41224",
- "id": "pyup.io-43330",
- "more_info_path": "/vulnerabilities/CVE-2021-41224/43330",
+ "cve": "CVE-2021-41210",
+ "id": "pyup.io-43338",
+ "more_info_path": "/vulnerabilities/CVE-2021-41210/43338",
+ "specs": [
+ "<0.17.4rc0"
+ ],
+ "v": "<0.17.4rc0"
+ },
+ {
+ "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
+ "cve": "CVE-2021-41219",
+ "id": "pyup.io-43320",
+ "more_info_path": "/vulnerabilities/CVE-2021-41219/43320",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33431,9 +33483,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2020-10108",
- "id": "pyup.io-44642",
- "more_info_path": "/vulnerabilities/CVE-2020-10108/44642",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-54970",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/54970",
 "specs": [
 "<0.17.6"
 ],
@@ -33441,9 +33493,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-54970",
- "more_info_path": "/vulnerabilities/CVE-2019-14234/54970",
+ "cve": "CVE-2020-7471",
+ "id": "pyup.io-54968",
+ "more_info_path": "/vulnerabilities/CVE-2020-7471/54968",
 "specs": [
 "<0.17.6"
 ],
@@ -33461,9 +33513,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2020-7471",
- "id": "pyup.io-54968",
- "more_info_path": "/vulnerabilities/CVE-2020-7471/54968",
+ "cve": "CVE-2020-10108",
+ "id": "pyup.io-44642",
+ "more_info_path": "/vulnerabilities/CVE-2020-10108/44642",
 "specs": [
 "<0.17.6"
 ],
@@ -33491,9 +33543,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29216",
- "id": "pyup.io-49560",
- "more_info_path": "/vulnerabilities/CVE-2022-29216/49560",
+ "cve": "CVE-2022-29197",
+ "id": "pyup.io-49544",
+ "more_info_path": "/vulnerabilities/CVE-2022-29197/49544",
 "specs": [
 "<0.18.2"
 ],
@@ -33521,19 +33573,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27775",
- "id": "pyup.io-49531",
- "more_info_path": "/vulnerabilities/CVE-2022-27775/49531",
- "specs": [
- "<0.18.2"
- ],
- "v": "<0.18.2"
- },
- {
- "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29198",
- "id": "pyup.io-49545",
- "more_info_path": "/vulnerabilities/CVE-2022-29198/49545",
+ "cve": "CVE-2022-29212",
+ "id": "pyup.io-49558",
+ "more_info_path": "/vulnerabilities/CVE-2022-29212/49558",
 "specs": [
 "<0.18.2"
 ],
@@ -33541,9 +33583,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29212",
- "id": "pyup.io-49558",
- "more_info_path": "/vulnerabilities/CVE-2022-29212/49558",
+ "cve": "CVE-2022-29199",
+ "id": "pyup.io-49546",
+ "more_info_path": "/vulnerabilities/CVE-2022-29199/49546",
 "specs": [
 "<0.18.2"
 ],
@@ -33561,9 +33603,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29202",
- "id": "pyup.io-49549",
- "more_info_path": "/vulnerabilities/CVE-2022-29202/49549",
+ "cve": "CVE-2022-29209",
+ "id": "pyup.io-49556",
+ "more_info_path": "/vulnerabilities/CVE-2022-29209/49556",
 "specs": [
 "<0.18.2"
 ],
@@ -33571,9 +33613,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29207",
- "id": "pyup.io-49554",
- "more_info_path": "/vulnerabilities/CVE-2022-29207/49554",
+ "cve": "CVE-2022-27776",
+ "id": "pyup.io-49532",
+ "more_info_path": "/vulnerabilities/CVE-2022-27776/49532",
 "specs": [
 "<0.18.2"
 ],
@@ -33581,9 +33623,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29193",
- "id": "pyup.io-49540",
- "more_info_path": "/vulnerabilities/CVE-2022-29193/49540",
+ "cve": "CVE-2022-29200",
+ "id": "pyup.io-49547",
+ "more_info_path": "/vulnerabilities/CVE-2022-29200/49547",
 "specs": [
 "<0.18.2"
 ],
@@ -33591,9 +33633,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29201",
- "id": "pyup.io-49548",
- "more_info_path": "/vulnerabilities/CVE-2022-29201/49548",
+ "cve": "CVE-2022-27780",
+ "id": "pyup.io-49536",
+ "more_info_path": "/vulnerabilities/CVE-2022-27780/49536",
 "specs": [
 "<0.18.2"
 ],
@@ -33601,9 +33643,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27778",
- "id": "pyup.io-49534",
- "more_info_path": "/vulnerabilities/CVE-2022-27778/49534",
+ "cve": "CVE-2022-29193",
+ "id": "pyup.io-49540",
+ "more_info_path": "/vulnerabilities/CVE-2022-29193/49540",
 "specs": [
 "<0.18.2"
 ],
@@ -33611,9 +33653,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29204",
- "id": "pyup.io-49551",
- "more_info_path": "/vulnerabilities/CVE-2022-29204/49551",
+ "cve": "CVE-2022-29196",
+ "id": "pyup.io-49543",
+ "more_info_path": "/vulnerabilities/CVE-2022-29196/49543",
 "specs": [
 "<0.18.2"
 ],
@@ -33631,9 +33673,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29197",
- "id": "pyup.io-49544",
- "more_info_path": "/vulnerabilities/CVE-2022-29197/49544",
+ "cve": "CVE-2022-30115",
+ "id": "pyup.io-49561",
+ "more_info_path": "/vulnerabilities/CVE-2022-30115/49561",
 "specs": [
 "<0.18.2"
 ],
@@ -33641,9 +33683,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27774",
- "id": "pyup.io-49530",
- "more_info_path": "/vulnerabilities/CVE-2022-27774/49530",
+ "cve": "CVE-2022-29198",
+ "id": "pyup.io-49545",
+ "more_info_path": "/vulnerabilities/CVE-2022-29198/49545",
 "specs": [
 "<0.18.2"
 ],
@@ -33651,9 +33693,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-30115",
- "id": "pyup.io-49561",
- "more_info_path": "/vulnerabilities/CVE-2022-30115/49561",
+ "cve": "CVE-2022-27775",
+ "id": "pyup.io-49531",
+ "more_info_path": "/vulnerabilities/CVE-2022-27775/49531",
 "specs": [
 "<0.18.2"
 ],
@@ -33671,9 +33713,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29211",
- "id": "pyup.io-49557",
- "more_info_path": "/vulnerabilities/CVE-2022-29211/49557",
+ "cve": "CVE-2022-29208",
+ "id": "pyup.io-49555",
+ "more_info_path": "/vulnerabilities/CVE-2022-29208/49555",
 "specs": [
 "<0.18.2"
 ],
@@ -33681,9 +33723,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29208",
- "id": "pyup.io-49555",
- "more_info_path": "/vulnerabilities/CVE-2022-29208/49555",
+ "cve": "CVE-2022-29207",
+ "id": "pyup.io-49554",
+ "more_info_path": "/vulnerabilities/CVE-2022-29207/49554",
 "specs": [
 "<0.18.2"
 ],
@@ -33691,9 +33733,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27780",
- "id": "pyup.io-49536",
- "more_info_path": "/vulnerabilities/CVE-2022-27780/49536",
+ "cve": "CVE-2022-27778",
+ "id": "pyup.io-49534",
+ "more_info_path": "/vulnerabilities/CVE-2022-27778/49534",
 "specs": [
 "<0.18.2"
 ],
@@ -33701,9 +33743,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29209",
- "id": "pyup.io-49556",
- "more_info_path": "/vulnerabilities/CVE-2022-29209/49556",
+ "cve": "CVE-2022-29204",
+ "id": "pyup.io-49551",
+ "more_info_path": "/vulnerabilities/CVE-2022-29204/49551",
 "specs": [
 "<0.18.2"
 ],
@@ -33711,9 +33753,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29196",
- "id": "pyup.io-49543",
- "more_info_path": "/vulnerabilities/CVE-2022-29196/49543",
+ "cve": "CVE-2022-29216",
+ "id": "pyup.io-49560",
+ "more_info_path": "/vulnerabilities/CVE-2022-29216/49560",
 "specs": [
 "<0.18.2"
 ],
@@ -33731,9 +33773,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29194",
- "id": "pyup.io-49541",
- "more_info_path": "/vulnerabilities/CVE-2022-29194/49541",
+ "cve": "CVE-2022-29195",
+ "id": "pyup.io-49542",
+ "more_info_path": "/vulnerabilities/CVE-2022-29195/49542",
 "specs": [
 "<0.18.2"
 ],
@@ -33741,9 +33783,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27776",
- "id": "pyup.io-49532",
- "more_info_path": "/vulnerabilities/CVE-2022-27776/49532",
+ "cve": "CVE-2022-29201",
+ "id": "pyup.io-49548",
+ "more_info_path": "/vulnerabilities/CVE-2022-29201/49548",
 "specs": [
 "<0.18.2"
 ],
@@ -33751,9 +33793,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-22576",
- "id": "pyup.io-49529",
- "more_info_path": "/vulnerabilities/CVE-2022-22576/49529",
+ "cve": "CVE-2022-29213",
+ "id": "pyup.io-49559",
+ "more_info_path": "/vulnerabilities/CVE-2022-29213/49559",
 "specs": [
 "<0.18.2"
 ],
@@ -33761,9 +33803,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29200",
- "id": "pyup.io-49547",
- "more_info_path": "/vulnerabilities/CVE-2022-29200/49547",
+ "cve": "CVE-2022-29202",
+ "id": "pyup.io-49549",
+ "more_info_path": "/vulnerabilities/CVE-2022-29202/49549",
 "specs": [
 "<0.18.2"
 ],
@@ -33771,9 +33813,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29213",
- "id": "pyup.io-49559",
- "more_info_path": "/vulnerabilities/CVE-2022-29213/49559",
+ "cve": "CVE-2022-27774",
+ "id": "pyup.io-49530",
+ "more_info_path": "/vulnerabilities/CVE-2022-27774/49530",
 "specs": [
 "<0.18.2"
 ],
@@ -33781,9 +33823,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29199",
- "id": "pyup.io-49546",
- "more_info_path": "/vulnerabilities/CVE-2022-29199/49546",
+ "cve": "CVE-2022-29211",
+ "id": "pyup.io-49557",
+ "more_info_path": "/vulnerabilities/CVE-2022-29211/49557",
 "specs": [
 "<0.18.2"
 ],
@@ -33791,9 +33833,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2018-25032",
- "id": "pyup.io-49422",
- "more_info_path": "/vulnerabilities/CVE-2018-25032/49422",
+ "cve": "CVE-2022-29194",
+ "id": "pyup.io-49541",
+ "more_info_path": "/vulnerabilities/CVE-2022-29194/49541",
 "specs": [
 "<0.18.2"
 ],
@@ -33811,23 +33853,23 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29195",
- "id": "pyup.io-49542",
- "more_info_path": "/vulnerabilities/CVE-2022-29195/49542",
+ "cve": "CVE-2018-25032",
+ "id": "pyup.io-49422",
+ "more_info_path": "/vulnerabilities/CVE-2018-25032/49422",
 "specs": [
 "<0.18.2"
 ],
 "v": "<0.18.2"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'terser' to v4.8.1 to include a security fix.",
- "cve": "CVE-2022-25858",
- "id": "pyup.io-50977",
- "more_info_path": "/vulnerabilities/CVE-2022-25858/50977",
+ "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
+ "cve": "CVE-2022-22576",
+ "id": "pyup.io-49529",
+ "more_info_path": "/vulnerabilities/CVE-2022-22576/49529",
 "specs": [
- "<0.19.3"
+ "<0.18.2"
 ],
- "v": "<0.19.3"
+ "v": "<0.18.2"
 },
 {
 "advisory": "Determined 0.19.3 updates its NPM dependency 'moment' to v2.29.4 to include a security fix.",
@@ -33840,40 +33882,40 @@
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'async' to v2.6.4 to include a security fix.",
- "cve": "CVE-2021-43138",
- "id": "pyup.io-50972",
- "more_info_path": "/vulnerabilities/CVE-2021-43138/50972",
+ "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.",
+ "cve": "CVE-2021-33623",
+ "id": "pyup.io-50978",
+ "more_info_path": "/vulnerabilities/CVE-2021-33623/50978",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0512",
- "id": "pyup.io-50982",
- "more_info_path": "/vulnerabilities/CVE-2022-0512/50982",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.",
+ "cve": "CVE-2022-1650",
+ "id": "pyup.io-50973",
+ "more_info_path": "/vulnerabilities/CVE-2022-1650/50973",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
- "cve": "CVE-2022-0536",
- "id": "pyup.io-50974",
- "more_info_path": "/vulnerabilities/CVE-2022-0536/50974",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'terser' to v4.8.1 to include a security fix.",
+ "cve": "CVE-2022-25858",
+ "id": "pyup.io-50977",
+ "more_info_path": "/vulnerabilities/CVE-2022-25858/50977",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-50971",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/50971",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0691",
+ "id": "pyup.io-50981",
+ "more_info_path": "/vulnerabilities/CVE-2022-0691/50981",
 "specs": [
 "<0.19.3"
 ],
@@ -33881,9 +33923,9 @@
 },
 {
 "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
- "cve": "CVE-2022-0155",
- "id": "pyup.io-50975",
- "more_info_path": "/vulnerabilities/CVE-2022-0155/50975",
+ "cve": "CVE-2022-0536",
+ "id": "pyup.io-50974",
+ "more_info_path": "/vulnerabilities/CVE-2022-0536/50974",
 "specs": [
 "<0.19.3"
 ],
@@ -33900,10 +33942,20 @@
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.",
- "cve": "CVE-2022-1650",
- "id": "pyup.io-50973",
- "more_info_path": "/vulnerabilities/CVE-2022-1650/50973",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0686",
+ "id": "pyup.io-50980",
+ "more_info_path": "/vulnerabilities/CVE-2022-0686/50980",
+ "specs": [
+ "<0.19.3"
+ ],
+ "v": "<0.19.3"
+ },
+ {
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-50971",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/50971",
 "specs": [
 "<0.19.3"
 ],
@@ -33911,29 +33963,29 @@
 },
 {
 "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0691",
- "id": "pyup.io-50981",
- "more_info_path": "/vulnerabilities/CVE-2022-0691/50981",
+ "cve": "CVE-2022-0512",
+ "id": "pyup.io-50982",
+ "more_info_path": "/vulnerabilities/CVE-2022-0512/50982",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.",
- "cve": "CVE-2021-33623",
- "id": "pyup.io-50978",
- "more_info_path": "/vulnerabilities/CVE-2021-33623/50978",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
+ "cve": "CVE-2022-0155",
+ "id": "pyup.io-50975",
+ "more_info_path": "/vulnerabilities/CVE-2022-0155/50975",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0686",
- "id": "pyup.io-50980",
- "more_info_path": "/vulnerabilities/CVE-2022-0686/50980",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'async' to v2.6.4 to include a security fix.",
+ "cve": "CVE-2021-43138",
+ "id": "pyup.io-50972",
+ "more_info_path": "/vulnerabilities/CVE-2021-43138/50972",
 "specs": [
 "<0.19.3"
 ],
@@ -34913,10 +34965,10 @@
 "v": "<1.3.4,>=1.4a1,<1.4.2"
 },
 {
- "advisory": "Django 1.4.11, 1.5.6, 1.6.3 and 1.7b2 include a fix for CVE-2014-0473: The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.\r\nhttps://www.djangoproject.com/weblog/2014/apr/21/security",
- "cve": "CVE-2014-0473",
- "id": "pyup.io-35511",
- "more_info_path": "/vulnerabilities/CVE-2014-0473/35511",
+ "advisory": "Django 1.4.11, 1.5.6, 1.6.3 and 1.7b2 include a fix for CVE-2014-0472: The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\r\nhttps://www.djangoproject.com/weblog/2014/apr/21/security",
+ "cve": "CVE-2014-0472",
+ "id": "pyup.io-35510",
+ "more_info_path": "/vulnerabilities/CVE-2014-0472/35510",
 "specs": [
 "<1.4.11",
 ">=1.5a1,<1.5.6",
@@ -34926,10 +34978,10 @@
 "v": "<1.4.11,>=1.5a1,<1.5.6,>=1.6a1,<1.6.3,>=1.7a1,<1.7b2"
 },
 {
- "advisory": "Django 1.4.11, 1.5.6, 1.6.3 and 1.7b2 include a fix for CVE-2014-0472: The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\r\nhttps://www.djangoproject.com/weblog/2014/apr/21/security",
- "cve": "CVE-2014-0472",
- "id": "pyup.io-35510",
- "more_info_path": "/vulnerabilities/CVE-2014-0472/35510",
+ "advisory": "Django 1.4.11, 1.5.6, 1.6.3 and 1.7b2 include a fix for CVE-2014-0473: The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.\r\nhttps://www.djangoproject.com/weblog/2014/apr/21/security",
+ "cve": "CVE-2014-0473",
+ "id": "pyup.io-35511",
+ "more_info_path": "/vulnerabilities/CVE-2014-0473/35511",
 "specs": [
 "<1.4.11",
 ">=1.5a1,<1.5.6",
@@ -34952,10 +35004,10 @@
 "v": "<1.4.13,>=1.5a1,<1.5.8,>=1.6a1,<1.6.5,>=1.7a1,<1.7b4"
 },
 {
- "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.",
- "cve": "CVE-2014-0482",
- "id": "pyup.io-35515",
- "more_info_path": "/vulnerabilities/CVE-2014-0482/35515",
+ "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.",
+ "cve": "CVE-2014-0483",
+ "id": "pyup.io-35516",
+ "more_info_path": "/vulnerabilities/CVE-2014-0483/35516",
 "specs": [
 "<1.4.14",
 ">=1.5a1,<1.5.9",
@@ -34965,10 +35017,10 @@
 "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
 },
 {
- "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.",
- "cve": "CVE-2014-0483",
- "id": "pyup.io-35516",
- "more_info_path": "/vulnerabilities/CVE-2014-0483/35516",
+ "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.",
+ "cve": "CVE-2014-0482",
+ "id": "pyup.io-35515",
+ "more_info_path": "/vulnerabilities/CVE-2014-0482/35515",
 "specs": [
 "<1.4.14",
 ">=1.5a1,<1.5.9",
@@ -35228,10 +35280,10 @@
 "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1"
 },
 {
- "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
- "cve": "CVE-2021-45452",
- "id": "pyup.io-44426",
- "more_info_path": "/vulnerabilities/CVE-2021-45452/44426",
+ "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
+ "cve": "CVE-2021-45115",
+ "id": "pyup.io-44423",
+ "more_info_path": "/vulnerabilities/CVE-2021-45115/44423",
 "specs": [
 "<2.2.26",
 ">=3.0a1,<3.2.11",
@@ -35240,10 +35292,10 @@
 "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1"
 },
 {
- "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
- "cve": "CVE-2021-45115",
- "id": "pyup.io-44423",
- "more_info_path": "/vulnerabilities/CVE-2021-45115/44423",
+ "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
+ "cve": "CVE-2021-45452",
+ "id": "pyup.io-44426",
+ "more_info_path": "/vulnerabilities/CVE-2021-45452/44426",
 "specs": [
 "<2.2.26",
 ">=3.0a1,<3.2.11",
@@ -35430,10 +35482,10 @@
 "v": "<3.2.25,>=4.0a1,<4.2.11,>=5.0a1,<5.0.3"
 },
 {
- "advisory": "Affected versions of Django are affected by a username enumeration vulnerability caused by timing differences in the django.contrib.auth.backends.ModelBackend.authenticate() method. This method allowed remote attackers to enumerate users through a timing attack involving login requests for users with unusable passwords. The timing difference in the authentication process exposed whether a username was valid or not, potentially aiding attackers in gaining unauthorized access.",
- "cve": "CVE-2024-39329",
- "id": "pyup.io-72109",
- "more_info_path": "/vulnerabilities/CVE-2024-39329/72109",
+ "advisory": "Affected versions of Django are affected by a directory-traversal vulnerability in the Storage.save() method. Derived classes of the django.core.files.storage.Storage base class that overrides the generate_filename() method without replicating the file path validations existing in the parent class could allow for directory traversal via certain inputs when calling save(). This could enable an attacker to manipulate file paths and access unintended directories.",
+ "cve": "CVE-2024-39330",
+ "id": "pyup.io-72110",
+ "more_info_path": "/vulnerabilities/CVE-2024-39330/72110",
 "specs": [
 "<4.2.14",
 ">=5.0a1,<5.0.7"
@@ -35441,10 +35493,10 @@
 "v": "<4.2.14,>=5.0a1,<5.0.7"
 },
 {
- "advisory": "Affected versions of Django are affected by a directory-traversal vulnerability in the Storage.save() method. Derived classes of the django.core.files.storage.Storage base class that overrides the generate_filename() method without replicating the file path validations existing in the parent class could allow for directory traversal via certain inputs when calling save(). This could enable an attacker to manipulate file paths and access unintended directories.",
- "cve": "CVE-2024-39330",
- "id": "pyup.io-72110",
- "more_info_path": "/vulnerabilities/CVE-2024-39330/72110",
+ "advisory": "Affected versions of Django are affected by a username enumeration vulnerability caused by timing differences in the django.contrib.auth.backends.ModelBackend.authenticate() method. This method allowed remote attackers to enumerate users through a timing attack involving login requests for users with unusable passwords. The timing difference in the authentication process exposed whether a username was valid or not, potentially aiding attackers in gaining unauthorized access.",
+ "cve": "CVE-2024-39329",
+ "id": "pyup.io-72109",
+ "more_info_path": "/vulnerabilities/CVE-2024-39329/72109",
 "specs": [
 "<4.2.14",
 ">=5.0a1,<5.0.7"
@@ -35473,6 +35525,50 @@
 ],
 "v": "<4.2.14,>=5.0a1,<5.0.7"
 },
+ {
+ "advisory": "Django has a potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. The urlize and urlizetrunc functions, along with AdminURLFieldWidget, are vulnerable to denial-of-service attacks when handling inputs with a very large number of Unicode characters.",
+ "cve": "CVE-2024-41991",
+ "id": "pyup.io-72520",
+ "more_info_path": "/vulnerabilities/CVE-2024-41991/72520",
+ "specs": [
+ "<4.2.15",
+ ">=5.0a1,<5.0.8"
+ ],
+ "v": "<4.2.15,>=5.0a1,<5.0.8"
+ },
+ {
+ "advisory": "Django has a potential SQL injection vulnerability in the QuerySet.values() and QuerySet.values_list() methods. When used on models with a JSONField, these methods are susceptible to SQL injection through column aliases if a crafted JSON object key is passed as an argument.",
+ "cve": "CVE-2024-42005",
+ "id": "pyup.io-72521",
+ "more_info_path": "/vulnerabilities/CVE-2024-42005/72521",
+ "specs": [
+ "<4.2.15",
+ ">=5.0a1,<5.0.8"
+ ],
+ "v": "<4.2.15,>=5.0a1,<5.0.8"
+ },
+ {
+ "advisory": "Django has a potential denial-of-service vulnerability in django.utils.html.urlize(). The urlize and urlizetrunc functions are susceptible to a possible attack through huge inputs containing a specific sequence of characters.",
+ "cve": "CVE-2024-41990",
+ "id": "pyup.io-72519",
+ "more_info_path": "/vulnerabilities/CVE-2024-41990/72519",
+ "specs": [
+ "<4.2.15",
+ ">=5.0a1,<5.0.8"
+ ],
+ "v": "<4.2.15,>=5.0a1,<5.0.8"
+ },
+ {
+ "advisory": "Django addresses a memory exhaustion issue in django.utils.numberformat.floatformat(). When floatformat receives a string representation of a number in scientific notation with a large exponent, it could lead to excessive memory consumption. 
To prevent this, decimals with more than 200 digits are now returned as-is.",
+ "cve": "CVE-2024-41990",
+ "id": "pyup.io-72515",
+ "more_info_path": "/vulnerabilities/CVE-2024-41990/72515",
+ "specs": [
+ "<4.2.15",
+ ">=5.0a1,<5.0.8"
+ ],
+ "v": "<4.2.15,>=5.0a1,<5.0.8"
+ },
 {
 "advisory": "bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.",
 "cve": "CVE-2007-0404",
@@ -36551,6 +36647,18 @@
 "v": "<5.20.0"
 }
 ],
+ "django-background-tasks": [
+ {
+ "advisory": "Django-background-tasks resolves database race conditions during multi-threading in affected versions by assigning individual database connections to each thread. Unused database connections are now properly closed when a thread starts and when it terminates.",
+ "cve": "PVE-2024-72679",
+ "id": "pyup.io-72679",
+ "more_info_path": "/vulnerabilities/PVE-2024-72679/72679",
+ "specs": [
+ "<1.1.6"
+ ],
+ "v": "<1.1.6"
+ }
+ ],
 "django-basic-auth-ip-whitelist": [
 {
 "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.",
@@ -36978,6 +37086,16 @@
 "<1.3.0"
 ],
 "v": "<1.3.0"
+ },
+ {
+ "advisory": "Django-descope 1.4.0 updates its dependency 'black' to include a security fix.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-72706",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/72706",
+ "specs": [
+ "<1.4.0"
+ ],
+ "v": "<1.4.0"
 }
 ],
 "django-discord-bind": [
@@ -37983,9 +38101,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-25291",
- "id": "pyup.io-45498",
- "more_info_path": "/vulnerabilities/CVE-2021-25291/45498",
+ "cve": "CVE-2021-27922",
+ "id": "pyup.io-45501",
+ "more_info_path": "/vulnerabilities/CVE-2021-27922/45501",
 "specs": [
 "<0.4.3"
 ],
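Review bot: The fourth added Django record (id `pyup.io-72515`, the floatformat memory-exhaustion advisory) carries `"cve": "CVE-2024-41990"`, the identifier the third added record (id `pyup.io-72519`, the urlize advisory) already uses, so its `cve` and `more_info_path` point at a different vulnerability than its advisory text describes and a consumer that keys on the CVE will collapse the two and lose the floatformat entry. That record needs its own identifier, e.g. `"cve": "<CVE-for-floatformat-issue>"` with a matching `"more_info_path": "/vulnerabilities/<CVE-for-floatformat-issue>/72515"`. Separately, the same record's advisory string breaks across a raw line between `excessive memory consumption. ` and `To prevent this`; if that newline is literally in the file rather than a rendering artifact, it is an unescaped control character that RFC 8259 parsers reject, whereas every other advisory in this file writes line breaks as `\r\n`.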
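Review bot: The added `django-background-tasks` record is filed under a vulnerability identifier (`PVE-2024-72679`), but its advisory describes only the remedy (per-thread database connections, closing unused connections at thread start and exit) and never states what the exposure of the race condition was, so a reader cannot tell from the entry whether `<1.1.6` is a security issue or a reliability fix. A leading sentence naming the impact of the race, taken from the upstream fix, would make the entry actionable; I cannot tell from the visible text what that impact is, so it should be confirmed against the upstream change rather than inferred here.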
@@ -37993,9 +38111,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-27922",
- "id": "pyup.io-45501",
- "more_info_path": "/vulnerabilities/CVE-2021-27922/45501",
+ "cve": "CVE-2021-27923",
+ "id": "pyup.io-45502",
+ "more_info_path": "/vulnerabilities/CVE-2021-27923/45502",
 "specs": [
 "<0.4.3"
 ],
@@ -38003,9 +38121,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-27921",
- "id": "pyup.io-45500",
- "more_info_path": "/vulnerabilities/CVE-2021-27921/45500",
+ "cve": "CVE-2021-25292",
+ "id": "pyup.io-45499",
+ "more_info_path": "/vulnerabilities/CVE-2021-25292/45499",
 "specs": [
 "<0.4.3"
 ],
@@ -38013,9 +38131,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-28678",
- "id": "pyup.io-45404",
- "more_info_path": "/vulnerabilities/CVE-2021-28678/45404",
+ "cve": "CVE-2021-25287",
+ "id": "pyup.io-45494",
+ "more_info_path": "/vulnerabilities/CVE-2021-25287/45494",
 "specs": [
 "<0.4.3"
 ],
@@ -38033,9 +38151,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-25287",
- "id": "pyup.io-45494",
- "more_info_path": "/vulnerabilities/CVE-2021-25287/45494",
+ "cve": "CVE-2021-28678",
+ "id": "pyup.io-45404",
+ "more_info_path": "/vulnerabilities/CVE-2021-28678/45404",
 "specs": [
 "<0.4.3"
 ],
@@ -38043,9 +38161,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-27923",
- "id": "pyup.io-45502",
- "more_info_path": "/vulnerabilities/CVE-2021-27923/45502",
+ "cve": "CVE-2021-27921",
+ "id": "pyup.io-45500",
+ "more_info_path": "/vulnerabilities/CVE-2021-27921/45500",
 "specs": [
 "<0.4.3"
 ],
@@ -38053,9 +38171,9 @@
 },
 {
 "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.",
- "cve": "CVE-2021-25292",
- "id": "pyup.io-45499",
- "more_info_path": "/vulnerabilities/CVE-2021-25292/45499",
+ "cve": "CVE-2021-25291",
+ "id": "pyup.io-45498",
+ "more_info_path": "/vulnerabilities/CVE-2021-25291/45498",
 "specs": [
 "<0.4.3"
 ],
@@ -38063,9 +38181,9 @@
 },
 {
 "advisory": "Django-loci 1.0.1 updates its dependency 'pillow' to v9.1.0 to include security fixes.",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-48230",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/48230",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-48223",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/48223",
 "specs": [
 "<1.0.1"
 ],
@@ -38073,9 +38191,9 @@
 },
 {
 "advisory": "Django-loci 1.0.1 updates its dependency 'pillow' to v9.1.0 to include security fixes.",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-48223",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/48223",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-48230",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/48230",
 "specs": [
 "<1.0.1"
 ],
@@ -39322,9 +39440,9 @@
 },
 {
 "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-47776",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/47776",
+ "cve": "CVE-2022-22816",
+ "id": "pyup.io-47779",
+ "more_info_path": "/vulnerabilities/CVE-2022-22816/47779",
 "specs": [
 "<12.0.1"
 ],
@@ -39332,9 +39450,9 @@
 },
 {
 "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-22815",
- "id": "pyup.io-47780",
- "more_info_path": "/vulnerabilities/CVE-2022-22815/47780",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-47776",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/47776",
 "specs": [
 "<12.0.1"
 ],
@@ -39342,9 +39460,9 @@
  },
  {
  "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-22816",
- "id": "pyup.io-47779",
- "more_info_path": "/vulnerabilities/CVE-2022-22816/47779",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-47772",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/47772",
  "specs": [
  "<12.0.1"
  ],
@@ -39352,9 +39470,9 @@
  },
  {
  "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.",
- "cve": "PVE-2021-44525",
- "id": "pyup.io-47777",
- "more_info_path": "/vulnerabilities/PVE-2021-44525/47777",
+ "cve": "CVE-2022-22815",
+ "id": "pyup.io-47780",
+ "more_info_path": "/vulnerabilities/CVE-2022-22815/47780",
  "specs": [
  "<12.0.1"
  ],
@@ -39362,9 +39480,9 @@
  },
  {
  "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-47772",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/47772",
+ "cve": "PVE-2021-44525",
+ "id": "pyup.io-47777",
+ "more_info_path": "/vulnerabilities/PVE-2021-44525/47777",
  "specs": [
  "<12.0.1"
  ],
@@ -40548,20 +40666,20 @@
  ],
  "djblets": [
  {
- "advisory": "Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.",
- "cve": "CVE-2014-3995",
- "id": "pyup.io-35572",
- "more_info_path": "/vulnerabilities/CVE-2014-3995/35572",
+ "advisory": "Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.",
+ "cve": "CVE-2014-3994",
+ "id": "pyup.io-35571",
+ "more_info_path": "/vulnerabilities/CVE-2014-3994/35571",
  "specs": [
  "<0.8.3"
  ],
  "v": "<0.8.3"
  },
  {
- "advisory": "Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.",
- "cve": "CVE-2014-3994",
- "id": "pyup.io-35571",
- "more_info_path": "/vulnerabilities/CVE-2014-3994/35571",
+ "advisory": "Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.",
+ "cve": "CVE-2014-3995",
+ "id": "pyup.io-35572",
+ "more_info_path": "/vulnerabilities/CVE-2014-3995/35572",
  "specs": [
  "<0.8.3"
  ],
@@ -40747,9 +40865,9 @@
  "dnspython": [
  {
  "advisory": "Dnspython 2.6.0 fixes a DoS vulnerability highlighted in the \"TuDoor\" paper (CVE-2023-29483), where spoofed DNS responses could disrupt service. The update prevents denial of service by ignoring malicious packets, allowing the resolver to wait for valid responses until a query's timeout. This mitigation ensures continued service despite attempted attacks, enhancing the resolver's reliability and security.",
- "cve": "PVE-2024-65401",
+ "cve": "CVE-2023-29483",
  "id": "pyup.io-65401",
- "more_info_path": "/vulnerabilities/PVE-2024-65401/65401",
+ "more_info_path": "/vulnerabilities/CVE-2023-29483/65401",
  "specs": [
  "<2.6.0"
  ],
@@ -40811,6 +40929,16 @@
  ],
  "v": "<1.0.12,>=1.1.0,<1.1.113,>=1.2.0,<1.2.65"
  },
+ {
+ "advisory": "Docassemble version 1.4.97 addresses a critical security flaw, impacting versions from 1.4.53 to 1.4.96, where file contents within the filesystem could potentially be exposed. Given the high severity of this issue, users are strongly advised to update to the latest version immediately to secure their systems.",
+ "cve": "PVE-2024-65732",
+ "id": "pyup.io-65732",
+ "more_info_path": "/vulnerabilities/PVE-2024-65732/65732",
+ "specs": [
+ "<1.4.97"
+ ],
+ "v": "<1.4.97"
+ },
  {
  "advisory": "Docassemble version 1.4.97 rectifies a security vulnerability present in versions up to 1.4.96. This flaw allowed for the creation of open redirect URLs.\r\nhttps://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa",
  "cve": "PVE-2024-65739",
@@ -40830,16 +40958,6 @@
  "<1.4.97"
  ],
  "v": "<1.4.97"
- },
- {
- "advisory": "Docassemble version 1.4.97 addresses a critical security flaw, impacting versions from 1.4.53 to 1.4.96, where file contents within the filesystem could potentially be exposed. Given the high severity of this issue, users are strongly advised to update to the latest version immediately to secure their systems.",
- "cve": "PVE-2024-65732",
- "id": "pyup.io-65732",
- "more_info_path": "/vulnerabilities/PVE-2024-65732/65732",
- "specs": [
- "<1.4.97"
- ],
- "v": "<1.4.97"
  }
  ],
  "docassemble-base": [
@@ -41236,6 +41354,28 @@
  "v": "==0.3.0"
  }
  ],
+ "dora-rs": [
+ {
+ "advisory": "Dora-rs 0.2.0\r\n\r\n- **Vulnerability Type** | Race Condition, Vulnerable Dependency \r\n- **Impact** | Potential unauthorized access, DoS\r\n- **Attack Vector** | Network, Exploit of Vulnerable Dependency\r\n- **Affected Functions/Methods** | Not specified \r\n- **Vulnerable Configuration** | Use of vulnerable 'remove_dir_all' dependency\r\n- **Remediation** | Upgrade 'dora' package to version with fixes for race condition and vulnerable dependency\r\n\r\nAnalysis Details:\r\n- Fix provided for known race condition vulnerability 'race condition' \r\n links: https://github.com/dora-rs/dora/pull/202\r\n\r\n - Fix provided to address vulnerable dependency - 'remove_dir_all'\r\n link: https://github.com/dora-rs/dora/pull/202 \r\n\r\nWe have clear confirmation of a race condition vulnerability and vulnerable third-party dependency being addressed.",
+ "cve": "PVE-2024-72877",
+ "id": "pyup.io-72877",
+ "more_info_path": "/vulnerabilities/PVE-2024-72877/72877",
+ "specs": [
+ "<0.2.0"
+ ],
+ "v": "<0.2.0"
+ },
+ {
+ "advisory": "Dora-rs 0.3.3\r\n\r\nGitHub Advisory : https://github.com/advisories/GHSA-r8w9-5wcg-vfj7\r\nPackage: dora \r\n\r\nVulnerability: Medium severity vulnerability in mio crate \r\n\r\nDescription: The dora project updated the mio crate dependency to version 0.8.11 to patch a security vulnerability. The mio crate is a networking library. 
Without further details on the vulnerability, the exact impact is unknown but was serious enough to warrant a patch.\r\n\r\n- **Vulnerability Type | Description (MANDATORY)**: Medium severity vulnerability in mio crate (network library used by dora)\r\n- **Impact (DESIRABLE)**: Unknown without further details \r\n- **Attack Vector (DESIRABLE)**: Unknown \r\n- **Affected Functions | Methods (OPTIONAL)**: Unknown\r\n- **Vulnerable Configuration (OPTIONAL)**: dora crate versions 0.8.10 and prior\r\n- **Exploitability Information (OPTIONAL)**: Unknown\r\n- **Mitigation | Remediation (OPTIONAL)**: Update to dora crate version 0.8.11 or later\r\n- **Explanation on why our information is better that public sources, if that is the case (OPTIONAL)**: Provides analysis and recommendations based on changelog details\r\n\r\nWhile the exact details of the vulnerability are unknown, a medium severity issue was patched by updating from mio crate version 0.8.10 to 0.8.11. Users of the dora crate should update to the latest version to patch this vulnerability, and maintainers should label prior versions as vulnerable.\r\n\r\nRecommendation: Users of the dora crate should update to version 0.8.11 or later. Maintainers of the dora crate should label version 0.8.10 and prior as vulnerable.",
+ "cve": "PVE-2024-72875",
+ "id": "pyup.io-72875",
+ "more_info_path": "/vulnerabilities/PVE-2024-72875/72875",
+ "specs": [
+ "<0.3.3"
+ ],
+ "v": "<0.3.3"
+ }
+ ],
  "dosma": [
  {
  "advisory": "Dosma 0.0.13 includes a security patch for the function 'init' in 'dosma/defaults.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load(). See also: https://github.com/ad12/DOSMA/commit/44457025faac9f09ac0bd26c93185adc612da7dc#",
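Review bot: The second dora-rs record's remediation text contradicts its own `specs`: it tells users that "dora crate versions 0.8.10 and prior" are vulnerable and to "update to dora crate version 0.8.11 or later", but 0.8.10 and 0.8.11 are the mio versions named earlier in the same text, while the range recorded for the package is `<0.3.3`. The text also carries the authoring template's field labels ("(MANDATORY)", "(DESIRABLE)", "(OPTIONAL)", "Explanation on why our information is better that public sources ..."), which are not advisory content. I would reduce it to the form the rest of this file uses, e.g. `"advisory": "Dora-rs 0.3.3 updates its dependency 'mio' to v0.8.11 to include a security fix.\r\nhttps://github.com/advisories/GHSA-r8w9-5wcg-vfj7",`. The first dora-rs record has the same template residue and cites the same pull request under two separate "fix" bullets, so it could be trimmed the same way.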
@@ -42002,7 +42142,7 @@
  "v": ">=0"
  },
  {
- "advisory": "The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure.\r\nhttps://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp",
+ "advisory": "The python-ecdsa library, which implements ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This vulnerability arises because scalar multiplication is not performed in constant time, affecting ECDSA signatures, key generation, and ECDH operations. ECDSA signature verification remains unaffected. The project maintainers have stated that there is no plan to release a fix for this vulnerability, citing their security policy:\r\n\"As stated in the security policy, side-channel vulnerabilities are outside the scope of the project. This is not due to a lack of interest in side-channel secure implementations but rather because the main goal of the project is to be pure Python. Implementing side-channel-free code in pure Python is impossible. Therefore, we do not plan to release a fix for this vulnerability.\"\r\nNOTE: The specs we include in this advisory differ from the publicly available on other sources. That's because research by Safety CLI Cybersecurity Team confirms that there is no plan to address this vulnerability.",
  "cve": "CVE-2024-23342",
  "id": "pyup.io-64459",
  "more_info_path": "/vulnerabilities/CVE-2024-23342/64459",
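Review bot: The rewritten python-ecdsa advisory closes with a NOTE saying its specs differ from other sources but never states the range it actually uses, and this record's `specs`/`v` lines sit below the hunk, so a reader of the text alone cannot tell what is being flagged. Naming the range in the text would make the record self-contained, e.g. replacing the last sentence with `That's because research by Safety CLI Cybersecurity Team confirms that there is no plan to address this vulnerability, so every released version is marked as affected.` if the range is indeed unbounded, or the actual range otherwise. The advisory's link to the upstream GHSA was dropped in the rewrite; keeping the URL would preserve the pointer to the maintainers' statement being quoted.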
@@ -42207,6 +42347,16 @@
  "<1.1.2"
  ],
  "v": "<1.1.2"
+ },
+ {
+ "advisory": "eKuiper affected versions contain a SQL Injection vulnerability in the `Get` and `Delete` methods of `sqlKvStore`. A malicious user can exploit this by injecting arbitrary SQL through the `rule id` parameter, allowing unauthorized execution of SQL queries. This vulnerability is present in several endpoints, including `explainRuleHandler`, `sourceManageHandler`, `asyncTaskCancelHandler`, and `pluginHandler`, potentially leading to data breaches or unauthorized data manipulation.",
+ "cve": "CVE-2024-43406",
+ "id": "pyup.io-72979",
+ "more_info_path": "/vulnerabilities/CVE-2024-43406/72979",
+ "specs": [
+ "<1.14.2"
+ ],
+ "v": "<1.14.2"
  }
  ],
  "elastic-apm": [
@@ -42635,20 +42785,20 @@
  ],
  "embedchain": [
  {
- "advisory": "The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.",
- "cve": "CVE-2024-23732",
- "id": "pyup.io-66692",
- "more_info_path": "/vulnerabilities/CVE-2024-23732/66692",
+ "advisory": "The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.",
+ "cve": "CVE-2024-23731",
+ "id": "pyup.io-66691",
+ "more_info_path": "/vulnerabilities/CVE-2024-23731/66691",
  "specs": [
  "<0.1.57"
  ],
  "v": "<0.1.57"
  },
  {
- "advisory": "The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.",
- "cve": "CVE-2024-23731",
- "id": "pyup.io-66691",
- "more_info_path": "/vulnerabilities/CVE-2024-23731/66691",
+ "advisory": "The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.",
+ "cve": "CVE-2024-23732",
+ "id": "pyup.io-66692",
+ "more_info_path": "/vulnerabilities/CVE-2024-23732/66692",
  "specs": [
  "<0.1.57"
  ],
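Review bot: The new eKuiper record leaves its affected range to be inferred: the text says only "eKuiper affected versions" while `specs` pins `<1.14.2`, so the text should name the fixed release, e.g. `"advisory": "eKuiper versions before 1.14.2 contain a SQL Injection vulnerability in the Get and Delete methods of sqlKvStore. ..."`. The package key this record is appended under is above the hunk, and the components the text names (`sqlKvStore`, the rule and plugin HTTP handlers) are server-side, so if that key is a client or SDK distribution rather than the server itself, it is worth confirming that 1.14.2 is a release of that distribution and not only of the server. The preceding record's `<1.1.2` range in the same array suggests the two may not share a version line.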
@@ -42668,9 +42818,9 @@
  },
  {
  "advisory": "Embedded-topic-model 1.2.0 updates its dependency 'scipy' to versions '>=1.11.*' to include security fixes.",
- "cve": "CVE-2023-29824",
- "id": "pyup.io-61024",
- "more_info_path": "/vulnerabilities/CVE-2023-29824/61024",
+ "cve": "CVE-2023-25399",
+ "id": "pyup.io-61025",
+ "more_info_path": "/vulnerabilities/CVE-2023-25399/61025",
  "specs": [
  "<1.2.0"
  ],
@@ -42678,9 +42828,9 @@
  },
  {
  "advisory": "Embedded-topic-model 1.2.0 updates its dependency 'scipy' to versions '>=1.11.*' to include security fixes.",
- "cve": "CVE-2023-25399",
- "id": "pyup.io-61025",
- "more_info_path": "/vulnerabilities/CVE-2023-25399/61025",
+ "cve": "CVE-2023-29824",
+ "id": "pyup.io-61024",
+ "more_info_path": "/vulnerabilities/CVE-2023-29824/61024",
  "specs": [
  "<1.2.0"
  ],
@@ -43195,20 +43345,20 @@
  "v": "<2.15.1"
  },
  {
- "advisory": "Ethyca's Fides 2.22.1 patches a high-severity SSRF vulnerability (CVE-2023-46124) affecting versions before 2.22.1. This vulnerability allowed attackers with certain API access to make internal system requests that could lead to data breaches. The update is crucial for users with CONNECTOR_TEMPLATE_REGISTER scope and should be applied immediately to secure systems.\r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4",
- "cve": "CVE-2023-46124",
- "id": "pyup.io-63347",
- "more_info_path": "/vulnerabilities/CVE-2023-46124/63347",
+ "advisory": "Ethyca-fides 2.22.1 addresses the moderate severity vulnerability CVE-2023-46126. This issue affected versions of Fides before 2.22.1, where the privacy policy URL field in consent and privacy notices was not properly validated. Malicious users with contributor access or higher could exploit this to execute arbitrary JavaScript on integrated websites. The patch now properly sanitizes input, preventing such attacks. https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83",
+ "cve": "CVE-2023-46126",
+ "id": "pyup.io-63526",
+ "more_info_path": "/vulnerabilities/CVE-2023-46126/63526",
  "specs": [
  "<2.22.1"
  ],
  "v": "<2.22.1"
  },
  {
- "advisory": "Ethyca-fides 2.22.1 addresses the moderate severity vulnerability CVE-2023-46126. This issue affected versions of Fides before 2.22.1, where the privacy policy URL field in consent and privacy notices was not properly validated. Malicious users with contributor access or higher could exploit this to execute arbitrary JavaScript on integrated websites. The patch now properly sanitizes input, preventing such attacks. 
https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83",
- "cve": "CVE-2023-46126",
- "id": "pyup.io-63526",
- "more_info_path": "/vulnerabilities/CVE-2023-46126/63526",
+ "advisory": "Ethyca's Fides 2.22.1 patches a high-severity SSRF vulnerability (CVE-2023-46124) affecting versions before 2.22.1. This vulnerability allowed attackers with certain API access to make internal system requests that could lead to data breaches. The update is crucial for users with CONNECTOR_TEMPLATE_REGISTER scope and should be applied immediately to secure systems.\r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4",
+ "cve": "CVE-2023-46124",
+ "id": "pyup.io-63347",
+ "more_info_path": "/vulnerabilities/CVE-2023-46124/63347",
  "specs": [
  "<2.22.1"
  ],
@@ -43533,10 +43683,10 @@
  "v": "<0.8"
  },
  {
- "advisory": "Evennia 0.8 updates its dependency 'Django' minimum requirement to v1.11 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-9013",
- "id": "pyup.io-52035",
- "more_info_path": "/vulnerabilities/CVE-2016-9013/52035",
+ "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
+ "cve": "CVE-2016-0775",
+ "id": "pyup.io-52041",
+ "more_info_path": "/vulnerabilities/CVE-2016-0775/52041",
  "specs": [
  "<0.8"
  ],
@@ -43544,19 +43694,19 @@
  },
  {
  "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-0740",
- "id": "pyup.io-52040",
- "more_info_path": "/vulnerabilities/CVE-2016-0740/52040",
+ "cve": "CVE-2016-9189",
+ "id": "pyup.io-52037",
+ "more_info_path": "/vulnerabilities/CVE-2016-9189/52037",
  "specs": [
  "<0.8"
  ],
  "v": "<0.8"
  },
  {
- "advisory": "Evennia 0.8 updates its dependency 'Django' minimum requirement to v1.11 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-9014",
- "id": "pyup.io-52034",
- "more_info_path": "/vulnerabilities/CVE-2016-9014/52034",
+ "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
+ "cve": "CVE-2016-4009",
+ "id": "pyup.io-52036",
+ "more_info_path": "/vulnerabilities/CVE-2016-4009/52036",
  "specs": [
  "<0.8"
  ],
@@ -43573,10 +43723,10 @@
  "v": "<0.8"
  },
  {
- "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-4009",
- "id": "pyup.io-52036",
- "more_info_path": "/vulnerabilities/CVE-2016-4009/52036",
+ "advisory": "Evennia 0.8 updates its dependency 'Django' minimum requirement to v1.11 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
+ "cve": "CVE-2016-9014",
+ "id": "pyup.io-52034",
+ "more_info_path": "/vulnerabilities/CVE-2016-9014/52034",
  "specs": [
  "<0.8"
  ],
@@ -43584,19 +43734,19 @@
  },
  {
  "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-9189",
- "id": "pyup.io-52037",
- "more_info_path": "/vulnerabilities/CVE-2016-9189/52037",
+ "cve": "CVE-2016-0740",
+ "id": "pyup.io-52040",
+ "more_info_path": "/vulnerabilities/CVE-2016-0740/52040",
  "specs": [
  "<0.8"
  ],
  "v": "<0.8"
  },
  {
- "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-0775",
- "id": "pyup.io-52041",
- "more_info_path": "/vulnerabilities/CVE-2016-0775/52041",
+ "advisory": "Evennia 0.8 updates its dependency 'Django' minimum requirement to v1.11 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
+ "cve": "CVE-2016-9013",
+ "id": "pyup.io-52035",
+ "more_info_path": "/vulnerabilities/CVE-2016-9013/52035",
  "specs": [
  "<0.8"
  ],
@@ -43624,9 +43774,9 @@
  },
  {
  "advisory": "Evennia 0.9.5 updates its dependency 'twisted' minimum requirement to \">=20.3.0\" to include security fixes.",
- "cve": "CVE-2020-10109",
- "id": "pyup.io-52045",
- "more_info_path": "/vulnerabilities/CVE-2020-10109/52045",
+ "cve": "CVE-2020-10108",
+ "id": "pyup.io-51936",
+ "more_info_path": "/vulnerabilities/CVE-2020-10108/51936",
  "specs": [
  "<0.9.5"
  ],
@@ -43634,9 +43784,9 @@
  },
  {
  "advisory": "Evennia 0.9.5 updates its dependency 'twisted' minimum requirement to \">=20.3.0\" to include security fixes.",
- "cve": "CVE-2020-10108",
- "id": "pyup.io-51936",
- "more_info_path": "/vulnerabilities/CVE-2020-10108/51936",
+ "cve": "CVE-2020-10109",
+ "id": "pyup.io-52045",
+ "more_info_path": "/vulnerabilities/CVE-2020-10109/52045",
  "specs": [
  "<0.9.5"
  ],
@@ -43693,20 +43843,20 @@
  "v": "<3.0.0"
  },
  {
- "advisory": "Evennia 4.0.0 addresses an issue with inefficient regex in the rpsystem, optimizing pattern matching to enhance performance and reduce processing load. This fix significantly improves the efficiency of roleplay system operations.\r\nhttps://github.com/evennia/evennia/commit/3a0b434e422b2dea3e4a34d5dc15fb9e853fe7ff",
- "cve": "PVE-2024-66763",
- "id": "pyup.io-66763",
- "more_info_path": "/vulnerabilities/PVE-2024-66763/66763",
+ "advisory": "Evennia 4.0.0 enhances security on the website character page by implementing URL validation for redirects. \r\nhttps://github.com/evennia/evennia/commit/23b9d06db5e6e8b0e48198dd46b85ce57fd0f10d",
+ "cve": "PVE-2024-66790",
+ "id": "pyup.io-66790",
+ "more_info_path": "/vulnerabilities/PVE-2024-66790/66790",
  "specs": [
  "<4.0.0"
  ],
  "v": "<4.0.0"
  },
  {
- "advisory": "Evennia 4.0.0 enhances security on the website character page by implementing URL validation for redirects. \r\nhttps://github.com/evennia/evennia/commit/23b9d06db5e6e8b0e48198dd46b85ce57fd0f10d",
- "cve": "PVE-2024-66790",
- "id": "pyup.io-66790",
- "more_info_path": "/vulnerabilities/PVE-2024-66790/66790",
+ "advisory": "Evennia 4.0.0 addresses an issue with inefficient regex in the rpsystem, optimizing pattern matching to enhance performance and reduce processing load. This fix significantly improves the efficiency of roleplay system operations.\r\nhttps://github.com/evennia/evennia/commit/3a0b434e422b2dea3e4a34d5dc15fb9e853fe7ff",
+ "cve": "PVE-2024-66763",
+ "id": "pyup.io-66763",
+ "more_info_path": "/vulnerabilities/PVE-2024-66763/66763",
  "specs": [
  "<4.0.0"
  ],
@@ -43795,20 +43945,20 @@
  ],
  "exasol-bucketfs": [
  {
- "advisory": "Exasol-bucketfs 0.12.0 addresses CVE-2024-35195, a vulnerability in the requests package in versions below 2.32.0.",
- "cve": "CVE-2024-35195",
- "id": "pyup.io-72131",
- "more_info_path": "/vulnerabilities/CVE-2024-35195/72131",
+ "advisory": "Exasol-bucketfs 0.12.0 addresses CVE-2024-21503, a vulnerability in the black package that is included as a transitive dependency via exasol-toolbox.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-72123",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/72123",
  "specs": [
  "<0.12.0"
  ],
  "v": "<0.12.0"
  },
  {
- "advisory": "Exasol-bucketfs 0.12.0 addresses CVE-2024-21503, a vulnerability in the black package that is included as a transitive dependency via exasol-toolbox.",
- "cve": "CVE-2024-21503",
- "id": "pyup.io-72123",
- "more_info_path": "/vulnerabilities/CVE-2024-21503/72123",
+ "advisory": "Exasol-bucketfs 0.12.0 addresses CVE-2024-35195, a vulnerability in the requests package in versions below 2.32.0.",
+ "cve": "CVE-2024-35195",
+ "id": "pyup.io-72131",
+ "more_info_path": "/vulnerabilities/CVE-2024-35195/72131",
  "specs": [
  "<0.12.0"
  ],
@@ -43816,9 +43966,9 @@
  },
  {
  "advisory": "Exasol-bucketfs 0.8.0 updates its dependency 'cryptography' to include security fixes.",
- "cve": "CVE-2023-23931",
- "id": "pyup.io-53776",
- "more_info_path": "/vulnerabilities/CVE-2023-23931/53776",
+ "cve": "CVE-2023-0286",
+ "id": "pyup.io-53774",
+ "more_info_path": "/vulnerabilities/CVE-2023-0286/53774",
  "specs": [
  "<0.8.0"
  ],
@@ -43826,9 +43976,9 @@
  },
  {
  "advisory": "Exasol-bucketfs 0.8.0 updates its dependency 'cryptography' to include security fixes.",
- "cve": "CVE-2023-0286",
- "id": "pyup.io-53774",
- "more_info_path": "/vulnerabilities/CVE-2023-0286/53774",
+ "cve": "CVE-2023-23931",
+ "id": "pyup.io-53776",
+ "more_info_path": "/vulnerabilities/CVE-2023-23931/53776",
  "specs": [
  "<0.8.0"
  ],
@@ -44028,16 +44178,6 @@
  }
  ],
  "exiv2": [
- {
- "advisory": "A stack out of bounds read vulnerability exists in Exiv2 library 0.26 within the webp parser.",
- "cve": "CVE-2017-1000126",
- "id": "pyup.io-66886",
- "more_info_path": "/vulnerabilities/CVE-2017-1000126/66886",
- "specs": [
- "==0.26"
- ],
- "v": "==0.26"
- },
  {
  "advisory": "Exiv2 0.26 contains a heap buffer overflow in tiff parser.",
  "cve": "CVE-2017-1000127",
@@ -44058,6 +44198,16 @@
  ],
  "v": "==0.26"
  },
+ {
+ "advisory": "A stack out of bounds read vulnerability exists in Exiv2 library 0.26 within the webp parser.",
+ "cve": "CVE-2017-1000126",
+ "id": "pyup.io-66886",
+ "more_info_path": "/vulnerabilities/CVE-2017-1000126/66886",
+ "specs": [
+ "==0.26"
+ ],
+ "v": "==0.26"
+ },
  {
  "advisory": "Exiv2 (Python bindings to exiv2 C++ library) 0.15.0 and 0.14.1 ship with libexiv2 version 0.28.0, which is affected by CVE-2023-44398: An out-of-bounds write was found in Exiv2 version v0.28.0. The vulnerable function, 'BmffImage::brotliUncompress', is new in v0.28.0, so earlier versions of Exiv2 are _not_ affected. The out-of-bounds write is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.\r\nhttps://github.com/jim-easterbrook/python-exiv2/commit/61c1365e4fcd09aaf391ad1d8435d9fab0715db7\r\nhttps://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r",
  "cve": "CVE-2023-44398",
@@ -44523,20 +44673,20 @@
  "v": "<4.3.1"
  },
  {
- "advisory": "Falocalrepo 4.3.4 updates its dependency 'falocalrepo-server' to v3.2.7 to include a security fix.",
+ "advisory": "Falocalrepo 4.3.4 updates its dependency 'faapi' to v3.7.4 to include a security fix.",
  "cve": "CVE-2022-2309",
- "id": "pyup.io-50174",
- "more_info_path": "/vulnerabilities/CVE-2022-2309/50174",
+ "id": "pyup.io-50141",
+ "more_info_path": "/vulnerabilities/CVE-2022-2309/50141",
  "specs": [
  "<4.3.4"
  ],
  "v": "<4.3.4"
  },
  {
- "advisory": "Falocalrepo 4.3.4 updates its dependency 'faapi' to v3.7.4 to include a security fix.",
+ "advisory": "Falocalrepo 4.3.4 updates its dependency 'falocalrepo-server' to v3.2.7 to include a security fix.",
  "cve": "CVE-2022-2309",
- "id": "pyup.io-50141",
- "more_info_path": "/vulnerabilities/CVE-2022-2309/50141",
+ "id": "pyup.io-50174",
+ "more_info_path": "/vulnerabilities/CVE-2022-2309/50174",
  "specs": [
  "<4.3.4"
  ],
@@ -44595,10 +44745,10 @@
  "v": "<3.2.7"
  },
  {
- "advisory": "Falocalrepo-server 3.3.4 updates its dependency 'fastapi' to v0.103.2 to include a security fix.",
- "cve": "CVE-2023-29159",
- "id": "pyup.io-61806",
- "more_info_path": "/vulnerabilities/CVE-2023-29159/61806",
+ "advisory": "Falocalrepo-server 3.3.4 updates its dependency 'pillow' to v10.0.1 to include a security fix.",
+ "cve": "CVE-2023-4863",
+ "id": "pyup.io-61801",
+ "more_info_path": "/vulnerabilities/CVE-2023-4863/61801",
  "specs": [
  "<3.3.4"
  ],
@@ -44615,10 +44765,10 @@
  "v": "<3.3.4"
  },
  {
- "advisory": "Falocalrepo-server 3.3.4 updates its dependency 'pillow' to v10.0.1 to include a security fix.",
- "cve": "CVE-2023-4863",
- "id": "pyup.io-61801",
- "more_info_path": "/vulnerabilities/CVE-2023-4863/61801",
+ "advisory": "Falocalrepo-server 3.3.4 updates its dependency 'fastapi' to v0.103.2 to include a security fix.",
+ "cve": "CVE-2023-29159",
+ "id": "pyup.io-61806",
+ "more_info_path": "/vulnerabilities/CVE-2023-29159/61806",
  "specs": [
  "<3.3.4"
  ],
@@ -44744,6 +44894,16 @@
  ],
  "v": "<0.65.2"
  },
+ {
+ "advisory": "Fastapi 0.75.2 updates its NPM dependency 'swagger-ui' to include security fixes.",
+ "cve": "CVE-2021-46708",
+ "id": "pyup.io-48161",
+ "more_info_path": "/vulnerabilities/CVE-2021-46708/48161",
+ "specs": [
+ "<0.75.2"
+ ],
+ "v": "<0.75.2"
+ },
  {
  "advisory": "Fastapi 0.75.2 updates its dependency 'ujson' ranges to include a security fix.",
  "cve": "CVE-2021-45958",
@@ -44764,16 +44924,6 @@
  ],
  "v": "<0.75.2"
  },
- {
- "advisory": "Fastapi 0.75.2 updates its NPM dependency 'swagger-ui' to include security fixes.",
- "cve": "CVE-2021-46708",
- "id": "pyup.io-48161",
- "more_info_path": "/vulnerabilities/CVE-2021-46708/48161",
- "specs": [
- "<0.75.2"
- ],
- "v": "<0.75.2"
- },
  {
  "advisory": "Fastapi 0.92.0 updates its dependency 'Starlette' to v0.25.0 to include a security fix.",
  "cve": "CVE-2023-30798",
@@ -44805,6 +44955,18 @@
  "v": "<=0.109.0"
  }
  ],
+ "fastapi-admin": [
+ {
+ "advisory": "A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin, in affected versions, allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Product Name parameter.",
+ "cve": "CVE-2024-42816",
+ "id": "pyup.io-72966",
+ "more_info_path": "/vulnerabilities/CVE-2024-42816/72966",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ }
+ ],
  "fastapi-azure-auth": [
  {
  "advisory": "Fastapi-azure-auth version 4.4.0 migrates from python-jose to PyJWT due to the security vulnerability identified as CVE-2024-33663.",
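Review bot: The new fastapi-admin record marks every version affected (`"specs": [">=0"]`) while its text says only "in affected versions", so a reader cannot tell whether a patched release exists or the range is open because none is recorded. I would say so in the text, e.g. ending it with `... into the Product Name parameter. No fixed release is recorded, so all versions are flagged.`, assuming that is the case. The flask-cors record for CVE-2024-6221 added in a later hunk has the same open range; its text describes a default in a particular release, so if a subsequent release changed that default the range should end there rather than stay `>=0`, and if not, the text should state that no fix is available.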
@@ -45055,20 +45217,20 @@
  "v": "<2.0.0"
  },
  {
- "advisory": "Fastapi-opa has updated `idna` to versions 3.6 and 3.7 due to the CVE-2024-3651.",
- "cve": "CVE-2024-3651",
- "id": "pyup.io-72180",
- "more_info_path": "/vulnerabilities/CVE-2024-3651/72180",
+ "advisory": "Fastapi-opa has updated `cryptography` to versions 42.0.4 and 42.0.8 to address vulnerabilities such as CVE-2024-4603.",
+ "cve": "CVE-2024-4603",
+ "id": "pyup.io-72179",
+ "more_info_path": "/vulnerabilities/CVE-2024-4603/72179",
  "specs": [
  "<2.0.1"
  ],
  "v": "<2.0.1"
  },
  {
- "advisory": "Fastapi-opa has updated `cryptography` to versions 42.0.4 and 42.0.8 to address vulnerabilities such as CVE-2024-4603.",
- "cve": "CVE-2024-4603",
- "id": "pyup.io-72179",
- "more_info_path": "/vulnerabilities/CVE-2024-4603/72179",
+ "advisory": "Fastapi-opa has updated `idna` to versions 3.6 and 3.7 due to the CVE-2024-3651.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-72180",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/72180",
  "specs": [
  "<2.0.1"
  ],
@@ -45373,20 +45535,20 @@
  "v": "<1.0.3"
  },
  {
- "advisory": "Featurebyte version 1.0.3 updates its `orjson` dependency from `^3.8.3` to `^3.9.15` to address the security vulnerability identified in CVE-2024-27454. This update ensures that users are protected from the issues present in the older version of `orjson`.",
- "cve": "CVE-2024-27454",
- "id": "pyup.io-71082",
- "more_info_path": "/vulnerabilities/CVE-2024-27454/71082",
+ "advisory": "Featurebyte version 1.0.3 updates its `cryptography` dependency from `^41.0.3` to `^42.0.4` to address the security vulnerability identified as CVE-2024-26130. This update ensures that users are protected from issues present in the older version of the `cryptography` library.",
+ "cve": "CVE-2024-26130",
+ "id": "pyup.io-71108",
+ "more_info_path": "/vulnerabilities/CVE-2024-26130/71108",
  "specs": [
  "<1.0.3"
  ],
  "v": "<1.0.3"
  },
  {
- "advisory": "Featurebyte version 1.0.3 updates its `cryptography` dependency from `^41.0.3` to `^42.0.4` to address the security vulnerability identified as CVE-2024-26130. This update ensures that users are protected from issues present in the older version of the `cryptography` library.",
- "cve": "CVE-2024-26130",
- "id": "pyup.io-71108",
- "more_info_path": "/vulnerabilities/CVE-2024-26130/71108",
+ "advisory": "Featurebyte version 1.0.3 updates its `orjson` dependency from `^3.8.3` to `^3.9.15` to address the security vulnerability identified in CVE-2024-27454. This update ensures that users are protected from the issues present in the older version of `orjson`.",
+ "cve": "CVE-2024-27454",
+ "id": "pyup.io-71082",
+ "more_info_path": "/vulnerabilities/CVE-2024-27454/71082",
  "specs": [
  "<1.0.3"
  ],
@@ -45612,9 +45774,9 @@
  },
  {
  "advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-50794",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/50794",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-50793",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/50793",
  "specs": [
  "<0.2.0b1"
  ],
@@ -45622,9 +45784,9 @@
  },
  {
  "advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-50784",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/50784",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-50794",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/50794",
  "specs": [
  "<0.2.0b1"
  ],
@@ -45632,9 +45794,9 @@
  },
  {
  "advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-50793",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/50793",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-50784",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/50784",
  "specs": [
  "<0.2.0b1"
  ],
@@ -45999,20 +46161,20 @@
 ],
 "fittrackee": [
 {
- "advisory": "Fittrackee 0.5.7 sets autoescape on jinja templates.\r\nhttps://github.com/SamR1/FitTrackee/pull/152",
- "cve": "PVE-2022-44973",
- "id": "pyup.io-44973",
- "more_info_path": "/vulnerabilities/PVE-2022-44973/44973",
+ "advisory": "Fittrackee 0.5.7 sanitizes input when serving images, map titles and in username.\r\nhttps://github.com/SamR1/FitTrackee/pull/151",
+ "cve": "PVE-2022-45387",
+ "id": "pyup.io-45387",
+ "more_info_path": "/vulnerabilities/PVE-2022-45387/45387",
 "specs": [
 "<0.5.7"
 ],
 "v": "<0.5.7"
 },
 {
- "advisory": "Fittrackee 0.5.7 sanitizes input when serving images, map titles and in username.\r\nhttps://github.com/SamR1/FitTrackee/pull/151",
- "cve": "PVE-2022-45387",
- "id": "pyup.io-45387",
- "more_info_path": "/vulnerabilities/PVE-2022-45387/45387",
+ "advisory": "Fittrackee 0.5.7 sets autoescape on jinja templates.\r\nhttps://github.com/SamR1/FitTrackee/pull/152",
+ "cve": "PVE-2022-44973",
+ "id": "pyup.io-44973",
+ "more_info_path": "/vulnerabilities/PVE-2022-44973/44973",
 "specs": [
 "<0.5.7"
 ],
@@ -46472,6 +46634,16 @@
 ">0"
 ],
 "v": ">0"
+ },
+ {
+ "advisory": "A vulnerability in corydolphin/flask-cors allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behaviour can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, access to sensitive information, and potential network intrusions.",
+ "cve": "CVE-2024-6221",
+ "id": "pyup.io-72731",
+ "more_info_path": "/vulnerabilities/CVE-2024-6221/72731",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
 }
 ],
 "flask-exceptions": [
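Review bot: The new flask-cors record's spec `">=0"` keeps the finding open for every release ever published, including any that ships the fix, while the record immediately above it (the context lines at the top of this hunk) spells the same "all versions" range as `">0"`, so the section now mixes two spellings of one meaning. The other unbounded records added in this commit (gratient, h2o) use `">=0"`, which suggests that is the intended form and the `">0"` neighbour is the outlier. If a fixed release exists, the range should instead be bounded, `"<FIXED_VERSION"` (placeholder) in both `specs` and `v`, so that patched installs stop matching.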
@@ -46685,9 +46857,9 @@
 },
 {
 "advisory": "Flask-restx 1.1.0 updates its NPM dependency 'swagger-ui-dist' to v4.15.0 to include security fixes.",
- "cve": "CVE-2018-25031",
- "id": "pyup.io-53555",
- "more_info_path": "/vulnerabilities/CVE-2018-25031/53555",
+ "cve": "CVE-2021-46708",
+ "id": "pyup.io-53551",
+ "more_info_path": "/vulnerabilities/CVE-2021-46708/53551",
 "specs": [
 "<1.1.0"
 ],
@@ -46695,9 +46867,9 @@
 },
 {
 "advisory": "Flask-restx 1.1.0 updates its NPM dependency 'swagger-ui-dist' to v4.15.0 to include security fixes.",
- "cve": "CVE-2021-46708",
- "id": "pyup.io-53551",
- "more_info_path": "/vulnerabilities/CVE-2021-46708/53551",
+ "cve": "CVE-2018-25031",
+ "id": "pyup.io-53555",
+ "more_info_path": "/vulnerabilities/CVE-2018-25031/53555",
 "specs": [
 "<1.1.0"
 ],
@@ -46725,6 +46897,36 @@
 ],
 "v": "<3.1.0"
 },
+ {
+ "advisory": "In affected versions of Flask-Security, a GET request to /login?include_auth_token returns an authentication token without performing a CSRF check.",
+ "cve": "PVE-2024-72456",
+ "id": "pyup.io-72456",
+ "more_info_path": "/vulnerabilities/PVE-2024-72456/72456",
+ "specs": [
+ "<3.4.5"
+ ],
+ "v": "<3.4.5"
+ },
+ {
+ "advisory": "In affected versions of Flask-Security, a GET request to /tf-qrcode returns the QR code without requiring a CSRF token. If other security measures, such as CORS, fail, an attacker could load this image on a third-party site visited by a logged-in user, allowing them to obtain the TOTP secret and generate valid 2FA codes in the future, as the secret does not change.",
+ "cve": "PVE-2024-72455",
+ "id": "pyup.io-72455",
+ "more_info_path": "/vulnerabilities/PVE-2024-72455/72455",
+ "specs": [
+ "<4.0.0rc2"
+ ],
+ "v": "<4.0.0rc2"
+ },
+ {
+ "advisory": "Reports indicate that all versions of Flask-Security have an open redirect vulnerability. This vulnerability occurs because Flask-Security does not fully check whether a redirect URL is relative or absolute, and modern browsers can 'fill in the blanks' for slightly malformed URLs. As a result, a URL such as http://myapp.com/login?next=\\\\\\github.com can cause many browsers to redirect to github.com after a successful login to your app.",
+ "cve": "PVE-2024-72454",
+ "id": "pyup.io-72454",
+ "more_info_path": "/vulnerabilities/PVE-2024-72454/72454",
+ "specs": [
+ "<4.1.0"
+ ],
+ "v": "<4.1.0"
+ },
 {
 "advisory": "All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\\\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. \r\nNote: Flask-Security is not maintained anymore.",
 "cve": "CVE-2021-23385",
@@ -47152,20 +47354,20 @@
 "v": "<0.30.0"
 },
 {
- "advisory": "Flytekit 1.1.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
- "cve": "CVE-2022-24065",
- "id": "pyup.io-49722",
- "more_info_path": "/vulnerabilities/CVE-2022-24065/49722",
+ "advisory": "Flytekit 1.1.0 updates its dependency 'pillow' to v9.1.1 to include a security fix.",
+ "cve": "CVE-2022-30595",
+ "id": "pyup.io-49721",
+ "more_info_path": "/vulnerabilities/CVE-2022-30595/49721",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Flytekit 1.1.0 updates its dependency 'pillow' to v9.1.1 to include a security fix.",
- "cve": "CVE-2022-30595",
- "id": "pyup.io-49721",
- "more_info_path": "/vulnerabilities/CVE-2022-30595/49721",
+ "advisory": "Flytekit 1.1.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
+ "cve": "CVE-2022-24065",
+ "id": "pyup.io-49722",
+ "more_info_path": "/vulnerabilities/CVE-2022-24065/49722",
 "specs": [
 "<1.1.0"
 ],
@@ -47181,6 +47383,16 @@
 ],
 "v": "<1.2.0"
 },
+ {
+ "advisory": "Flytekit 1.2.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
+ "cve": "CVE-2022-24065",
+ "id": "pyup.io-51331",
+ "more_info_path": "/vulnerabilities/CVE-2022-24065/51331",
+ "specs": [
+ "<1.2.0"
+ ],
+ "v": "<1.2.0"
+ },
 {
 "advisory": "Flytekit 1.2.0 updates its dependency 'mistune' to v2.0.3 to include a security fix.",
 "cve": "CVE-2022-34749",
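Review bot: The new PVE-2024-72454 record states that all versions of Flask-Security have the open redirect but bounds its spec at `"<4.1.0"`, and it describes the same backslash-prefixed `next=` redirect that the pre-existing CVE-2021-23385 record directly below it (the context lines of the flask-security hunk) already covers with an unbounded wording. That reads as a duplicate of one finding under a second id with a conflicting range; either fold it into the existing record or say in the advisory text what distinguishes the two. The fix versions on the three new records (3.4.5, 4.0.0rc2, 4.1.0) also sit oddly beside that record's note that Flask-Security is not maintained anymore; presumably they refer to the maintained fork's release line (Flask-Security-Too), so it is worth confirming the entries are filed under the right distribution before this lands.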
@@ -47212,10 +47424,10 @@
 "v": "<1.2.0"
 },
 {
- "advisory": "Flytekit 1.2.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
- "cve": "CVE-2022-24065",
- "id": "pyup.io-51331",
- "more_info_path": "/vulnerabilities/CVE-2022-24065/51331",
+ "advisory": "Flytekit 1.2.0 updates its dependency 'oauthlib' to v3.2.1 to include a security fix.",
+ "cve": "CVE-2022-36087",
+ "id": "pyup.io-51333",
+ "more_info_path": "/vulnerabilities/CVE-2022-36087/51333",
 "specs": [
 "<1.2.0"
 ],
@@ -47230,16 +47442,6 @@
 "<1.2.0"
 ],
 "v": "<1.2.0"
- },
- {
- "advisory": "Flytekit 1.2.0 updates its dependency 'oauthlib' to v3.2.1 to include a security fix.",
- "cve": "CVE-2022-36087",
- "id": "pyup.io-51333",
- "more_info_path": "/vulnerabilities/CVE-2022-36087/51333",
- "specs": [
- "<1.2.0"
- ],
- "v": "<1.2.0"
 }
 ],
 "fmeval": [
@@ -47514,20 +47716,20 @@
 "v": "<1.3.0a3"
 },
 {
- "advisory": "Fractal-server 1.3.0a3 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723",
- "cve": "CVE-2023-32681",
- "id": "pyup.io-59000",
- "more_info_path": "/vulnerabilities/CVE-2023-32681/59000",
+ "advisory": "Fractal-server 1.3.0a3 updates its dependency 'cryptography' to version '41.0.1' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/739/commits/ec5bbd57acabf5a1fc357cfb96c21e059c619475",
+ "cve": "CVE-2023-2650",
+ "id": "pyup.io-59002",
+ "more_info_path": "/vulnerabilities/CVE-2023-2650/59002",
 "specs": [
 "<1.3.0a3"
 ],
 "v": "<1.3.0a3"
 },
 {
- "advisory": "Fractal-server 1.3.0a3 updates its dependency 'cryptography' to version '41.0.1' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/739/commits/ec5bbd57acabf5a1fc357cfb96c21e059c619475",
- "cve": "CVE-2023-2650",
- "id": "pyup.io-59002",
- "more_info_path": "/vulnerabilities/CVE-2023-2650/59002",
+ "advisory": "Fractal-server 1.3.0a3 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-59000",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/59000",
 "specs": [
 "<1.3.0a3"
 ],
@@ -48161,20 +48363,20 @@
 ],
 "fundaml": [
 {
- "advisory": "Fundaml 0.1.32 updates its dependency 'ipython' to version '8.10.0' to include a fix for a Remote Code Execution vulnerability.\r\nhttps://github.com/tzoght/fundaml/commit/02e60c4d8474aa673f02a65556fef2382fe4cf16",
- "cve": "CVE-2023-24816",
- "id": "pyup.io-59401",
- "more_info_path": "/vulnerabilities/CVE-2023-24816/59401",
+ "advisory": "Fundaml 0.1.32 updates its dependency 'setuptools' to version '65.5.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/tzoght/fundaml/commit/95aeda8943821f08e322cf77b4411047afba861e",
+ "cve": "CVE-2022-40897",
+ "id": "pyup.io-59397",
+ "more_info_path": "/vulnerabilities/CVE-2022-40897/59397",
 "specs": [
 "<0.1.32"
 ],
 "v": "<0.1.32"
 },
 {
- "advisory": "Fundaml 0.1.32 updates its dependency 'setuptools' to version '65.5.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/tzoght/fundaml/commit/95aeda8943821f08e322cf77b4411047afba861e",
- "cve": "CVE-2022-40897",
- "id": "pyup.io-59397",
- "more_info_path": "/vulnerabilities/CVE-2022-40897/59397",
+ "advisory": "Fundaml 0.1.32 updates its dependency 'ipython' to version '8.10.0' to include a fix for a Remote Code Execution vulnerability.\r\nhttps://github.com/tzoght/fundaml/commit/02e60c4d8474aa673f02a65556fef2382fe4cf16",
+ "cve": "CVE-2023-24816",
+ "id": "pyup.io-59401",
+ "more_info_path": "/vulnerabilities/CVE-2023-24816/59401",
 "specs": [
 "<0.1.32"
 ],
@@ -48724,6 +48926,18 @@
 "v": "<1.3.1"
 }
 ],
+ "geonius": [
+ {
+ "advisory": "Geonius fixes a SQL injection vulnerability in affected versions by refactoring SQL queries to enhance security.",
+ "cve": "PVE-2024-72668",
+ "id": "pyup.io-72668",
+ "more_info_path": "/vulnerabilities/PVE-2024-72668/72668",
+ "specs": [
+ "<1.3.0"
+ ],
+ "v": "<1.3.0"
+ }
+ ],
 "geonode": [
 {
 "advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.",
@@ -49052,6 +49266,16 @@
 ],
 "v": "<1.18.0"
 },
+ {
+ "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082",
+ "cve": "CVE-2023-3817",
+ "id": "pyup.io-60443",
+ "more_info_path": "/vulnerabilities/CVE-2023-3817/60443",
+ "specs": [
+ "<1.18.0"
+ ],
+ "v": "<1.18.0"
+ },
 {
 "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for an Insufficient Verification of Data Authenticity vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082",
 "cve": "CVE-2023-3446",
@@ -49063,14 +49287,14 @@
 "v": "<1.18.0"
 },
 {
- "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082",
- "cve": "CVE-2023-3817",
- "id": "pyup.io-60443",
- "more_info_path": "/vulnerabilities/CVE-2023-3817/60443",
+ "advisory": "Ggshield updates `httpx` to version ^0.23 to fix the critical vulnerability CVE-2021-41945.",
+ "cve": "CVE-2021-41945",
+ "id": "pyup.io-72504",
+ "more_info_path": "/vulnerabilities/CVE-2021-41945/72504",
 "specs": [
- "<1.18.0"
+ "<1.30.2"
 ],
- "v": "<1.18.0"
+ "v": "<1.30.2"
 }
 ],
 "ghga-service-commons": [
@@ -49570,20 +49794,20 @@
 "v": "<11.0.1,==12.0.0"
 },
 {
- "advisory": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.",
- "cve": "CVE-2017-7200",
- "id": "pyup.io-67541",
- "more_info_path": "/vulnerabilities/CVE-2017-7200/67541",
+ "advisory": "The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.",
+ "cve": "CVE-2013-1840",
+ "id": "pyup.io-67955",
+ "more_info_path": "/vulnerabilities/CVE-2013-1840/67955",
 "specs": [
 "<13.0.0"
 ],
 "v": "<13.0.0"
 },
 {
- "advisory": "The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.",
- "cve": "CVE-2013-1840",
- "id": "pyup.io-67955",
- "more_info_path": "/vulnerabilities/CVE-2013-1840/67955",
+ "advisory": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.",
+ "cve": "CVE-2017-7200",
+ "id": "pyup.io-67541",
+ "more_info_path": "/vulnerabilities/CVE-2017-7200/67541",
 "specs": [
 "<13.0.0"
 ],
@@ -51197,8 +51421,8 @@
 {
 "advisory": "An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.",
 "cve": "CVE-2024-1561",
- "id": "pyup.io-71889",
- "more_info_path": "/vulnerabilities/CVE-2024-1561/71889",
+ "id": "pyup.io-71654",
+ "more_info_path": "/vulnerabilities/CVE-2024-1561/71654",
 "specs": [
 "<4.13.0"
 ],
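Review bot: The two CVE-2024-1561 gradio records touched in this hunk and the next one are identical in advisory text and spec (`"<4.13.0"`) and differ only in `id`/`more_info_path` (pyup.io-71654 versus pyup.io-71889); the commit merely swaps those ids between them, so after it the file still reports one finding twice for the same version range. Unless the two ids are meant to stand for distinct findings with distinct ranges, one of the records should be dropped, or the surviving one should carry whichever id the `more_info_path` is expected to resolve. The same shape, one CVE with an identical spec under two ids, is visible further down for grpcio's CVE-2023-1428 (pyup.io-59867 and pyup.io-71994, both `"<1.53.0"`), which this commit only reorders.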
@@ -51207,8 +51431,8 @@
 {
 "advisory": "An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.",
 "cve": "CVE-2024-1561",
- "id": "pyup.io-71654",
- "more_info_path": "/vulnerabilities/CVE-2024-1561/71654",
+ "id": "pyup.io-71889",
+ "more_info_path": "/vulnerabilities/CVE-2024-1561/71889",
 "specs": [
 "<4.13.0"
 ],
@@ -51615,6 +51839,18 @@
 "v": "<0.7.0"
 }
 ],
+ "gratient": [
+ {
+ "advisory": "Gratient is a user-facing library for generating colour gradients in text. Affected versions include obfuscated malicious code that targets Windows platforms, harvesting information and credentials from the user's system and transmitting them to a remote server. The affected services may include Mullvad VPN and Telegram.",
+ "cve": "PVE-2024-72961",
+ "id": "pyup.io-72961",
+ "more_info_path": "/vulnerabilities/PVE-2024-72961/72961",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ }
+ ],
 "gretel-client": [
 {
 "advisory": "Gretel-client 0.16.2 updates its dependency 'urllib3' requirement to '>=1.26.5' to include a security fix.",
@@ -51682,16 +51918,6 @@
 ],
 "v": "<1.2.0"
 },
- {
- "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-9431: Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.\r\nhttps://github.com/grpc/grpc/pull/10492/commits/c6ec1155d026c91b1badb07ef1605bb747cff064",
- "cve": "CVE-2017-9431",
- "id": "pyup.io-47264",
- "more_info_path": "/vulnerabilities/CVE-2017-9431/47264",
- "specs": [
- "<1.3.0"
- ],
- "v": "<1.3.0"
- },
 {
 "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-8359: Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.\r\nhttps://github.com/grpc/grpc/pull/10353/commits/aab6992c006be6fb80df73fd9f218365099c016d",
 "cve": "CVE-2017-8359",
@@ -51703,20 +51929,20 @@
 "v": "<1.3.0"
 },
 {
- "advisory": "Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. \r\nhttps://github.com/advisories/GHSA-6628-q6j9-w8vg",
- "cve": "CVE-2023-1428",
- "id": "pyup.io-59867",
- "more_info_path": "/vulnerabilities/CVE-2023-1428/59867",
+ "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-9431: Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.\r\nhttps://github.com/grpc/grpc/pull/10492/commits/c6ec1155d026c91b1badb07ef1605bb747cff064",
+ "cve": "CVE-2017-9431",
+ "id": "pyup.io-47264",
+ "more_info_path": "/vulnerabilities/CVE-2017-9431/47264",
 "specs": [
- "<1.53.0"
+ "<1.3.0"
 ],
- "v": "<1.53.0"
+ "v": "<1.3.0"
 },
 {
- "advisory": "There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.",
- "cve": "CVE-2023-1428",
- "id": "pyup.io-71994",
- "more_info_path": "/vulnerabilities/CVE-2023-1428/71994",
+ "advisory": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.",
+ "cve": "CVE-2023-32731",
+ "id": "pyup.io-71993",
+ "more_info_path": "/vulnerabilities/CVE-2023-32731/71993",
 "specs": [
 "<1.53.0"
 ],
@@ -51733,20 +51959,20 @@
 "v": "<1.53.0"
 },
 {
- "advisory": "gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.",
- "cve": "CVE-2023-32732",
- "id": "pyup.io-71995",
- "more_info_path": "/vulnerabilities/CVE-2023-32732/71995",
+ "advisory": "There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.",
+ "cve": "CVE-2023-1428",
+ "id": "pyup.io-71994",
+ "more_info_path": "/vulnerabilities/CVE-2023-1428/71994",
 "specs": [
 "<1.53.0"
 ],
 "v": "<1.53.0"
 },
 {
- "advisory": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.",
- "cve": "CVE-2023-32731",
- "id": "pyup.io-71993",
- "more_info_path": "/vulnerabilities/CVE-2023-32731/71993",
+ "advisory": "gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.",
+ "cve": "CVE-2023-32732",
+ "id": "pyup.io-71995",
+ "more_info_path": "/vulnerabilities/CVE-2023-32732/71995",
 "specs": [
 "<1.53.0"
 ],
@@ -51762,6 +51988,16 @@
 ],
 "v": "<1.53.0"
 },
+ {
+ "advisory": "Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. \r\nhttps://github.com/advisories/GHSA-6628-q6j9-w8vg",
+ "cve": "CVE-2023-1428",
+ "id": "pyup.io-59867",
+ "more_info_path": "/vulnerabilities/CVE-2023-1428/59867",
+ "specs": [
+ "<1.53.0"
+ ],
+ "v": "<1.53.0"
+ },
 {
 "advisory": "gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.",
 "cve": "CVE-2023-33953",
@@ -52029,6 +52265,16 @@
 ],
 "v": "<19.5.0"
 },
+ {
+ "advisory": "A time-based vulnerability in Gunicorn affected versions allows an attacker to disrupt service by manipulating the system clock, causing premature worker timeouts and potential denial-of-service (DoS) conditions. The issue stems from the use of time.time() in the worker timeout logic, which can be exploited if an attacker gains the ability to change the system time.",
+ "cve": "PVE-2024-72780",
+ "id": "pyup.io-72780",
+ "more_info_path": "/vulnerabilities/PVE-2024-72780/72780",
+ "specs": [
+ "<21.2.0"
+ ],
+ "v": "<21.2.0"
+ },
 {
 "advisory": "Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.",
 "cve": "CVE-2024-1135",
@@ -52038,6 +52284,16 @@
 "<22.0.0"
 ],
 "v": "<22.0.0"
+ },
+ {
+ "advisory": "A vulnerability in Gunicorn allowed the TolerateDangerousFraming setting to process conflicting headers (Transfer-Encoding and Content-Length) and dangerous characters in HTTP header fields. This could lead to HTTP request smuggling and header injection attacks. The issue was resolved by removing this setting and enforcing stricter header validation. \r\nNote: It happens due to an incomplete fix for CVE-2024-1135.",
+ "cve": "PVE-2024-72809",
+ "id": "pyup.io-72809",
+ "more_info_path": "/vulnerabilities/PVE-2024-72809/72809",
+ "specs": [
+ ">=22.0.0,<23.0.0"
+ ],
+ "v": ">=22.0.0,<23.0.0"
 }
 ],
 "gvar": [
@@ -52128,7 +52384,207 @@
 ],
 "h2o": [
 {
- "advisory": "In h2oai/h2o-3 affected versions, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` namespace to be called. One such class, `MojoConvertTool`, crashes the server when invoked with an invalid argument, causing a denial of service.",
+ "advisory": "H2o 3.34.0.7 updates its MAVEN dependency 'log4j' to version 2.17.0 to address critical and severe vulnerabilities. \r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2021-45105",
+ "id": "pyup.io-43439",
+ "more_info_path": "/vulnerabilities/CVE-2021-45105/43439",
+ "specs": [
+ "<3.34.0.7"
+ ],
+ "v": "<3.34.0.7"
+ },
+ {
+ "advisory": "H2o 3.34.0.7 updates its MAVEN dependency 'log4j' to version 2.17.0 to address critical and severe vulnerabilities. \r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-43397",
+ "more_info_path": "/vulnerabilities/CVE-2021-44228/43397",
+ "specs": [
+ "<3.34.0.7"
+ ],
+ "v": "<3.34.0.7"
+ },
+ {
+ "advisory": "H2o 3.34.0.7 updates its MAVEN dependency 'log4j' to version 2.17.0 to address critical and severe vulnerabilities. \r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-43398",
+ "more_info_path": "/vulnerabilities/CVE-2021-45046/43398",
+ "specs": [
+ "<3.34.0.7"
+ ],
+ "v": "<3.34.0.7"
+ },
+ {
+ "advisory": "H2o 3.36.0.1 updates its MAVEN dependency 'log4j' to v2.17.1 to fix a medium severity vulnerability.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2021-44832",
+ "id": "pyup.io-44451",
+ "more_info_path": "/vulnerabilities/CVE-2021-44832/44451",
+ "specs": [
+ "<3.36.0.1"
+ ],
+ "v": "<3.36.0.1"
+ },
+ {
+ "advisory": "H2o 3.36.1.3 updates its MAVEN dependency 'com.google.code.gson:gson' to '2.9.0' to fix CVE-2022-25647.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-25647",
+ "id": "pyup.io-59343",
+ "more_info_path": "/vulnerabilities/CVE-2022-25647/59343",
+ "specs": [
+ "<3.36.1.3"
+ ],
+ "v": "<3.36.1.3"
+ },
+ {
+ "advisory": "H2o 3.38.0.2 updates its MAVEN dependency 'org.apache.commons:commons-text' to '1.10.0' to fix CVE-2022-42889.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-42889",
+ "id": "pyup.io-59339",
+ "more_info_path": "/vulnerabilities/CVE-2022-42889/59339",
+ "specs": [
+ "<3.38.0.2"
+ ],
+ "v": "<3.38.0.2"
+ },
+ {
+ "advisory": "H2o 3.38.0.2 updates its MAVEN dependency 'com.fasterxml.jackson.core:jackson-databind' to '2.13.4.2' to fix CVE-2022-42003.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-42003",
+ "id": "pyup.io-59338",
+ "more_info_path": "/vulnerabilities/CVE-2022-42003/59338",
+ "specs": [
+ "<3.38.0.2"
+ ],
+ "v": "<3.38.0.2"
+ },
+ {
+ "advisory": "H2o 3.38.0.4 updates its dependency 'com.google.cloud:google-cloud-storage' to '2.13.1' to fix CVE-2022-3509.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-3509",
+ "id": "pyup.io-59337",
+ "more_info_path": "/vulnerabilities/CVE-2022-3509/59337",
+ "specs": [
+ "<3.38.0.4"
+ ],
+ "v": "<3.38.0.4"
+ },
+ {
+ "advisory": "H2o 3.42.0.1 updates its MAVEN dependency 'guava' to '32.0.1-jre' to fix CVE-2023-2976.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2023-2976",
+ "id": "pyup.io-59320",
+ "more_info_path": "/vulnerabilities/CVE-2023-2976/59320",
+ "specs": [
+ "<3.42.0.1"
+ ],
+ "v": "<3.42.0.1"
+ },
+ {
+ "advisory": "H2o 3.42.0.3 deletes its MAVEN dependency 'no.priv.garshol.duke:duke', as it has an unfixed code injection vulnerability.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "PVE-2023-60620",
+ "id": "pyup.io-60620",
+ "more_info_path": "/vulnerabilities/PVE-2023-60620/60620",
+ "specs": [
+ "<3.42.0.3"
+ ],
+ "v": "<3.42.0.3"
+ },
+ {
+ "advisory": "H2o 3.44.0.1 updates its MAVEN dependency 'org.codehaus.jettison:jettison' to '1.5.4' to fix CVE-2022-40150.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-40150",
+ "id": "pyup.io-59334",
+ "more_info_path": "/vulnerabilities/CVE-2022-40150/59334",
+ "specs": [
+ "<3.44.0.1"
+ ],
+ "v": "<3.44.0.1"
+ },
+ {
+ "advisory": "H2o 3.44.0.1 updates its MAVEN dependency 'org.codehaus.jettison:jettison' to '1.5.4' to fix CVE-2023-1436.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2023-1436",
+ "id": "pyup.io-59331",
+ "more_info_path": "/vulnerabilities/CVE-2023-1436/59331",
+ "specs": [
+ "<3.44.0.1"
+ ],
+ "v": "<3.44.0.1"
+ },
+ {
+ "advisory": "H2o 3.44.0.1 updates its MAVEN dependency 'net.minidev:json-smart' to '2.4.10' to fix CVE-2023-1370.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2023-1370",
+ "id": "pyup.io-59335",
+ "more_info_path": "/vulnerabilities/CVE-2023-1370/59335",
+ "specs": [
+ "<3.44.0.1"
+ ],
+ "v": "<3.44.0.1"
+ },
+ {
+ "advisory": "H2o 3.44.0.1 updates its MAVEN dependency 'org.codehaus.jettison:jettison' to '1.5.4' to fix CVE-2022-40149.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-40149",
+ "id": "pyup.io-72501",
+ "more_info_path": "/vulnerabilities/CVE-2022-40149/72501",
+ "specs": [
+ "<3.44.0.1"
+ ],
+ "v": "<3.44.0.1"
+ },
+ {
+ "advisory": "H2o 3.44.0.1 updates its MAVEN dependency 'org.codehaus.jettison:jettison' to '1.5.4' to fix CVE-2022-45685.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-45685",
+ "id": "pyup.io-59333",
+ "more_info_path": "/vulnerabilities/CVE-2022-45685/59333",
+ "specs": [
+ "<3.44.0.1"
+ ],
+ "v": "<3.44.0.1"
+ },
+ {
+ "advisory": "H2o 3.44.0.1 updates its MAVEN dependency 'org.codehaus.jettison:jettison' to '1.5.4' to fix CVE-2022-45693.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2022-45693",
+ "id": "pyup.io-59332",
+ "more_info_path": "/vulnerabilities/CVE-2022-45693/59332",
+ "specs": [
+ "<3.44.0.1"
+ ],
+ "v": "<3.44.0.1"
+ },
+ {
+ "advisory": "H2o 3.44.0.2 updates its MAVEN dependency org.python:jython due to a Use After Free vulnerability of com.github.jnr:jnr-posix.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "PVE-2023-63047",
+ "id": "pyup.io-63047",
+ "more_info_path": "/vulnerabilities/PVE-2023-63047/63047",
+ "specs": [
+ "<3.44.0.2"
+ ],
+ "v": "<3.44.0.2"
+ },
+ {
+ "advisory": "H2o 3.46.0.4 updates its MAVEN dependency 'com.fasterxml.jackson.core:jackson-databind' to '2.16.1' to fix PRISMA-2023-0067.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "PVE-2024-72502",
+ "id": "pyup.io-72502",
+ "more_info_path": "/vulnerabilities/PVE-2024-72502/72502",
+ "specs": [
+ "<3.46.0.4"
+ ],
+ "v": "<3.46.0.4"
+ },
+ {
+ "advisory": "H2o 3.46.0.4 updates its MAVEN dependency 'com.fasterxml.jackson.core:jackson-databind' to '2.16.1' to fix CVE-2023-35116.\r\nThe dependency is included in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2023-35116",
+ "id": "pyup.io-72503",
+ "more_info_path": "/vulnerabilities/CVE-2023-35116/72503",
+ "specs": [
+ "<3.46.0.4"
+ ],
+ "v": "<3.46.0.4"
+ },
+ {
+ "advisory": "Affected versions of H2o are vulnerable to External Control of File Name or Path. Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. H2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with \"C1\", if they're exporting as CSV.\r\nThe vulnerable code is found in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2023-6569",
+ "id": "pyup.io-65214",
+ "more_info_path": "/vulnerabilities/CVE-2023-6569/65214",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
+ {
+ "advisory": "Affected versions of H2o are vulnerable to CVE-2024-5979: The 'run_tool' command in the 'rapids' component allows the 'main' function of any class under the 'water.tools' namespace to be called. One such class, 'MojoConvertTool', crashes the server when invoked with an invalid argument, causing a denial of service.\r\nThe vulnerable code is found in /h2o/backend/bin/h2o.jar",
 "cve": "CVE-2024-5979",
 "id": "pyup.io-72091",
 "more_info_path": "/vulnerabilities/CVE-2024-5979/72091",
@@ -52136,6 +52592,16 @@
 ">=0"
 ],
 "v": ">=0"
+ },
+ {
+ "advisory": "Affected versions of H2o are vulnerable to Exposure of Sensitive Information due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.\r\nThe vulnerable code is found in /h2o/backend/bin/h2o.jar",
+ "cve": "CVE-2024-5550",
+ "id": "pyup.io-72522",
+ "more_info_path": "/vulnerabilities/CVE-2024-5550/72522",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
 }
 ],
 "hail": [
@@ -52151,9 +52617,9 @@
 },
 {
 "advisory": "Hail 0.2.80 updates dependencies related to 'log4j' to fix critical and severe vulnerabilities.\r\nhttps://github.com/hail-is/hail/commit/1ad3b9822d4f2d77442d6da93ea4d9ca87796d22",
- "cve": "CVE-2021-44228",
- "id": "pyup.io-43597",
- "more_info_path": "/vulnerabilities/CVE-2021-44228/43597",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-43598",
+ "more_info_path": "/vulnerabilities/CVE-2021-45046/43598",
 "specs": [
 "<0.2.80"
 ],
@@ -52161,9 +52627,9 @@
 },
 {
 "advisory": "Hail 0.2.80 updates dependencies related to 'log4j' to fix critical and severe vulnerabilities.\r\nhttps://github.com/hail-is/hail/commit/1ad3b9822d4f2d77442d6da93ea4d9ca87796d22",
- "cve": "CVE-2021-45046",
- "id": "pyup.io-43598",
- "more_info_path": "/vulnerabilities/CVE-2021-45046/43598",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-43597",
+ "more_info_path": "/vulnerabilities/CVE-2021-44228/43597",
 "specs": [
 "<0.2.80"
 ],
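Review bot: The new CVE-2024-5550 entry uses the spec `>=0` in both `specs` and `v`, which flags every released version as affected and gives a consumer no release to upgrade to. That matches the CVE-2023-6569 and CVE-2024-5979 entries just above it, so it is presumably deliberate, but it means the entry stays open indefinitely unless someone later bounds it. If a fixed h2o release is known, an exclusive upper bound such as `"<FIXED_VERSION>"` (placeholder) in both fields would be more useful than the open range. The enclosing `"h2o"` array begins before this hunk.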
@@ -52832,20 +53298,20 @@ "v": "<2023.8.1" }, { - "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for an Insufficient Verification of Data Authenticity vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", - "cve": "CVE-2023-2975", - "id": "pyup.io-60230", - "more_info_path": "/vulnerabilities/CVE-2023-2975/60230", + "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", + "cve": "CVE-2023-3817", + "id": "pyup.io-60215", + "more_info_path": "/vulnerabilities/CVE-2023-3817/60215", "specs": [ "<2023.8.1" ], "v": "<2023.8.1" }, { - "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", - "cve": "CVE-2023-3817", - "id": "pyup.io-60215", - "more_info_path": "/vulnerabilities/CVE-2023-3817/60215", + "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for an Insufficient Verification of Data Authenticity vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", + "cve": "CVE-2023-2975", + "id": "pyup.io-60230", + "more_info_path": "/vulnerabilities/CVE-2023-2975/60230", "specs": [ "<2023.8.1" ], 
@@ -52872,20 +53338,20 @@ "v": "<2023.9.0" }, { - "advisory": "Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", - "cve": "CVE-2023-41894", - "id": "pyup.io-70403", - "more_info_path": "/vulnerabilities/CVE-2023-41894/70403", + "advisory": "Home assistant is an open source home automation. The audit team\u2019s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim\u2019s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim\u2019s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. 
Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", + "cve": "CVE-2023-41893", + "id": "pyup.io-65361", + "more_info_path": "/vulnerabilities/CVE-2023-41893/65361", "specs": [ "<2023.9.0" ], "v": "<2023.9.0" }, { - "advisory": "Home assistant is an open source home automation. The audit team\u2019s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim\u2019s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim\u2019s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. 
This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", - "cve": "CVE-2023-41893", - "id": "pyup.io-65361", - "more_info_path": "/vulnerabilities/CVE-2023-41893/65361", + "advisory": "Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", + "cve": "CVE-2023-41894", + "id": "pyup.io-70403", + "more_info_path": "/vulnerabilities/CVE-2023-41894/70403", "specs": [ "<2023.9.0" ], 
@@ -52988,20 +53454,20 @@ ], "honeybee-radiance-postprocess": [ { - "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-53623", - "more_info_path": "/vulnerabilities/CVE-2022-40897/53623", + "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'wheel' to v0.38.1 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-53615", + "more_info_path": "/vulnerabilities/CVE-2022-40898/53615", "specs": [ "<0.4.166" ], "v": "<0.4.166" }, { - "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'wheel' to v0.38.1 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-53615", - "more_info_path": "/vulnerabilities/CVE-2022-40898/53615", + "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-53623", + "more_info_path": "/vulnerabilities/CVE-2022-40897/53623", "specs": [ "<0.4.166" ], 
@@ -53287,20 +53753,20 @@ "v": ">2010,<2015.1.1" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console.", - "cve": "CVE-2012-2094", - "id": "pyup.io-68011", - "more_info_path": "/vulnerabilities/CVE-2012-2094/68011", + "advisory": "Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.", + "cve": "CVE-2012-3540", + "id": "pyup.io-68014", + "more_info_path": "/vulnerabilities/CVE-2012-3540/68014", "specs": [ ">2010,<=2012.1" ], "v": ">2010,<=2012.1" }, { - "advisory": "Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.", - "cve": "CVE-2012-3540", - "id": "pyup.io-68014", - "more_info_path": "/vulnerabilities/CVE-2012-3540/68014", + "advisory": "Cross-site scripting (XSS) vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console.", + "cve": "CVE-2012-2094", + "id": "pyup.io-68011", + "more_info_path": "/vulnerabilities/CVE-2012-2094/68011", "specs": [ ">2010,<=2012.1" ], 
@@ -57573,6 +58039,16 @@
 "<0.14.0"
 ],
 "v": "<0.14.0"
+ },
+ {
+ "advisory": "Inference 0.16.0 updates its dependency 'setuptools' to include a security fix.",
+ "cve": "CVE-2024-6345",
+ "id": "pyup.io-72684",
+ "more_info_path": "/vulnerabilities/CVE-2024-6345/72684",
+ "specs": [
+ "<0.16.0"
+ ],
+ "v": "<0.16.0"
 }
 ],
 "influx-prompt": [
@@ -57965,6 +58441,18 @@
 "v": "<1.35.0"
 }
 ],
+ "intel-extension-for-tensorflow": [
+ {
+ "advisory": "Improper buffer restrictions in Intel(R) Optimization for TensorFlow before version 2.13.0 may allow an authenticated user to potentially enable escalation of privilege via local access. See CVE-2023-30767.",
+ "cve": "CVE-2023-30767",
+ "id": "pyup.io-65691",
+ "more_info_path": "/vulnerabilities/CVE-2023-30767/65691",
+ "specs": [
+ "<2.13.0"
+ ],
+ "v": "<2.13.0"
+ }
+ ],
 "intel-extension-for-transformers": [
 {
 "advisory": "Intel-extension-for-transformers 1.2.2 escapes SQL strings for SDL to prevent SQL injections.\r\nhttps://github.com/intel/intel-extension-for-transformers/commit/43e8b9a9ee9fa7b27176fe14505f435f7add3620",
@@ -58030,6 +58518,18 @@
 ],
 "v": "<1.15.0"
 },
+ {
+ "advisory": "Intel-tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2019-13960.",
+ "cve": "CVE-2019-13960",
+ "id": "pyup.io-57063",
+ "more_info_path": "/vulnerabilities/CVE-2019-13960/57063",
+ "specs": [
+ "<1.15.3",
+ ">=2.0.0a0,<2.0.2",
+ ">=2.1.0rc0,<2.1.1"
+ ],
+ "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1"
+ },
 {
 "advisory": "Intel-tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"SQLite\" to handle CVE-2019-19645.",
 "cve": "CVE-2019-19645",
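Review bot: The new inference entry's advisory, `Inference 0.16.0 updates its dependency 'setuptools' to include a security fix.`, names neither the setuptools version that was adopted nor the issue being fixed, so the text alone does not let a reader confirm it is the CVE-2024-6345 fix. Other dependency-bump entries in this file state the version the dependency was raised to (the Lightning entries further down, for example), and the same form would be consistent here: `Inference 0.16.0 updates its dependency 'setuptools' to v<SETUPTOOLS_VERSION> to include a fix for CVE-2024-6345.` with the version taken from the release. In the second hunk on this line, the intel-extension-for-tensorflow advisory ends with `See CVE-2023-30767.`, which only repeats the entry's `cve` field and could be dropped.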
@@ -58090,18 +58590,6 @@ ], "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1" }, - { - "advisory": "Intel-tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2019-13960.", - "cve": "CVE-2019-13960", - "id": "pyup.io-57063", - "more_info_path": "/vulnerabilities/CVE-2019-13960/57063", - "specs": [ - "<1.15.3", - ">=2.0.0a0,<2.0.2", - ">=2.1.0rc0,<2.1.1" - ], - "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1" - }, { "advisory": "Intel-tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"Apache Spark\" to handle CVE-2019-10099.", "cve": "CVE-2019-10099", @@ -65873,19 +66361,6 @@ ], "v": "<2.5.3,>=2.6.0rc0,<2.6.3,>=2.7.0rc0,<2.7.1,>=2.8.0rc0,<2.8.0" }, - { - "advisory": "Intel-tensorflow-avx512 versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", - "cve": "CVE-2022-27780", - "id": "pyup.io-57207", - "more_info_path": "/vulnerabilities/CVE-2022-27780/57207", - "specs": [ - "<2.6.4", - ">=2.7.0rc0,<2.7.2", - ">=2.8.0rc0,<2.8.1", - ">=2.9.0rc0,<2.9.0" - ], - "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" - }, { "advisory": "Intel-tensorflow-avx512 versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27774.", "cve": "CVE-2022-27774", 
@@ -66029,6 +66504,19 @@ ], "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" }, + { + "advisory": "Intel-tensorflow-avx512 versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", + "cve": "CVE-2022-27780", + "id": "pyup.io-57207", + "more_info_path": "/vulnerabilities/CVE-2022-27780/57207", + "specs": [ + "<2.6.4", + ">=2.7.0rc0,<2.7.2", + ">=2.8.0rc0,<2.8.1", + ">=2.9.0rc0,<2.9.0" + ], + "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" + }, { "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29200: Missing validation which causes denial of service via 'LSTMBlockCell'.", "cve": "CVE-2022-29200", @@ -70252,10 +70740,10 @@ "v": "<0.8.0" }, { - "advisory": "Inventree 0.7.2 includes a fix for CVE-2022-2111: Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.", - "cve": "CVE-2022-2111", - "id": "pyup.io-54084", - "more_info_path": "/vulnerabilities/CVE-2022-2111/54084", + "advisory": "Inventree 0.7.2 includes a security fix: Affected versions can have malicious javascript code injected into the users browser by other authenticated users, as data fields retrieved from the database are not properly sanitized before displaying in various front-end views.\r\n- https://huntr.dev/bounties/4cae8442-c042-43c2-ad89-6f666eaf3d57/\r\n- https://huntr.dev/bounties/9d640ef2-c52c-4106-b043-f7497d577078/\r\n- https://huntr.dev/bounties/b114e82f-6c02-485b-82ea-e242f89169c2/\r\n- https://huntr.dev/bounties/22783cd3-1b2c-48fc-b31f-03b53c86da0b/", + "cve": "PVE-2023-55205", + "id": "pyup.io-55205", + "more_info_path": "/vulnerabilities/PVE-2023-55205/55205", "specs": [ ">=0,<0.7.2" ], 
@@ -70272,10 +70760,10 @@ "v": ">=0,<0.7.2" }, { - "advisory": "Inventree 0.7.2 includes a security fix: Affected versions can have malicious javascript code injected into the users browser by other authenticated users, as data fields retrieved from the database are not properly sanitized before displaying in various front-end views.\r\n- https://huntr.dev/bounties/4cae8442-c042-43c2-ad89-6f666eaf3d57/\r\n- https://huntr.dev/bounties/9d640ef2-c52c-4106-b043-f7497d577078/\r\n- https://huntr.dev/bounties/b114e82f-6c02-485b-82ea-e242f89169c2/\r\n- https://huntr.dev/bounties/22783cd3-1b2c-48fc-b31f-03b53c86da0b/", - "cve": "PVE-2023-55205", - "id": "pyup.io-55205", - "more_info_path": "/vulnerabilities/PVE-2023-55205/55205", + "advisory": "Inventree 0.7.2 includes a fix for CVE-2022-2111: Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.", + "cve": "CVE-2022-2111", + "id": "pyup.io-54084", + "more_info_path": "/vulnerabilities/CVE-2022-2111/54084", "specs": [ ">=0,<0.7.2" ], 
@@ -72968,7 +73456,7 @@
 "v": "<3.1.4"
 },
 {
- "advisory": "In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. \r\nNOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.",
+ "advisory": "In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the source parameter as a template object, renders it, and then returns it. The attacker can exploit it with INJECTION COMMANDS in a URI. \r\nNOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.",
 "cve": "CVE-2019-8341",
 "id": "pyup.io-70612",
 "more_info_path": "/vulnerabilities/CVE-2019-8341/70612",
@@ -73218,7 +73706,7 @@
 "v": "<1.2.0"
 },
 {
- "advisory": "Joblib 1.2.0 includes a fix for CVE-2022-21797: The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.\r\nhttps://github.com/joblib/joblib/issues/1128",
+ "advisory": "Affected versions of Joblib are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.",
 "cve": "CVE-2022-21797",
 "id": "pyup.io-51242",
 "more_info_path": "/vulnerabilities/CVE-2022-21797/51242",
@@ -73494,9 +73982,9 @@
 },
 {
 "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.",
- "cve": "CVE-2022-36359",
- "id": "pyup.io-51983",
- "more_info_path": "/vulnerabilities/CVE-2022-36359/51983",
+ "cve": "CVE-2022-28347",
+ "id": "pyup.io-51967",
+ "more_info_path": "/vulnerabilities/CVE-2022-28347/51967",
 "specs": [
 "<1.5.5"
 ],
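Review bot: Removing the double curly braces from the CVE-2019-8341 advisory drops the detail that made the description meaningful: the SSTI payload is a Jinja2 expression, and `exploit it with INJECTION COMMANDS in a URI` no longer says what is injected. If the braces were stripped because a downstream renderer treats `{{ ... }}` as its own placeholder syntax (a plausible reason, though not visible here), the sentence should say it in words rather than lose the fact: `The attacker can exploit it with a Jinja2 expression (double curly braces) in a URI.` The same edit also unquoted the parameter name; `source` is an identifier and reads better set off, e.g. `takes the 'source' parameter`, using single quotes as the other advisories in this file do.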
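Review bot: The rewritten CVE-2022-21797 advisory drops both the affected range (`from 0 and before 1.2.0`) and the upstream reference `https://github.com/joblib/joblib/issues/1128`, so the text no longer tells the reader which release fixes the issue or where the claim can be verified. The range is presumably still encoded in the entry's `specs`/`v` fields, which fall outside this hunk, but the reference link exists nowhere else in the entry, and the other advisories in this file keep their links after a `\r\n`. Suggest keeping it: `Affected versions of Joblib are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.\r\nhttps://github.com/joblib/joblib/issues/1128`.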
@@ -73504,9 +73992,9 @@
 },
 {
 "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.",
- "cve": "CVE-2022-28346",
- "id": "pyup.io-51981",
- "more_info_path": "/vulnerabilities/CVE-2022-28346/51981",
+ "cve": "CVE-2022-36359",
+ "id": "pyup.io-51983",
+ "more_info_path": "/vulnerabilities/CVE-2022-36359/51983",
 "specs": [
 "<1.5.5"
 ],
@@ -73514,9 +74002,9 @@
 },
 {
 "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.",
- "cve": "CVE-2022-28347",
- "id": "pyup.io-51967",
- "more_info_path": "/vulnerabilities/CVE-2022-28347/51967",
+ "cve": "CVE-2022-34265",
+ "id": "pyup.io-51982",
+ "more_info_path": "/vulnerabilities/CVE-2022-34265/51982",
 "specs": [
 "<1.5.5"
 ],
@@ -73524,9 +74012,9 @@
 },
 {
 "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.",
- "cve": "CVE-2022-34265",
- "id": "pyup.io-51982",
- "more_info_path": "/vulnerabilities/CVE-2022-34265/51982",
+ "cve": "CVE-2022-28346",
+ "id": "pyup.io-51981",
+ "more_info_path": "/vulnerabilities/CVE-2022-28346/51981",
 "specs": [
 "<1.5.5"
 ],
@@ -74061,6 +74549,17 @@
 ],
 "v": "<4.1.0"
 },
+ {
+ "advisory": "In jupyterhub affected versions, if a user is granted the `admin:users` scope, they may escalate their privileges by making themselves a full admin user. The impact is relatively small because `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role with unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.",
+ "cve": "CVE-2024-41942",
+ "id": "pyup.io-72556",
+ "more_info_path": "/vulnerabilities/CVE-2024-41942/72556",
+ "specs": [
+ "<4.1.6",
+ ">=5.0.0,<5.1.0"
+ ],
+ "v": "<4.1.6,>=5.0.0,<5.1.0"
+ },
 {
 "advisory": "The maintainers of jupyterhub acknowledge in their changelog notes for version 0.2 that when the environment dictionary is used for authentication as an admin, jupyterhub becomes vulnerable to pre-existing security issues because these environment variables may be passed to the user via the batch submit command.",
 "cve": "PVE-2021-38973",
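Review bot: In the new CVE-2024-41942 entry, `Note that the change here only prevents escalation ...` is copied from the upstream advisory, and `the change here` has no referent once the text sits in this database. The sentence should name the fix instead, e.g. `Note that the fix in the patched releases only prevents escalation to the built-in JupyterHub admin role with unrestricted permissions.`, which also ties it to the two ranges in `specs`. The entry carries no upstream reference either, unlike the many entries in this file that end with a URL after `\r\n`; appending the advisory link (`<UPSTREAM_ADVISORY_URL>` placeholder) would let a reader verify the ranges. The enclosing package array begins before this hunk.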
@@ -74181,6 +74680,17 @@ ], "v": "<3.1.0b2" }, + { + "advisory": "JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab.", + "cve": "CVE-2024-43805", + "id": "pyup.io-72962", + "more_info_path": "/vulnerabilities/CVE-2024-43805/72962", + "specs": [ + "<=3.6.7", + ">=4.0.0,<=4.2.4" + ], + "v": "<=3.6.7,>=4.0.0,<=4.2.4" + }, { "advisory": "Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn\u2019t sanitize the action attribute of html \"
\". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook.\r\nhttps://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx\r\nhttps://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed", "cve": "CVE-2021-32797", @@ -75894,6 +76404,16 @@ "<1.14.0" ], "v": "<1.14.0" + }, + { + "advisory": "Khoj affected versions contain a vulnerability in the Automation feature that allows users to inject arbitrary HTML or JavaScript, leading to Stored Cross-site Scripting (XSS) attacks. This issue occurs because the q parameter in the /api/automation endpoint was not properly sanitized when rendered on the page. Recent commits addressed this by improving input handling and ensuring proper sanitization, preventing the execution of malicious scripts within the application.", + "cve": "CVE-2024-43396", + "id": "pyup.io-72980", + "more_info_path": "/vulnerabilities/CVE-2024-43396/72980", + "specs": [ + "<1.15.0" + ], + "v": "<1.15.0" } ], "khoj-assistant": [ 
@@ -77348,20 +77868,20 @@ "v": "<1.10.1" }, { - "advisory": "Label Studio before 1.11.0 is vulnerable to cross-site scripting (XSS) because it fails to properly sanitize data uploaded via the file upload feature before it is rendered within Choices or Labels tags. This vulnerability allows attackers to inject malicious scripts that could execute within the user's browser session. However, exploitation is contingent upon the attacker having permission to use the \"data import\" function.", - "cve": "CVE-2024-26152", - "id": "pyup.io-66696", - "more_info_path": "/vulnerabilities/CVE-2024-26152/66696", + "advisory": "Label-studio 1.11.0 addresses the CVE-2023-47116 by introducing more exhaustive IP validation for Server Side Request Forgery (SSRF) defenses. This includes banning all IPs within reserved blocks, for both IPv4 and IPv6, by default. The system also allows users to ban additional blocks using USER_ADDITIONAL_BANNED_SUBNETS, or to specify their full list of banned IP blocks themselves using USE_DEFAULT_BANNED_SUBNETS. By default, USE_DEFAULT_BANNED_SUBNETS is set to True. Additionally, the error message has been made more informative when SSRF protection blocks an upload.\r\nhttps://github.com/HumanSignal/label-studio/pull/5316", + "cve": "CVE-2023-47116", + "id": "pyup.io-64822", + "more_info_path": "/vulnerabilities/CVE-2023-47116/64822", "specs": [ "<1.11.0" ], "v": "<1.11.0" }, { - "advisory": "Label-studio 1.11.0 addresses the CVE-2023-47116 by introducing more exhaustive IP validation for Server Side Request Forgery (SSRF) defenses. This includes banning all IPs within reserved blocks, for both IPv4 and IPv6, by default. The system also allows users to ban additional blocks using USER_ADDITIONAL_BANNED_SUBNETS, or to specify their full list of banned IP blocks themselves using USE_DEFAULT_BANNED_SUBNETS. By default, USE_DEFAULT_BANNED_SUBNETS is set to True. 
Additionally, the error message has been made more informative when SSRF protection blocks an upload.\r\nhttps://github.com/HumanSignal/label-studio/pull/5316", - "cve": "CVE-2023-47116", - "id": "pyup.io-64822", - "more_info_path": "/vulnerabilities/CVE-2023-47116/64822", + "advisory": "Label Studio before 1.11.0 is vulnerable to cross-site scripting (XSS) because it fails to properly sanitize data uploaded via the file upload feature before it is rendered within Choices or Labels tags. This vulnerability allows attackers to inject malicious scripts that could execute within the user's browser session. However, exploitation is contingent upon the attacker having permission to use the \"data import\" function.", + "cve": "CVE-2024-26152", + "id": "pyup.io-66696", + "more_info_path": "/vulnerabilities/CVE-2024-26152/66696", "specs": [ "<1.11.0" ], @@ -77462,9 +77982,9 @@ "label-studio-converter": [ { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-28676", - "id": "pyup.io-50644", - "more_info_path": "/vulnerabilities/CVE-2021-28676/50644", + "cve": "CVE-2021-25291", + "id": "pyup.io-50650", + "more_info_path": "/vulnerabilities/CVE-2021-25291/50650", "specs": [ "<0.0.43" ], @@ -77472,9 +77992,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-34552", - "id": "pyup.io-50641", - "more_info_path": "/vulnerabilities/CVE-2021-34552/50641", + "cve": "CVE-2021-25292", + "id": "pyup.io-50651", + "more_info_path": "/vulnerabilities/CVE-2021-25292/50651", "specs": [ "<0.0.43" ], 
@@ -77482,9 +78002,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-25287", - "id": "pyup.io-50646", - "more_info_path": "/vulnerabilities/CVE-2021-25287/50646", + "cve": "CVE-2021-25289", + "id": "pyup.io-50648", + "more_info_path": "/vulnerabilities/CVE-2021-25289/50648", "specs": [ "<0.0.43" ], @@ -77492,9 +78012,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-28677", - "id": "pyup.io-50645", - "more_info_path": "/vulnerabilities/CVE-2021-28677/50645", + "cve": "CVE-2021-25290", + "id": "pyup.io-50649", + "more_info_path": "/vulnerabilities/CVE-2021-25290/50649", "specs": [ "<0.0.43" ], @@ -77512,9 +78032,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-25290", - "id": "pyup.io-50649", - "more_info_path": "/vulnerabilities/CVE-2021-25290/50649", + "cve": "CVE-2021-28677", + "id": "pyup.io-50645", + "more_info_path": "/vulnerabilities/CVE-2021-28677/50645", "specs": [ "<0.0.43" ], @@ -77522,9 +78042,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-25289", - "id": "pyup.io-50648", - "more_info_path": "/vulnerabilities/CVE-2021-25289/50648", + "cve": "CVE-2021-25287", + "id": "pyup.io-50646", + "more_info_path": "/vulnerabilities/CVE-2021-25287/50646", "specs": [ "<0.0.43" ], @@ -77532,9 +78052,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-25292", - "id": "pyup.io-50651", - "more_info_path": "/vulnerabilities/CVE-2021-25292/50651", + "cve": "CVE-2021-34552", + "id": "pyup.io-50641", + "more_info_path": "/vulnerabilities/CVE-2021-34552/50641", "specs": [ "<0.0.43" ], 
@@ -77542,9 +78062,9 @@ }, { "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", - "cve": "CVE-2021-25291", - "id": "pyup.io-50650", - "more_info_path": "/vulnerabilities/CVE-2021-25291/50650", + "cve": "CVE-2021-28676", + "id": "pyup.io-50644", + "more_info_path": "/vulnerabilities/CVE-2021-28676/50644", "specs": [ "<0.0.43" ], @@ -77573,20 +78093,20 @@ ], "labelme2datasets": [ { - "advisory": "Labelme2datasets version 0.0.3 has upgraded its dependency scikit-learn from at least version 0.24.2 to at least version 1.4.2. This update was made in response to the security vulnerability identified in CVE-2020-28975.", - "cve": "CVE-2020-28975", - "id": "pyup.io-70963", - "more_info_path": "/vulnerabilities/CVE-2020-28975/70963", + "advisory": "Labelme2datasets version 0.0.3 has upgraded its dependency from setuptools at least version 58.0.4 to at least version 69.5.1. This update was made in response to the security vulnerability identified in CVE-2022-40897.", + "cve": "CVE-2022-40897", + "id": "pyup.io-70977", + "more_info_path": "/vulnerabilities/CVE-2022-40897/70977", "specs": [ "<0.0.3" ], "v": "<0.0.3" }, { - "advisory": "Labelme2datasets version 0.0.3 has upgraded its dependency from setuptools at least version 58.0.4 to at least version 69.5.1. This update was made in response to the security vulnerability identified in CVE-2022-40897.", - "cve": "CVE-2022-40897", - "id": "pyup.io-70977", - "more_info_path": "/vulnerabilities/CVE-2022-40897/70977", + "advisory": "Labelme2datasets version 0.0.3 has upgraded its dependency scikit-learn from at least version 0.24.2 to at least version 1.4.2. This update was made in response to the security vulnerability identified in CVE-2020-28975.", + "cve": "CVE-2020-28975", + "id": "pyup.io-70963", + "more_info_path": "/vulnerabilities/CVE-2020-28975/70963", "specs": [ "<0.0.3" ], 
@@ -77925,20 +78445,20 @@ "v": "<0.0.247" }, { - "advisory": "Langchain 0.0.247 includes a fix for CVE-2023-36189: SQL injection vulnerability allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.\r\nhttps://github.com/langchain-ai/langchain/issues/5923", - "cve": "CVE-2023-36189", - "id": "pyup.io-60080", - "more_info_path": "/vulnerabilities/CVE-2023-36189/60080", + "advisory": "Langchain 0.0.247 includes a fix for CVE-2023-34541: Arbitrary code execution in load_prompt.\r\nhttps://github.com/hwchase17/langchain/issues/4849\r\nhttps://github.com/langchain-ai/langchain/pull/8425", + "cve": "CVE-2023-34541", + "id": "pyup.io-59347", + "more_info_path": "/vulnerabilities/CVE-2023-34541/59347", "specs": [ "<0.0.247" ], "v": "<0.0.247" }, { - "advisory": "Langchain 0.0.247 includes a fix for CVE-2023-34541: Arbitrary code execution in load_prompt.\r\nhttps://github.com/hwchase17/langchain/issues/4849\r\nhttps://github.com/langchain-ai/langchain/pull/8425", - "cve": "CVE-2023-34541", - "id": "pyup.io-59347", - "more_info_path": "/vulnerabilities/CVE-2023-34541/59347", + "advisory": "Langchain 0.0.247 includes a fix for CVE-2023-36189: SQL injection vulnerability allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.\r\nhttps://github.com/langchain-ai/langchain/issues/5923", + "cve": "CVE-2023-36189", + "id": "pyup.io-60080", + "more_info_path": "/vulnerabilities/CVE-2023-36189/60080", "specs": [ "<0.0.247" ], 
@@ -78015,7 +78535,7 @@
 "v": "<0.1.0"
 },
 {
- "advisory": "Langchain 0.1.12 addresses path traversal vulnerability CVE-2024-28088 by deprecating certain functionality in its recursive URL loader, enhancing security against unsanitized user input exploitation.\r\nhttps://github.com/langchain-ai/langchain/pull/18600",
+ "advisory": "Langchain addresses path traversal vulnerability CVE-2024-28088 by deprecating certain functionality in its recursive URL loader, enhancing security against unsanitized user input exploitation.\r\nhttps://github.com/langchain-ai/langchain/pull/18600",
 "cve": "CVE-2024-28088",
 "id": "pyup.io-66051",
 "more_info_path": "/vulnerabilities/CVE-2024-28088/66051",
@@ -79418,10 +79938,10 @@
 ],
 "lightning": [
 {
- "advisory": "Lightning 2.0.4 updates its dependency 'ipython' to version '8.14.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/98e1aabd0c711e508d33f599265de011ca5dfba8",
- "cve": "CVE-2023-24816",
- "id": "pyup.io-59170",
- "more_info_path": "/vulnerabilities/CVE-2023-24816/59170",
+ "advisory": "Lightning 2.0.4 updates its dependency 'redis' to version '4.5.5' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/0831e138c02e492bdd384be99079d949c93b1e8e",
+ "cve": "CVE-2023-28858",
+ "id": "pyup.io-59186",
+ "more_info_path": "/vulnerabilities/CVE-2023-28858/59186",
 "specs": [
 "<2.0.4"
 ],
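Review bot: The rewritten `advisory` for CVE-2024-28088 in the first hunk drops the release number (`Langchain 0.1.12 addresses …` becomes `Langchain addresses …`), so the text no longer tells a reader which version carries the fix, and the record's `specs`/`v` lines fall outside the hunk, so the diff does not show whether the range was changed to match. If the number was removed because it was found to be wrong, the version range should be corrected in the same refresh and the text could read `Langchain <FIXED_VERSION> addresses …` with the confirmed release substituted; if it was right, the previous wording was the more useful one.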
@@ -79438,20 +79958,20 @@
 "v": "<2.0.4"
 },
 {
- "advisory": "Lightning 2.0.4 updates its dependency 'requests' to '2.31.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/37be44d2a3804dad52f0d4e4dcc5419bcb48391f",
- "cve": "CVE-2023-32681",
- "id": "pyup.io-59187",
- "more_info_path": "/vulnerabilities/CVE-2023-32681/59187",
+ "advisory": "Lightning 2.0.4 updates its dependency 'ipython' to version '8.14.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/98e1aabd0c711e508d33f599265de011ca5dfba8",
+ "cve": "CVE-2023-24816",
+ "id": "pyup.io-59170",
+ "more_info_path": "/vulnerabilities/CVE-2023-24816/59170",
 "specs": [
 "<2.0.4"
 ],
 "v": "<2.0.4"
 },
 {
- "advisory": "Lightning 2.0.4 updates its dependency 'redis' to version '4.5.5' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/0831e138c02e492bdd384be99079d949c93b1e8e",
- "cve": "CVE-2023-28858",
- "id": "pyup.io-59186",
- "more_info_path": "/vulnerabilities/CVE-2023-28858/59186",
+ "advisory": "Lightning 2.0.4 updates its dependency 'requests' to '2.31.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/37be44d2a3804dad52f0d4e4dcc5419bcb48391f",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-59187",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/59187",
 "specs": [
 "<2.0.4"
 ],
@@ -79490,20 +80010,20 @@
 ],
 "lilac": [
 {
- "advisory": "Lilac 0.3.7 upgrades its pyarrow dependency to version ^13.0.0 from ^14.0.1 in response to CVE-2023-47248.\r\nhttps://github.com/lilacai/lilac/pull/1191/commits/493dd721e01019185fa62beb0c162286d24dbbbe",
- "cve": "CVE-2023-47248",
- "id": "pyup.io-65676",
- "more_info_path": "/vulnerabilities/CVE-2023-47248/65676",
+ "advisory": "Lilac 0.3.7 upgrades its pillow dependency to version ^10.2.0 from ^9.3.0 in response to CVE-2023-50447.\r\nhttps://github.com/lilacai/lilac/pull/1191/commits/493dd721e01019185fa62beb0c162286d24dbbbe",
+ "cve": "CVE-2023-50447",
+ "id": "pyup.io-65642",
+ "more_info_path": "/vulnerabilities/CVE-2023-50447/65642",
 "specs": [
 "<0.3.7"
 ],
 "v": "<0.3.7"
 },
 {
- "advisory": "Lilac 0.3.7 upgrades its pillow dependency to version ^10.2.0 from ^9.3.0 in response to CVE-2023-50447.\r\nhttps://github.com/lilacai/lilac/pull/1191/commits/493dd721e01019185fa62beb0c162286d24dbbbe",
- "cve": "CVE-2023-50447",
- "id": "pyup.io-65642",
- "more_info_path": "/vulnerabilities/CVE-2023-50447/65642",
+ "advisory": "Lilac 0.3.7 upgrades its pyarrow dependency to version ^13.0.0 from ^14.0.1 in response to CVE-2023-47248.\r\nhttps://github.com/lilacai/lilac/pull/1191/commits/493dd721e01019185fa62beb0c162286d24dbbbe",
+ "cve": "CVE-2023-47248",
+ "id": "pyup.io-65676",
+ "more_info_path": "/vulnerabilities/CVE-2023-47248/65676",
 "specs": [
 "<0.3.7"
 ],
@@ -79690,20 +80210,20 @@
 "v": "<0.1.11"
 },
 {
- "advisory": "Lintegrate 0.1.11 updates its dependency 'numpy' to versions '>=1.21' to include security fixes.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-44758",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/44758",
+ "advisory": "Lintegrate 0.1.11 updates its dependency 'numpy' to v>=1.21 to include security fixes.",
+ "cve": "CVE-2019-6446",
+ "id": "pyup.io-44709",
+ "more_info_path": "/vulnerabilities/CVE-2019-6446/44709",
 "specs": [
 "<0.1.11"
 ],
 "v": "<0.1.11"
 },
 {
- "advisory": "Lintegrate 0.1.11 updates its dependency 'numpy' to v>=1.21 to include security fixes.",
- "cve": "CVE-2019-6446",
- "id": "pyup.io-44709",
- "more_info_path": "/vulnerabilities/CVE-2019-6446/44709",
+ "advisory": "Lintegrate 0.1.11 updates its dependency 'numpy' to versions '>=1.21' to include security fixes.",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-44758",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/44758",
 "specs": [
 "<0.1.11"
 ],
@@ -79834,20 +80354,20 @@
 "v": ">=0"
 },
 {
- "advisory": "A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`.",
- "cve": "CVE-2024-4264",
- "id": "pyup.io-71722",
- "more_info_path": "/vulnerabilities/CVE-2024-4264/71722",
+ "advisory": "A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database.",
+ "cve": "CVE-2024-4890",
+ "id": "pyup.io-71721",
+ "more_info_path": "/vulnerabilities/CVE-2024-4890/71721",
 "specs": [
 ">=0"
 ],
 "v": ">=0"
 },
 {
- "advisory": "A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database.",
- "cve": "CVE-2024-4890",
- "id": "pyup.io-71721",
- "more_info_path": "/vulnerabilities/CVE-2024-4890/71721",
+ "advisory": "A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`.",
+ "cve": "CVE-2024-4264",
+ "id": "pyup.io-71722",
+ "more_info_path": "/vulnerabilities/CVE-2024-4264/71722",
 "specs": [
 ">=0"
 ],
@@ -79855,6 +80375,16 @@
 }
 ],
 "litestar": [
+ {
+ "advisory": "Litestar, an Asynchronous Server Gateway Interface (ASGI) framework, is vulnerable in affected versions due to an Environment Variable injection flaw in its `docs-preview.yml` workflow. This vulnerability could lead to secret exfiltration and repository manipulation, allowing a malicious actor to write issues, read metadata, and create pull requests. Additionally, the `DOCS_PREVIEW_DEPLOY_TOKEN` may be exposed to the attacker.",
+ "cve": "CVE-2024-42370",
+ "id": "pyup.io-72610",
+ "more_info_path": "/vulnerabilities/CVE-2024-42370/72610",
+ "specs": [
+ "<=2.10.0"
+ ],
+ "v": "<=2.10.0"
+ },
 {
 "advisory": "Affected versions of Litestar are vulnerable to Path Traversal. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.",
 "cve": "CVE-2024-32982",
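Review bot: The new litestar record flags `<=2.10.0` for CVE-2024-42370, yet its own `advisory` text places the flaw in the repository's `docs-preview.yml` workflow and names the `DOCS_PREVIEW_DEPLOY_TOKEN` as the asset at risk; a CI workflow file is not shipped in a wheel or sdist, so, as far as the text shows, an installed litestar carries none of the affected code. Every consumer pinning `litestar<=2.10.0` will therefore receive a finding they cannot act on by upgrading, with nothing to distinguish it from the path-traversal record that follows in the same array. If the database intentionally carries repository-level advisories, a field marking them as such, or a sentence in `advisory` stating that installed packages are not affected, would let scanners weight them appropriately.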
@@ -79989,6 +80519,16 @@
 }
 ],
 "llama-index-core": [
+ {
+ "advisory": "A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.",
+ "cve": "CVE-2024-3098",
+ "id": "pyup.io-71653",
+ "more_info_path": "/vulnerabilities/CVE-2024-3098/71653",
+ "specs": [
+ "<0.10.24"
+ ],
+ "v": "<0.10.24"
+ },
 {
 "advisory": "A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.",
 "cve": "CVE-2024-3271",
@@ -80000,14 +80540,14 @@
 "v": "<0.10.24"
 },
 {
- "advisory": "A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.",
- "cve": "CVE-2024-3098",
- "id": "pyup.io-71653",
- "more_info_path": "/vulnerabilities/CVE-2024-3098/71653",
+ "advisory": "Llama-index-core affected versions contain a vulnerability related to the use of exec() in the download_integration function. This issue allows for the potential execution of arbitrary code if an attacker can manipulate the input parameters. The vulnerability is mitigated by replacing the exec() function with a safer method using importlib.util",
+ "cve": "CVE-2024-45201",
+ "id": "pyup.io-72972",
+ "more_info_path": "/vulnerabilities/CVE-2024-45201/72972",
 "specs": [
- "<0.10.24"
+ "<0.10.38"
 ],
- "v": "<0.10.24"
+ "v": "<0.10.38"
 }
 ],
 "llama-index-llms-rungpt": [
@@ -80714,20 +81254,20 @@
 ],
 "logprep": [
 {
- "advisory": "Logprep 7.0.0 updates its dependency 'aiohttp' to include a security fix.",
- "cve": "CVE-2023-37276",
- "id": "pyup.io-61805",
- "more_info_path": "/vulnerabilities/CVE-2023-37276/61805",
+ "advisory": "Logprep 7.0.0 updates its dependency 'certifi' to include a security fix.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-61802",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/61802",
 "specs": [
 "<7.0.0"
 ],
 "v": "<7.0.0"
 },
 {
- "advisory": "Logprep 7.0.0 updates its dependency 'certifi' to include a security fix.",
- "cve": "CVE-2023-37920",
- "id": "pyup.io-61802",
- "more_info_path": "/vulnerabilities/CVE-2023-37920/61802",
+ "advisory": "Logprep 7.0.0 updates its dependency 'aiohttp' to include a security fix.",
+ "cve": "CVE-2023-37276",
+ "id": "pyup.io-61805",
+ "more_info_path": "/vulnerabilities/CVE-2023-37276/61805",
 "specs": [
 "<7.0.0"
 ],
@@ -81311,6 +81851,16 @@
 ],
 "v": "<0.9.62"
 },
+ {
+ "advisory": "Mage-ai 0.9.62 has updated its GitPython dependency from 3.1.34 to 3.1.41 to address the security issue identified as CVE-2024-22190.",
+ "cve": "CVE-2024-22190",
+ "id": "pyup.io-65070",
+ "more_info_path": "/vulnerabilities/CVE-2024-22190/65070",
+ "specs": [
+ "<0.9.62"
+ ],
+ "v": "<0.9.62"
+ },
 {
 "advisory": "Mage-ai 0.9.62 has updated its pyarrow dependency from 10.0.1 to 14.0.1 to address the security issue identified as CVE-2019-12410.",
 "cve": "CVE-2019-12410",
@@ -81331,16 +81881,6 @@
 ],
 "v": "<0.9.62"
 },
- {
- "advisory": "Mage-ai 0.9.62 has updated its GitPython dependency from 3.1.34 to 3.1.41 to address the security issue identified as CVE-2024-22190.",
- "cve": "CVE-2024-22190",
- "id": "pyup.io-65070",
- "more_info_path": "/vulnerabilities/CVE-2024-22190/65070",
- "specs": [
- "<0.9.62"
- ],
- "v": "<0.9.62"
- },
 {
 "advisory": "Mage-ai version 0.9.65 updates its Jinja2 dependency to 3.1.3 from the previous 3.1.2 in response to the security vulnerability CVE-2024-22195.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
 "cve": "CVE-2024-22195",
@@ -81361,6 +81901,56 @@
 ],
 "v": "<0.9.65"
 },
+ {
+ "advisory": "Mage AI has a path traversal vulnerability that allows remote users with the \"Viewer\" role to access and leak arbitrary files from the Mage server through the \"File Content\" request.",
+ "cve": "CVE-2024-45188",
+ "id": "pyup.io-72968",
+ "more_info_path": "/vulnerabilities/CVE-2024-45188/72968",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
+ {
+ "advisory": "In the Mage AI framework, guest users who remain logged in after their accounts are deleted are mistakenly granted elevated privileges, including the ability to remotely execute arbitrary code via the Mage AI terminal server.",
+ "cve": "CVE-2024-45187",
+ "id": "pyup.io-72967",
+ "more_info_path": "/vulnerabilities/CVE-2024-45187/72967",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
+ {
+ "advisory": "Mage AI contains a path traversal vulnerability that enables remote users with the \"Viewer\" role to access and leak arbitrary files from the Mage server via the \"Git Content\" request.",
+ "cve": "CVE-2024-45189",
+ "id": "pyup.io-72969",
+ "more_info_path": "/vulnerabilities/CVE-2024-45189/72969",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
+ {
+ "advisory": "Mage AI has a path traversal vulnerability that allows remote users with the \"Viewer\" role to leak arbitrary files from the Mage server via the \"Pipeline Interaction\" request.",
+ "cve": "CVE-2024-45190",
+ "id": "pyup.io-72970",
+ "more_info_path": "/vulnerabilities/CVE-2024-45190/72970",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
+ {
+ "advisory": "Mage AI allows remote, unauthenticated attackers to access and leak the terminal server command history of arbitrary users.",
+ "cve": "CVE-2024-8072",
+ "id": "pyup.io-72973",
+ "more_info_path": "/vulnerabilities/CVE-2024-8072/72973",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
 {
 "advisory": "mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue.",
 "cve": "CVE-2023-31143",
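Review bot: All five Mage AI records added in this hunk (CVE-2024-45187, CVE-2024-45188, CVE-2024-45189, CVE-2024-45190 and CVE-2024-8072) carry `"specs": [">=0"]`, which flags every version ever published with no upper bound. That encoding is correct only if no fixed release existed when the export was taken; if upstream has since shipped a fix, the range should be closed as `">=0,<FIXED_VERSION"` (with the confirmed release substituted), the way the other Mage-ai records in this array bound theirs, otherwise users on a patched build keep receiving a finding they cannot resolve. Three of the records describe file reads by the `Viewer` role and one describes unauthenticated access to terminal command history, so the open-ended range over-reports rather than under-reports, but it should still be revisited on the next refresh. The enclosing `mage-ai` array begins before this hunk.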
@@ -83026,20 +83616,20 @@
 "v": "<1.25.0"
 },
 {
- "advisory": "Matrix-synapse 1.27.0 includes a fix for CVE-2021-21333: In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker.",
- "cve": "CVE-2021-21333",
- "id": "pyup.io-40107",
- "more_info_path": "/vulnerabilities/CVE-2021-21333/40107",
+ "advisory": "Matrix-synapse 1.27.0 includes a fix for CVE-2021-21332: In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.",
+ "cve": "CVE-2021-21332",
+ "id": "pyup.io-40106",
+ "more_info_path": "/vulnerabilities/CVE-2021-21332/40106",
 "specs": [
 "<1.27.0"
 ],
 "v": "<1.27.0"
 },
 {
- "advisory": "Matrix-synapse 1.27.0 includes a fix for CVE-2021-21332: In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.",
- "cve": "CVE-2021-21332",
- "id": "pyup.io-40106",
- "more_info_path": "/vulnerabilities/CVE-2021-21332/40106",
+ "advisory": "Matrix-synapse 1.27.0 includes a fix for CVE-2021-21333: In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker.",
+ "cve": "CVE-2021-21333",
+ "id": "pyup.io-40107",
+ "more_info_path": "/vulnerabilities/CVE-2021-21333/40107",
 "specs": [
 "<1.27.0"
 ],
@@ -83708,6 +84298,16 @@
 ],
 "v": ">=0,<3.2.4"
 },
+ {
+ "advisory": "Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.",
+ "cve": "CVE-2016-3069",
+ "id": "pyup.io-54114",
+ "more_info_path": "/vulnerabilities/CVE-2016-3069/54114",
+ "specs": [
+ ">=0,<3.7.3"
+ ],
+ "v": ">=0,<3.7.3"
+ },
 {
 "advisory": "The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.",
 "cve": "CVE-2016-3630",
@@ -83728,16 +84328,6 @@
 ],
 "v": ">=0,<3.7.3"
 },
- {
- "advisory": "Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.",
- "cve": "CVE-2016-3069",
- "id": "pyup.io-54114",
- "more_info_path": "/vulnerabilities/CVE-2016-3069/54114",
- "specs": [
- ">=0,<3.7.3"
- ],
- "v": ">=0,<3.7.3"
- },
 {
 "advisory": "The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.",
 "cve": "CVE-2016-3105",
@@ -83789,20 +84379,20 @@
 "v": ">=0,<4.5.1"
 },
 {
- "advisory": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.",
- "cve": "CVE-2018-13347",
- "id": "pyup.io-54003",
- "more_info_path": "/vulnerabilities/CVE-2018-13347/54003",
+ "advisory": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.",
+ "cve": "CVE-2018-13348",
+ "id": "pyup.io-54004",
+ "more_info_path": "/vulnerabilities/CVE-2018-13348/54004",
 "specs": [
 ">=0,<4.6.1"
 ],
 "v": ">=0,<4.6.1"
 },
 {
- "advisory": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.",
- "cve": "CVE-2018-13348",
- "id": "pyup.io-54004",
- "more_info_path": "/vulnerabilities/CVE-2018-13348/54004",
+ "advisory": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.",
+ "cve": "CVE-2018-13347",
+ "id": "pyup.io-54003",
+ "more_info_path": "/vulnerabilities/CVE-2018-13347/54003",
 "specs": [
 ">=0,<4.6.1"
 ],
@@ -83935,20 +84525,20 @@
 ],
 "metricflow": [
 {
- "advisory": "Metricflow 0.100.0 updates its dependency 'snowflake-connector-python' to 2.7.8 to include a security fix.",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-50267",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/50267",
+ "advisory": "Metricflow 0.100.0 updates its dependency 'numpy' to v1.22.2 to include a security fix.",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-50258",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/50258",
 "specs": [
 "<0.100.0"
 ],
 "v": "<0.100.0"
 },
 {
- "advisory": "Metricflow 0.100.0 updates its dependency 'numpy' to v1.22.2 to include a security fix.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-50258",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/50258",
+ "advisory": "Metricflow 0.100.0 updates its dependency 'snowflake-connector-python' to 2.7.8 to include a security fix.",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-50267",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/50267",
 "specs": [
 "<0.100.0"
 ],
@@ -84186,9 +84776,9 @@
 "microstructpy": [
 {
 "advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-50914",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/50914",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-50871",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/50871",
 "specs": [
 "<1.5.4"
 ],
@@ -84196,9 +84786,9 @@
 },
 {
 "advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-50915",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/50915",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-50914",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/50914",
 "specs": [
 "<1.5.4"
 ],
@@ -84206,9 +84796,9 @@
 },
 {
 "advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-50871",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/50871",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-50915",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/50915",
 "specs": [
 "<1.5.4"
 ],
@@ -84396,16 +84986,6 @@
 ],
 "v": "<0.5.0beta"
 },
- {
- "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13434.",
- "cve": "CVE-2020-13434",
- "id": "pyup.io-40840",
- "more_info_path": "/vulnerabilities/CVE-2020-13434/40840",
- "specs": [
- "<0.5.0beta"
- ],
- "v": "<0.5.0beta"
- },
 {
 "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13630.",
 "cve": "CVE-2020-13630",
@@ -84417,10 +84997,10 @@
 "v": "<0.5.0beta"
 },
 {
- "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13871.",
- "cve": "CVE-2020-13871",
- "id": "pyup.io-40833",
- "more_info_path": "/vulnerabilities/CVE-2020-13871/40833",
+ "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13434.",
+ "cve": "CVE-2020-13434",
+ "id": "pyup.io-40840",
+ "more_info_path": "/vulnerabilities/CVE-2020-13434/40840",
 "specs": [
 "<0.5.0beta"
 ],
@@ -84456,6 +85036,16 @@
 ],
 "v": "<0.5.0beta"
 },
+ {
+ "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13871.",
+ "cve": "CVE-2020-13871",
+ "id": "pyup.io-40833",
+ "more_info_path": "/vulnerabilities/CVE-2020-13871/40833",
+ "specs": [
+ "<0.5.0beta"
+ ],
+ "v": "<0.5.0beta"
+ },
 {
 "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13435.",
 "cve": "CVE-2020-13435",
@@ -84689,6 +85279,28 @@
 "v": "<1.4.5"
 }
 ],
+ "misp-modules": [
+ {
+ "advisory": "Misp-modules 2.4.106 updates its dependency 'urllib3' to include a security fix.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-72797",
+ "more_info_path": "/vulnerabilities/CVE-2019-11324/72797",
+ "specs": [
+ "<2.4.106"
+ ],
+ "v": "<2.4.106"
+ },
+ {
+ "advisory": "Misp-modules 2.4.114 prevents symlink attacks.",
+ "cve": "PVE-2024-72793",
+ "id": "pyup.io-72793",
+ "more_info_path": "/vulnerabilities/PVE-2024-72793/72793",
+ "specs": [
+ "<2.4.114"
+ ],
+ "v": "<2.4.114"
+ }
+ ],
 "mistral": [
 {
 "advisory": "Mistral 7.0.1 includes a fix for CVE-2018-16849: By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.",
@@ -85034,6 +85646,16 @@
 ],
 "v": "<9.1.13"
 },
+ {
+ "advisory": "MKDocs Material addresses an RXSS vulnerability found in deep links within search results.",
+ "cve": "PVE-2024-72715",
+ "id": "pyup.io-72715",
+ "more_info_path": "/vulnerabilities/PVE-2024-72715/72715",
+ "specs": [
+ "<9.5.32"
+ ],
+ "v": "<9.5.32"
+ },
 {
 "advisory": "Mkdocs-material 9.5.5 includes a change in its dependency on Pillow. Previously set to approximately version 9.4, it has now been updated to version 10.22. This change was made in response to the security vulnerability identified as CVE-2023-504477.\r\nhttps://github.com/squidfunk/mkdocs-material/commit/fe11bc0cabd692d37bc4cc4e8034dbe6783ef36b",
 "cve": "CVE-2023-50447",
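Review bot: The two PVE records added here — `PVE-2024-72793` (`Misp-modules 2.4.114 prevents symlink attacks.`) and `PVE-2024-72715` (the MkDocs Material RXSS in search-result deep links) — carry a one-sentence `advisory` with no reference, whereas neighbouring CVE records append the upstream commit or advisory URL after `\r\n`. Without a link a reader cannot check what "symlink attacks" covers in misp-modules, which deep-link handling the mkdocs-material fix changes, or whether the `<2.4.114` and `<9.5.32` bounds match the release that actually shipped the fix; the generator should append the source in the same `\r\nhttps://<UPSTREAM_REFERENCE>` form the rest of the file uses. Separately, the unchanged mkdocs-material context record just below reads `CVE-2023-504477` in its text while its `cve` field is `CVE-2023-50447`; the extra digit looks like a typo in the source data and is worth correcting in the same refresh.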
@@ -85366,16 +85988,6 @@
 ],
 "v": "<2.9.2"
 },
- {
- "advisory": "A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to sanitize user-supplied paths properly. The issue is present on affected versions, despite attempts to fix a similar issue in CVE-2023-6831.",
- "cve": "CVE-2024-1560",
- "id": "pyup.io-71588",
- "more_info_path": "/vulnerabilities/CVE-2024-1560/71588",
- "specs": [
- "<2.9.2"
- ],
- "v": "<2.9.2"
- },
 {
 "advisory": "mlflow 2.9.2 addresses an Improper Neutralization of Special Elements Used in a Template Engine.\r\nhttps://github.com/mlflow/mlflow/pull/10640/commits/930eb808c6394360d1aa217a9eaa33891c1d244d",
 "cve": "CVE-2023-6709",
@@ -85396,6 +86008,16 @@
 ],
 "v": "<2.9.2"
 },
+ {
+ "advisory": "A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to sanitize user-supplied paths properly. The issue is present on affected versions, despite attempts to fix a similar issue in CVE-2023-6831.",
+ "cve": "CVE-2024-1560",
+ "id": "pyup.io-71588",
+ "more_info_path": "/vulnerabilities/CVE-2024-1560/71588",
+ "specs": [
+ "<2.9.2"
+ ],
+ "v": "<2.9.2"
+ },
 {
 "advisory": "An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.\r\nhttps://github.com/mlflow/mlflow/pull/10526/commits/e4f71857f9f5013e240538656ba1171a7419db6d",
 "cve": "CVE-2023-43472",
@@ -85436,16 +86058,6 @@
 ],
 "v": ">=0,<2.9.2"
 },
- {
- "advisory": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.",
- "cve": "CVE-2023-6909",
- "id": "pyup.io-65217",
- "more_info_path": "/vulnerabilities/CVE-2023-6909/65217",
- "specs": [
- ">=0,<2.9.2"
- ],
- "v": ">=0,<2.9.2"
- },
 {
 "advisory": "This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.",
 "cve": "CVE-2023-6976",
@@ -85466,6 +86078,16 @@
 ],
 "v": ">=0,<2.9.2"
 },
+ {
+ "advisory": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.",
+ "cve": "CVE-2023-6909",
+ "id": "pyup.io-65217",
+ "more_info_path": "/vulnerabilities/CVE-2023-6909/65217",
+ "specs": [
+ ">=0,<2.9.2"
+ ],
+ "v": ">=0,<2.9.2"
+ },
 {
 "advisory": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.",
 "cve": "CVE-2023-6831",
@@ -85632,20 +86254,20 @@
 "v": "<0.9.0rc7"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-49217",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/49217",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
+ "cve": "CVE-2021-37712",
+ "id": "pyup.io-49212",
+ "more_info_path": "/vulnerabilities/CVE-2021-37712/49212",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds \"notebook~=6.4\" to requirements to tackle vulnerabilities.",
- "cve": "CVE-2022-24758",
- "id": "pyup.io-49215",
- "more_info_path": "/vulnerabilities/CVE-2022-24758/49215",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
+ "cve": "CVE-2021-23343",
+ "id": "pyup.io-49207",
+ "more_info_path": "/vulnerabilities/CVE-2021-23343/49207",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85653,9 +86275,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-32803",
- "id": "pyup.io-49210",
- "more_info_path": "/vulnerabilities/CVE-2021-32803/49210",
+ "cve": "CVE-2021-3918",
+ "id": "pyup.io-49171",
+ "more_info_path": "/vulnerabilities/CVE-2021-3918/49171",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85663,9 +86285,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2022-23219",
- "id": "pyup.io-49178",
- "more_info_path": "/vulnerabilities/CVE-2022-23219/49178",
+ "cve": "CVE-2021-33503",
+ "id": "pyup.io-49213",
+ "more_info_path": "/vulnerabilities/CVE-2021-33503/49213",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85673,9 +86295,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-32797",
- "id": "pyup.io-49174",
- "more_info_path": "/vulnerabilities/CVE-2021-32797/49174",
+ "cve": "CVE-2021-3326",
+ "id": "pyup.io-49179",
+ "more_info_path": "/vulnerabilities/CVE-2021-3326/49179",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85691,16 +86313,6 @@
 ],
 "v": "<1.0.3rc1"
 },
- {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-3999",
- "id": "pyup.io-49188",
- "more_info_path": "/vulnerabilities/CVE-2021-3999/49188",
- "specs": [
- "<1.0.3rc1"
- ],
- "v": "<1.0.3rc1"
- },
 {
 "advisory": "Mlrun 1.0.3rc1 adds \"notebook~=6.4\" to requirements to tackle vulnerabilities.",
 "cve": "CVE-2021-32798",
@@ -85713,19 +86325,19 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2022-23218",
- "id": "pyup.io-49180",
- "more_info_path": "/vulnerabilities/CVE-2022-23218/49180",
+ "cve": "CVE-2021-27645",
+ "id": "pyup.io-49177",
+ "more_info_path": "/vulnerabilities/CVE-2021-27645/49177",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-27645",
- "id": "pyup.io-49177",
- "more_info_path": "/vulnerabilities/CVE-2021-27645/49177",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e\r\nhttps://github.com/advisories/GHSA-hxwm-x553-x359",
+ "cve": "PVE-2022-49161",
+ "id": "pyup.io-49165",
+ "more_info_path": "/vulnerabilities/PVE-2022-49161/49165",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85733,9 +86345,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-33503",
- "id": "pyup.io-49213",
- "more_info_path": "/vulnerabilities/CVE-2021-33503/49213",
+ "cve": "CVE-2021-33910",
+ "id": "pyup.io-49202",
+ "more_info_path": "/vulnerabilities/CVE-2021-33910/49202",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85743,29 +86355,29 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2022-0155",
- "id": "pyup.io-49169",
- "more_info_path": "/vulnerabilities/CVE-2022-0155/49169",
+ "cve": "CVE-2021-35942",
+ "id": "pyup.io-49175",
+ "more_info_path": "/vulnerabilities/CVE-2021-35942/49175",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-23343",
- "id": "pyup.io-49207",
- "more_info_path": "/vulnerabilities/CVE-2021-23343/49207",
+ "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
+ "cve": "CVE-2022-22816",
+ "id": "pyup.io-49218",
+ "more_info_path": "/vulnerabilities/CVE-2022-22816/49218",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-49220",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/49220",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-49166",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/49166",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85773,19 +86385,19 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2022-24785",
- "id": "pyup.io-49205",
- "more_info_path": "/vulnerabilities/CVE-2022-24785/49205",
+ "cve": "CVE-2022-23219",
+ "id": "pyup.io-49178",
+ "more_info_path": "/vulnerabilities/CVE-2022-23219/49178",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
- "cve": "CVE-2022-22815",
- "id": "pyup.io-49219",
- "more_info_path": "/vulnerabilities/CVE-2022-22815/49219",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
+ "cve": "CVE-2021-32797",
+ "id": "pyup.io-49174",
+ "more_info_path": "/vulnerabilities/CVE-2021-32797/49174",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85793,9 +86405,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-35942",
- "id": "pyup.io-49175",
- "more_info_path": "/vulnerabilities/CVE-2021-35942/49175",
+ "cve": "CVE-2021-32804",
+ "id": "pyup.io-49208",
+ "more_info_path": "/vulnerabilities/CVE-2021-32804/49208",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85803,9 +86415,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-33910",
- "id": "pyup.io-49202",
- "more_info_path": "/vulnerabilities/CVE-2021-33910/49202",
+ "cve": "CVE-2022-0536",
+ "id": "pyup.io-49168",
+ "more_info_path": "/vulnerabilities/CVE-2022-0536/49168",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85813,9 +86425,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-37712",
- "id": "pyup.io-49212",
- "more_info_path": "/vulnerabilities/CVE-2021-37712/49212",
+ "cve": "CVE-2021-32803",
+ "id": "pyup.io-49210",
+ "more_info_path": "/vulnerabilities/CVE-2021-32803/49210",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85823,9 +86435,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-49166",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/49166",
+ "cve": "CVE-2022-0155",
+ "id": "pyup.io-49169",
+ "more_info_path": "/vulnerabilities/CVE-2022-0155/49169",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85833,9 +86445,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-3918",
- "id": "pyup.io-49171",
- "more_info_path": "/vulnerabilities/CVE-2021-3918/49171",
+ "cve": "CVE-2022-24785",
+ "id": "pyup.io-49205",
+ "more_info_path": "/vulnerabilities/CVE-2022-24785/49205",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85843,9 +86455,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2020-27618",
- "id": "pyup.io-49176",
- "more_info_path": "/vulnerabilities/CVE-2020-27618/49176",
+ "cve": "CVE-2022-23218",
+ "id": "pyup.io-49180",
+ "more_info_path": "/vulnerabilities/CVE-2022-23218/49180",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85853,29 +86465,29 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-39134",
- "id": "pyup.io-49164",
- "more_info_path": "/vulnerabilities/CVE-2021-39134/49164",
+ "cve": "CVE-2021-3999",
+ "id": "pyup.io-49188",
+ "more_info_path": "/vulnerabilities/CVE-2021-3999/49188",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2022-0536",
- "id": "pyup.io-49168",
- "more_info_path": "/vulnerabilities/CVE-2022-0536/49168",
+ "advisory": "Mlrun 1.0.3rc1 adds \"notebook~=6.4\" to requirements to tackle vulnerabilities.",
+ "cve": "CVE-2022-24758",
+ "id": "pyup.io-49215",
+ "more_info_path": "/vulnerabilities/CVE-2022-24758/49215",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
- "cve": "CVE-2022-22816",
- "id": "pyup.io-49218",
- "more_info_path": "/vulnerabilities/CVE-2022-22816/49218",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
+ "cve": "CVE-2020-27618",
+ "id": "pyup.io-49176",
+ "more_info_path": "/vulnerabilities/CVE-2020-27618/49176",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85892,20 +86504,20 @@
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e\r\nhttps://github.com/advisories/GHSA-hxwm-x553-x359",
- "cve": "PVE-2022-49161",
- "id": "pyup.io-49165",
- "more_info_path": "/vulnerabilities/PVE-2022-49161/49165",
+ "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
+ "cve": "CVE-2022-24757",
+ "id": "pyup.io-49172",
+ "more_info_path": "/vulnerabilities/CVE-2022-24757/49172",
 "specs": [
 "<1.0.3rc1"
 ],
 "v": "<1.0.3rc1"
 },
 {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-32804",
- "id": "pyup.io-49208",
- "more_info_path": "/vulnerabilities/CVE-2021-32804/49208",
+ "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
+ "cve": "CVE-2022-22815",
+ "id": "pyup.io-49219",
+ "more_info_path": "/vulnerabilities/CVE-2022-22815/49219",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -85941,16 +86553,6 @@
 ],
 "v": "<1.0.3rc1"
 },
- {
- "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-3326",
- "id": "pyup.io-49179",
- "more_info_path": "/vulnerabilities/CVE-2021-3326/49179",
- "specs": [
- "<1.0.3rc1"
- ],
- "v": "<1.0.3rc1"
- },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
 "cve": "CVE-2021-41247",
@@ -85971,11 +86573,21 @@
 ],
 "v": "<1.0.3rc1"
 },
+ {
+ "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-49217",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/49217",
+ "specs": [
+ "<1.0.3rc1"
+ ],
+ "v": "<1.0.3rc1"
+ },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2021-37701",
- "id": "pyup.io-49211",
- "more_info_path": "/vulnerabilities/CVE-2021-37701/49211",
+ "cve": "CVE-2021-39134",
+ "id": "pyup.io-49164",
+ "more_info_path": "/vulnerabilities/CVE-2021-39134/49164",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -86001,11 +86613,21 @@
 ],
 "v": "<1.0.3rc1"
 },
+ {
+ "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-49220",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/49220",
+ "specs": [
+ "<1.0.3rc1"
+ ],
+ "v": "<1.0.3rc1"
+ },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2019-25013",
- "id": "pyup.io-49185",
- "more_info_path": "/vulnerabilities/CVE-2019-25013/49185",
+ "cve": "CVE-2021-37701",
+ "id": "pyup.io-49211",
+ "more_info_path": "/vulnerabilities/CVE-2021-37701/49211",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -86013,9 +86635,9 @@
 },
 {
 "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e",
- "cve": "CVE-2022-24757",
- "id": "pyup.io-49172",
- "more_info_path": "/vulnerabilities/CVE-2022-24757/49172",
+ "cve": "CVE-2019-25013",
+ "id": "pyup.io-49185",
+ "more_info_path": "/vulnerabilities/CVE-2019-25013/49185",
 "specs": [
 "<1.0.3rc1"
 ],
@@ -86033,9 +86655,9 @@
 },
 {
 "advisory": "Mlrun 1.0.4rc1 updates its dependency 'storey' to v1.0.5 to fix transitive vulnerabilities related to NumPy.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-49372",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/49372",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-49352",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/49352",
 "specs": [
 "<1.0.4rc1"
 ],
@@ -86043,9 +86665,9 @@
 },
 {
 "advisory": "Mlrun 1.0.4rc1 updates its dependency 'storey' to v1.0.5 to fix transitive vulnerabilities related to NumPy.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-49352",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/49352",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-49372",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/49372",
 "specs": [
 "<1.0.4rc1"
 ],
@@ -86062,120 +86684,120 @@
 "v": "<1.0.4rc1"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.",
- "cve": "CVE-2021-39134",
- "id": "pyup.io-50985",
- "more_info_path": "/vulnerabilities/CVE-2021-39134/50985",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'async' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-43138",
+ "id": "pyup.io-50988",
+ "more_info_path": "/vulnerabilities/CVE-2021-43138/50988",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the Python package 'numpy' in its base image to include a security fix.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-51005",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/51005",
+ "advisory": "Mlrun 1.1.0 updates the Python package 'ipython' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2022-21699",
+ "id": "pyup.io-51004",
+ "more_info_path": "/vulnerabilities/CVE-2022-21699/51004",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'json-schema' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-3918",
- "id": "pyup.io-50991",
- "more_info_path": "/vulnerabilities/CVE-2021-3918/50991",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2016-10228",
+ "id": "pyup.io-51015",
+ "more_info_path": "/vulnerabilities/CVE-2016-10228/51015",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-3999",
- "id": "pyup.io-51013",
- "more_info_path": "/vulnerabilities/CVE-2021-3999/51013",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-33910",
+ "id": "pyup.io-51018",
+ "more_info_path": "/vulnerabilities/CVE-2021-33910/51018",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2019-25013",
- "id": "pyup.io-51017",
- "more_info_path": "/vulnerabilities/CVE-2019-25013/51017",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2020-13529",
+ "id": "pyup.io-51019",
+ "more_info_path": "/vulnerabilities/CVE-2020-13529/51019",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-27645",
- "id": "pyup.io-51009",
- "more_info_path": "/vulnerabilities/CVE-2021-27645/51009",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-3997",
+ "id": "pyup.io-51020",
+ "more_info_path": "/vulnerabilities/CVE-2021-3997/51020",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2022-0155",
- "id": "pyup.io-50990",
- "more_info_path": "/vulnerabilities/CVE-2022-0155/50990",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2020-6096",
+ "id": "pyup.io-51014",
+ "more_info_path": "/vulnerabilities/CVE-2020-6096/51014",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.",
- "cve": "CVE-2021-39135",
- "id": "pyup.io-50919",
- "more_info_path": "/vulnerabilities/CVE-2021-39135/50919",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-37713",
+ "id": "pyup.io-50995",
+ "more_info_path": "/vulnerabilities/CVE-2021-37713/50995",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-3997",
- "id": "pyup.io-51020",
- "more_info_path": "/vulnerabilities/CVE-2021-3997/51020",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'json-schema' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-3918",
+ "id": "pyup.io-50991",
+ "more_info_path": "/vulnerabilities/CVE-2021-3918/50991",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2022-0536",
- "id": "pyup.io-50989",
- "more_info_path": "/vulnerabilities/CVE-2022-0536/50989",
+ "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.",
+ "cve": "CVE-2021-39135",
+ "id": "pyup.io-50919",
+ "more_info_path": "/vulnerabilities/CVE-2021-39135/50919",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2016-10228",
- "id": "pyup.io-51015",
- "more_info_path": "/vulnerabilities/CVE-2016-10228/51015",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2022-0536",
+ "id": "pyup.io-50989",
+ "more_info_path": "/vulnerabilities/CVE-2022-0536/50989",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'async' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-43138",
- "id": "pyup.io-50988",
- "more_info_path": "/vulnerabilities/CVE-2021-43138/50988",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2022-23219",
+ "id": "pyup.io-51010",
+ "more_info_path": "/vulnerabilities/CVE-2022-23219/51010",
 "specs": [
 "<1.1.0"
 ],
@@ -86183,59 +86805,59 @@
 },
 {
 "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-35942",
- "id": "pyup.io-51007",
- "more_info_path": "/vulnerabilities/CVE-2021-35942/51007",
+ "cve": "CVE-2020-29562",
+ "id": "pyup.io-51016",
+ "more_info_path": "/vulnerabilities/CVE-2020-29562/51016",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the Python package 'ipython' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2022-21699",
- "id": "pyup.io-51004",
- "more_info_path": "/vulnerabilities/CVE-2022-21699/51004",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-32804",
+ "id": "pyup.io-50994",
+ "more_info_path": "/vulnerabilities/CVE-2021-32804/50994",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-33910",
- "id": "pyup.io-51018",
- "more_info_path": "/vulnerabilities/CVE-2021-33910/51018",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-27645",
+ "id": "pyup.io-51009",
+ "more_info_path": "/vulnerabilities/CVE-2021-27645/51009",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-37701",
- "id": "pyup.io-50997",
- "more_info_path": "/vulnerabilities/CVE-2021-37701/50997",
+ "advisory": "Mlrun 1.1.0 updates the Python package 'numpy' in its base image to include a security fix.",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-51005",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/51005",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-3326",
- "id": "pyup.io-51011",
- "more_info_path": "/vulnerabilities/CVE-2021-3326/51011",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2022-0155",
+ "id": "pyup.io-50990",
+ "more_info_path": "/vulnerabilities/CVE-2022-0155/50990",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2020-13529",
- "id": "pyup.io-51019",
- "more_info_path": "/vulnerabilities/CVE-2020-13529/51019",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-3999",
+ "id": "pyup.io-51013",
+ "more_info_path": "/vulnerabilities/CVE-2021-3999/51013",
 "specs": [
 "<1.1.0"
 ],
@@ -86252,30 +86874,20 @@
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the Python package 'jupyter-server' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2022-24757",
- "id": "pyup.io-51001",
- "more_info_path": "/vulnerabilities/CVE-2022-24757/51001",
- "specs": [
- "<1.1.0"
- ],
- "v": "<1.1.0"
- },
- {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2022-23219",
- "id": "pyup.io-51010",
- "more_info_path": "/vulnerabilities/CVE-2022-23219/51010",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-32803",
+ "id": "pyup.io-50996",
+ "more_info_path": "/vulnerabilities/CVE-2021-32803/50996",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterhub' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-41247",
- "id": "pyup.io-51002",
- "more_info_path": "/vulnerabilities/CVE-2021-41247/51002",
+ "advisory": "Mlrun 1.1.0 updates the Python package 'jupyter-server' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2022-24757",
+ "id": "pyup.io-51001",
+ "more_info_path": "/vulnerabilities/CVE-2022-24757/51001",
 "specs": [
 "<1.1.0"
 ],
@@ -86303,29 +86915,29 @@
 },
 {
 "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2020-6096",
- "id": "pyup.io-51014",
- "more_info_path": "/vulnerabilities/CVE-2020-6096/51014",
+ "cve": "CVE-2021-3326",
+ "id": "pyup.io-51011",
+ "more_info_path": "/vulnerabilities/CVE-2021-3326/51011",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-32803",
- "id": "pyup.io-50996",
- "more_info_path": "/vulnerabilities/CVE-2021-32803/50996",
+ "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterlab' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-32797",
+ "id": "pyup.io-51003",
+ "more_info_path": "/vulnerabilities/CVE-2021-32797/51003",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-37712",
- "id": "pyup.io-51000",
- "more_info_path": "/vulnerabilities/CVE-2021-37712/51000",
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2019-25013",
+ "id": "pyup.io-51017",
+ "more_info_path": "/vulnerabilities/CVE-2019-25013/51017",
 "specs": [
 "<1.1.0"
 ],
@@ -86341,6 +86953,16 @@
 ],
 "v": "<1.1.0"
 },
+ {
+ "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-35942",
+ "id": "pyup.io-51007",
+ "more_info_path": "/vulnerabilities/CVE-2021-35942/51007",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ },
 {
 "advisory": "Mlrun 1.1.0 updates the NPM package 'moment' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
 "cve": "CVE-2022-24785",
@@ -86362,30 +86984,30 @@
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-37713",
- "id": "pyup.io-50995",
- "more_info_path": "/vulnerabilities/CVE-2021-37713/50995",
+ "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.",
+ "cve": "CVE-2021-39134",
+ "id": "pyup.io-50985",
+ "more_info_path": "/vulnerabilities/CVE-2021-39134/50985",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2020-29562",
- "id": "pyup.io-51016",
- "more_info_path": "/vulnerabilities/CVE-2020-29562/51016",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'ansi-regex' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-50987",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/50987",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterlab' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-32797",
- "id": "pyup.io-51003",
- "more_info_path": "/vulnerabilities/CVE-2021-32797/51003",
+ "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterhub' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-41247",
+ "id": "pyup.io-51002",
+ "more_info_path": "/vulnerabilities/CVE-2021-41247/51002",
 "specs": [
 "<1.1.0"
 ],
@@ -86393,19 +87015,19 @@
 },
 {
 "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-32804",
- "id": "pyup.io-50994",
- "more_info_path": "/vulnerabilities/CVE-2021-32804/50994",
+ "cve": "CVE-2021-37712",
+ "id": "pyup.io-51000",
+ "more_info_path": "/vulnerabilities/CVE-2021-37712/51000",
 "specs": [
 "<1.1.0"
 ],
 "v": "<1.1.0"
 },
 {
- "advisory": "Mlrun 1.1.0 updates the NPM package 'ansi-regex' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-50987",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/50987",
+ "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997",
+ "cve": "CVE-2021-37701",
+ "id": "pyup.io-50997",
+ "more_info_path": "/vulnerabilities/CVE-2021-37701/50997",
 "specs": [
 "<1.1.0"
 ],
@@ -86472,25 +87094,35 @@ "v": "<1.4.0rc9" }, { - "advisory": "Mlrun version 1.6.2rc1 upgrades its FastAPI dependency to approximately version 0.110.0 from 0.103.2 to mitigate the security risks identified in CVE-2024-24762.\r\nhttps://github.com/mlrun/mlrun/pull/5205/commits/71647ae50e2f6a97adbad3312c1737db46b7eb38", + "advisory": "Mlrun version 1.6.2rc1 upgrades its Cryptography dependency to approximately version 41.0 from 42.0 to mitigate the security risks identified in CVE-2024-24762.\r\nhttps://github.com/mlrun/mlrun/pull/5205/commits/71647ae50e2f6a97adbad3312c1737db46b7eb38", "cve": "CVE-2024-24762", - "id": "pyup.io-65893", - "more_info_path": "/vulnerabilities/CVE-2024-24762/65893", + "id": "pyup.io-65950", + "more_info_path": "/vulnerabilities/CVE-2024-24762/65950", "specs": [ "<1.6.2rc1" ], "v": "<1.6.2rc1" }, { - "advisory": "Mlrun version 1.6.2rc1 upgrades its Cryptography dependency to approximately version 41.0 from 42.0 to mitigate the security risks identified in CVE-2024-24762.\r\nhttps://github.com/mlrun/mlrun/pull/5205/commits/71647ae50e2f6a97adbad3312c1737db46b7eb38", + "advisory": "Mlrun version 1.6.2rc1 upgrades its FastAPI dependency to approximately version 0.110.0 from 0.103.2 to mitigate the security risks identified in CVE-2024-24762.\r\nhttps://github.com/mlrun/mlrun/pull/5205/commits/71647ae50e2f6a97adbad3312c1737db46b7eb38", "cve": "CVE-2024-24762", - "id": "pyup.io-65950", - "more_info_path": "/vulnerabilities/CVE-2024-24762/65950", + "id": "pyup.io-65893", + "more_info_path": "/vulnerabilities/CVE-2024-24762/65893", "specs": [ "<1.6.2rc1" ], "v": "<1.6.2rc1" }, + { + "advisory": "Mlrun affected versions prior to this update used raw SQL queries, exposing the system to SQL injection risks. The update replaces these with prepared statements via the taosws library, ensuring all inputs are securely parameterized and preventing malicious query manipulation. 
Additionally, it standardizes type conversions, enhancing data integrity.", + "cve": "PVE-2024-72912", + "id": "pyup.io-72912", + "more_info_path": "/vulnerabilities/PVE-2024-72912/72912", + "specs": [ + "<1.7.0rc39" + ], + "v": "<1.7.0rc39" + }, { "advisory": "Mlrun 1.7.0rc5 addresses a race condition related to the buffer pool, ensuring more stable and reliable buffer management during concurrent operations.\r\nhttps://github.com/mlrun/mlrun/pull/5281", "cve": "PVE-2024-66055", @@ -86935,6 +87567,16 @@ ], "v": "<3.6.0" }, + { + "advisory": "The Mobile Security Framework (MobSF) contains a critical Zip Slip vulnerability in the processing of .a static library files. A flaw was identified in the Static Libraries analysis module, where the safeguard against Zip Slip attacks is improperly implemented. This vulnerability allows an attacker to bypass protections and extract files to any arbitrary location on the server running MobSF, resulting in a significant security risk.", + "cve": "CVE-2024-43399", + "id": "pyup.io-72732", + "more_info_path": "/vulnerabilities/CVE-2024-43399/72732", + "specs": [ + "<4.0.7" + ], + "v": "<4.0.7" + }, { "advisory": "Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. \r\nNOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.", "cve": "CVE-2023-42261", 
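Review bot: The new record pyup.io-72912 (PVE-2024-72912) says only "affected versions prior to this update" and carries no reference, so the `<1.7.0rc39` bound in `specs` is the sole statement of the fix version; the sibling mlrun records each name the release and link the PR, and this one should too (prefix the text with the fixed release and append the upstream PR URL). Separately, the two CVE-2024-24762 records this hunk merely reorders still describe different dependencies: pyup.io-65893 a FastAPI bump, pyup.io-65950 a Cryptography change "to approximately version 41.0 from 42.0", which as written is a downgrade. The nicegui record further down in this diff ties CVE-2024-24762 to python-multipart's Content-Type ReDoS, so the Cryptography record looks mis-attributed and is worth checking against the linked commit 71647ae.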
@@ -87082,20 +87724,20 @@ ], "modelstore": [ { - "advisory": "Modelstore 0.0.76 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", - "cve": "CVE-2007-4559", - "id": "pyup.io-51644", - "more_info_path": "/vulnerabilities/CVE-2007-4559/51644", + "advisory": "Modelstore 0.0.76 updates its dependency 'protobuf' to v3.19.5 to include a security fix.", + "cve": "CVE-2022-1941", + "id": "pyup.io-51642", + "more_info_path": "/vulnerabilities/CVE-2022-1941/51642", "specs": [ "<0.0.76" ], "v": "<0.0.76" }, { - "advisory": "Modelstore 0.0.76 updates its dependency 'protobuf' to v3.19.5 to include a security fix.", - "cve": "CVE-2022-1941", - "id": "pyup.io-51642", - "more_info_path": "/vulnerabilities/CVE-2022-1941/51642", + "advisory": "Modelstore 0.0.76 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", + "cve": "CVE-2007-4559", + "id": "pyup.io-51644", + "more_info_path": "/vulnerabilities/CVE-2007-4559/51644", "specs": [ "<0.0.76" ], 
@@ -87146,20 +87788,20 @@ "v": "<2.0.5" }, { - "advisory": "Modoboa 2.1.0 includes a fix for a CSRF vulnerability in edit operations.\r\nhttps://github.com/modoboa/modoboa/pull/2889/commits/5d886f3d06373d2c3292911bac0772bcd5102343", - "cve": "PVE-2023-55109", - "id": "pyup.io-55109", - "more_info_path": "/vulnerabilities/PVE-2023-55109/55109", + "advisory": "Modoboa 2.1.0 includes a fix for a weak password requirement vulnerability.\r\nhttps://github.com/modoboa/modoboa/pull/2949/commits/130257c96a2392ada795785a91178e656e27015c", + "cve": "CVE-2023-2160", + "id": "pyup.io-55104", + "more_info_path": "/vulnerabilities/CVE-2023-2160/55104", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { - "advisory": "Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.", - "cve": "CVE-2023-2228", - "id": "pyup.io-62887", - "more_info_path": "/vulnerabilities/CVE-2023-2228/62887", + "advisory": "Modoboa 2.1.0 includes a fix for a CSRF vulnerability in edit operations.\r\nhttps://github.com/modoboa/modoboa/pull/2889/commits/5d886f3d06373d2c3292911bac0772bcd5102343", + "cve": "PVE-2023-55109", + "id": "pyup.io-55109", + "more_info_path": "/vulnerabilities/PVE-2023-55109/55109", "specs": [ "<2.1.0" ], 
@@ -87176,50 +87818,50 @@ "v": "<2.1.0" }, { - "advisory": "Modoboa 2.1.0 includes a fix for a weak password requirement vulnerability.\r\nhttps://github.com/modoboa/modoboa/pull/2949/commits/130257c96a2392ada795785a91178e656e27015c", - "cve": "CVE-2023-2160", - "id": "pyup.io-55104", - "more_info_path": "/vulnerabilities/CVE-2023-2160/55104", + "advisory": "Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.", + "cve": "CVE-2023-2228", + "id": "pyup.io-62887", + "more_info_path": "/vulnerabilities/CVE-2023-2228/62887", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { - "advisory": "Modoboa 2.2.2 prevents a CSRF error due to multiple click.\r\nhttps://github.com/modoboa/modoboa/pull/3085/commits/305b080259ab635855503db829b0ed2b5f368e34", - "cve": "PVE-2023-63091", - "id": "pyup.io-63091", - "more_info_path": "/vulnerabilities/PVE-2023-63091/63091", + "advisory": "Modoboa 2.2.2 includes a fix for CVE-2023-5689: Cross-site Scripting (XSS) - DOM.\r\nhttps://github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967", + "cve": "CVE-2023-5689", + "id": "pyup.io-63075", + "more_info_path": "/vulnerabilities/CVE-2023-5689/63075", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { - "advisory": "Modoboa 2.2.2 fixes a XSS vulnerability when displaying the form error messages.\r\nhttps://github.com/modoboa/modoboa/pull/3095/commits/6fdb077ca51407162109c9ed0d97882d7c7138eb", - "cve": "PVE-2023-63090", - "id": "pyup.io-63090", - "more_info_path": "/vulnerabilities/PVE-2023-63090/63090", + "advisory": "Modoboa 2.2.2 fixes a CSRF vulnerability on the logout view.\r\nhttps://github.com/modoboa/modoboa/pull/3090/commits/2d33d34279566932b293d3407be6823fc1d7219f", + "cve": "PVE-2023-63089", + "id": "pyup.io-63089", + "more_info_path": "/vulnerabilities/PVE-2023-63089/63089", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { - "advisory": "Modoboa 2.2.2 fixes a CSRF vulnerability on the logout 
view.\r\nhttps://github.com/modoboa/modoboa/pull/3090/commits/2d33d34279566932b293d3407be6823fc1d7219f", - "cve": "PVE-2023-63089", - "id": "pyup.io-63089", - "more_info_path": "/vulnerabilities/PVE-2023-63089/63089", + "advisory": "Modoboa 2.2.2 fixes a XSS vulnerability when displaying the form error messages.\r\nhttps://github.com/modoboa/modoboa/pull/3095/commits/6fdb077ca51407162109c9ed0d97882d7c7138eb", + "cve": "PVE-2023-63090", + "id": "pyup.io-63090", + "more_info_path": "/vulnerabilities/PVE-2023-63090/63090", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { - "advisory": "Modoboa 2.2.2 includes a fix for CVE-2023-5689: Cross-site Scripting (XSS) - DOM.\r\nhttps://github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967", - "cve": "CVE-2023-5689", - "id": "pyup.io-63075", - "more_info_path": "/vulnerabilities/CVE-2023-5689/63075", + "advisory": "Modoboa 2.2.2 prevents a CSRF error due to multiple click.\r\nhttps://github.com/modoboa/modoboa/pull/3085/commits/305b080259ab635855503db829b0ed2b5f368e34", + "cve": "PVE-2023-63091", + "id": "pyup.io-63091", + "more_info_path": "/vulnerabilities/PVE-2023-63091/63091", "specs": [ "<2.2.2" ], 
@@ -87276,20 +87918,20 @@ "v": ">=0,<2.0.4" }, { - "advisory": "Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.", - "cve": "CVE-2023-0438", - "id": "pyup.io-54624", - "more_info_path": "/vulnerabilities/CVE-2023-0438/54624", + "advisory": "Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.", + "cve": "CVE-2023-0860", + "id": "pyup.io-54656", + "more_info_path": "/vulnerabilities/CVE-2023-0860/54656", "specs": [ ">=0,<2.0.4" ], "v": ">=0,<2.0.4" }, { - "advisory": "Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.", - "cve": "CVE-2023-0860", - "id": "pyup.io-54656", - "more_info_path": "/vulnerabilities/CVE-2023-0860/54656", + "advisory": "Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.", + "cve": "CVE-2023-0438", + "id": "pyup.io-54624", + "more_info_path": "/vulnerabilities/CVE-2023-0438/54624", "specs": [ ">=0,<2.0.4" ], @@ -87439,20 +88081,20 @@ "v": "<1.9.10" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-9119.", - "cve": "CVE-2016-9119", - "id": "pyup.io-39587", - "more_info_path": "/vulnerabilities/CVE-2016-9119/39587", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-7146.", + "cve": "CVE-2016-7146", + "id": "pyup.io-39588", + "more_info_path": "/vulnerabilities/CVE-2016-7146/39588", "specs": [ "<1.9.10" ], "v": "<1.9.10" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-7146.", - "cve": "CVE-2016-7146", - "id": "pyup.io-39588", - "more_info_path": "/vulnerabilities/CVE-2016-7146/39588", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-9119.", + "cve": "CVE-2016-9119", + "id": "pyup.io-39587", + "more_info_path": "/vulnerabilities/CVE-2016-9119/39587", "specs": [ "<1.9.10" ], 
@@ -87548,16 +88190,6 @@ ], "v": "==1.9.8" }, - { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.", - "cve": "CVE-2007-0901", - "id": "pyup.io-61205", - "more_info_path": "/vulnerabilities/CVE-2007-0901/61205", - "specs": [ - ">1.5.6,<=1.5.7" - ], - "v": ">1.5.6,<=1.5.7" - }, { "advisory": "Unspecified vulnerability in the \"Show debugging information\" feature in MoinMoin 1.5.7 allows remote attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.", "cve": "CVE-2007-0902", @@ -87578,6 +88210,16 @@ ], "v": ">1.5.6,<=1.5.7" }, + { + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.", + "cve": "CVE-2007-0901", + "id": "pyup.io-61205", + "more_info_path": "/vulnerabilities/CVE-2007-0901/61205", + "specs": [ + ">1.5.6,<=1.5.7" + ], + "v": ">1.5.6,<=1.5.7" + }, { "advisory": "The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check the ACL of an included page, which allows attackers to read unauthorized include files via unknown vectors.", "cve": "CVE-2008-6548", 
@@ -87980,30 +88622,30 @@ ], "mosaicml": [ { - "advisory": "Mosaicml 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2023-24816", - "id": "pyup.io-53698", - "more_info_path": "/vulnerabilities/CVE-2023-24816/53698", + "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "PVE-2021-44525", + "id": "pyup.io-53702", + "more_info_path": "/vulnerabilities/PVE-2021-44525/53702", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2021-33503", - "id": "pyup.io-53699", - "more_info_path": "/vulnerabilities/CVE-2021-33503/53699", + "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2022-22816", + "id": "pyup.io-53704", + "more_info_path": "/vulnerabilities/CVE-2022-22816/53704", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "PVE-2021-44525", - "id": "pyup.io-53702", - "more_info_path": "/vulnerabilities/PVE-2021-44525/53702", + "advisory": "Mosaicml 0.13.0 updates its dependency 'certifi' requirement to '>=2022.12.7' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2022-23491", + "id": "pyup.io-53700", + "more_info_path": "/vulnerabilities/CVE-2022-23491/53700", "specs": [ "<0.13.0" ], 
@@ -88011,29 +88653,29 @@ }, { "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2022-22816", - "id": "pyup.io-53704", - "more_info_path": "/vulnerabilities/CVE-2022-22816/53704", + "cve": "PVE-2022-44524", + "id": "pyup.io-53703", + "more_info_path": "/vulnerabilities/PVE-2022-44524/53703", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2021-34552", - "id": "pyup.io-53701", - "more_info_path": "/vulnerabilities/CVE-2021-34552/53701", + "advisory": "Mosaicml 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2023-24816", + "id": "pyup.io-53698", + "more_info_path": "/vulnerabilities/CVE-2023-24816/53698", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'certifi' requirement to '>=2022.12.7' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2022-23491", - "id": "pyup.io-53700", - "more_info_path": "/vulnerabilities/CVE-2022-23491/53700", + "advisory": "Mosaicml 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2021-33503", + "id": "pyup.io-53699", + "more_info_path": "/vulnerabilities/CVE-2021-33503/53699", "specs": [ "<0.13.0" ], 
@@ -88041,9 +88683,9 @@ }, { "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "PVE-2022-44524", - "id": "pyup.io-53703", - "more_info_path": "/vulnerabilities/PVE-2022-44524/53703", + "cve": "CVE-2021-34552", + "id": "pyup.io-53701", + "more_info_path": "/vulnerabilities/CVE-2021-34552/53701", "specs": [ "<0.13.0" ], @@ -89360,6 +90002,16 @@ ], "v": "<1.4.19" }, + { + "advisory": "Muttlib 1.4.19 updates its dependency 'numpy' to include security fixes.", + "cve": "CVE-2021-33430", + "id": "pyup.io-50847", + "more_info_path": "/vulnerabilities/CVE-2021-33430/50847", + "specs": [ + "<1.4.19" + ], + "v": "<1.4.19" + }, { "advisory": "Muttlib 1.4.19 updates its dependency 'numpy' to include security fixes.", "cve": "CVE-2021-34141", @@ -89419,16 +90071,6 @@ "<1.4.19" ], "v": "<1.4.19" - }, - { - "advisory": "Muttlib 1.4.19 updates its dependency 'numpy' to include security fixes.", - "cve": "CVE-2021-33430", - "id": "pyup.io-50847", - "more_info_path": "/vulnerabilities/CVE-2021-33430/50847", - "specs": [ - "<1.4.19" - ], - "v": "<1.4.19" } ], "mwdb-core": [ 
@@ -89794,20 +90436,20 @@ ], "nanite": [ { - "advisory": "Nanite 3.7.0 updates its dependency 'scipy' to version '1.10.0' to include a fix for a vulnerability.", + "advisory": "Nanite 3.7.0 updates its dependency 'scipy' to version '1.10.0' to include a fix for a Denial of Service vulnerability.", "cve": "CVE-2023-25399", - "id": "pyup.io-59894", - "more_info_path": "/vulnerabilities/CVE-2023-25399/59894", + "id": "pyup.io-59794", + "more_info_path": "/vulnerabilities/CVE-2023-25399/59794", "specs": [ "<3.7.0" ], "v": "<3.7.0" }, { - "advisory": "Nanite 3.7.0 updates its dependency 'scipy' to version '1.10.0' to include a fix for a Denial of Service vulnerability.", + "advisory": "Nanite 3.7.0 updates its dependency 'scipy' to version '1.10.0' to include a fix for a vulnerability.", "cve": "CVE-2023-25399", - "id": "pyup.io-59794", - "more_info_path": "/vulnerabilities/CVE-2023-25399/59794", + "id": "pyup.io-59894", + "more_info_path": "/vulnerabilities/CVE-2023-25399/59894", "specs": [ "<3.7.0" ], @@ -90109,10 +90751,10 @@ "v": "<1.2.3" }, { - "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22816.\r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", - "cve": "CVE-2022-22816", - "id": "pyup.io-63593", - "more_info_path": "/vulnerabilities/CVE-2022-22816/63593", + "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22817. \r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", + "cve": "CVE-2022-22817", + "id": "pyup.io-63594", + "more_info_path": "/vulnerabilities/CVE-2022-22817/63594", "specs": [ "<1.2.4" ], 
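Review bot: Both nanite records in this hunk carry CVE-2023-25399 with the identical `specs` `<3.7.0`, and their advisory texts differ only by the words "Denial of Service"; the commit swaps their order but keeps both ids (pyup.io-59794 and pyup.io-59894). A consumer that counts or lists findings per record will report the same scipy issue twice for any nanite <3.7.0 install. Unless the two ids are meant to be distinct upstream, one record should be dropped at generation time, since strict JSON offers no way to annotate the duplicate in the file itself.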
@@ -90129,10 +90771,10 @@ "v": "<1.2.4" }, { - "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22817. \r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", - "cve": "CVE-2022-22817", - "id": "pyup.io-63594", - "more_info_path": "/vulnerabilities/CVE-2022-22817/63594", + "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22816.\r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", + "cve": "CVE-2022-22816", + "id": "pyup.io-63593", + "more_info_path": "/vulnerabilities/CVE-2022-22816/63593", "specs": [ "<1.2.4" ], @@ -90189,10 +90831,10 @@ "v": "<1.5.7" }, { - "advisory": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.", - "cve": "CVE-2024-23345", - "id": "pyup.io-66715", - "more_info_path": "/vulnerabilities/CVE-2024-23345/66715", + "advisory": "Nautobot is affected by a potential XSS vulnerability in rendered Markdown fields (comments, description, notes, etc.).\r\nhttps://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h", + "cve": "PVE-2024-64427", + "id": "pyup.io-64427", + "more_info_path": "/vulnerabilities/PVE-2024-64427/64427", "specs": [ "<1.6.10", ">=2.0.0,<2.1.2" 
@@ -90200,10 +90842,10 @@ "v": "<1.6.10,>=2.0.0,<2.1.2" }, { - "advisory": "Nautobot is affected by a potential XSS vulnerability in rendered Markdown fields (comments, description, notes, etc.).\r\nhttps://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h", - "cve": "PVE-2024-64427", - "id": "pyup.io-64427", - "more_info_path": "/vulnerabilities/PVE-2024-64427/64427", + "advisory": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.", + "cve": "CVE-2024-23345", + "id": "pyup.io-66715", + "more_info_path": "/vulnerabilities/CVE-2024-23345/66715", "specs": [ "<1.6.10", ">=2.0.0,<2.1.2" @@ -90255,10 +90897,10 @@ "v": "<1.6.6,>=2.0.0,<2.0.5" }, { - "advisory": "Nautobot 1.6.8 and 2.1.0 updates its paramiko dependency from version 3.3.1 to 3.4.0. This change is in response to the security vulnerability identified as CVE-2023-48795.\r\nhttps://github.com/nautobot/nautobot/pull/5002/commits/e8e2bfdf4c0c0e8d923d936b44d53e91405eb256", - "cve": "CVE-2023-48795", - "id": "pyup.io-63586", - "more_info_path": "/vulnerabilities/CVE-2023-48795/63586", + "advisory": "Nautobot 1.6.8 updates its cryptography dependency from version 41.0.5 to 41.0.6. This change is in response to the security vulnerability identified as CVE-2023-49083.\r\nhttps://github.com/nautobot/nautobot/pull/4876/commits/c10507a8f9f70f5741711dc85f4c87adb08600cc", + "cve": "CVE-2023-49083", + "id": "pyup.io-63585", + "more_info_path": "/vulnerabilities/CVE-2023-49083/63585", "specs": [ "<1.6.8", ">=2.0.0rc1,<2.1.0" 
@@ -90266,10 +90908,10 @@ "v": "<1.6.8,>=2.0.0rc1,<2.1.0" }, { - "advisory": "Nautobot 1.6.8 updates its cryptography dependency from version 41.0.5 to 41.0.6. This change is in response to the security vulnerability identified as CVE-2023-49083.\r\nhttps://github.com/nautobot/nautobot/pull/4876/commits/c10507a8f9f70f5741711dc85f4c87adb08600cc", - "cve": "CVE-2023-49083", - "id": "pyup.io-63585", - "more_info_path": "/vulnerabilities/CVE-2023-49083/63585", + "advisory": "Nautobot 1.6.8 and 2.1.0 updates its paramiko dependency from version 3.3.1 to 3.4.0. This change is in response to the security vulnerability identified as CVE-2023-48795.\r\nhttps://github.com/nautobot/nautobot/pull/5002/commits/e8e2bfdf4c0c0e8d923d936b44d53e91405eb256", + "cve": "CVE-2023-48795", + "id": "pyup.io-63586", + "more_info_path": "/vulnerabilities/CVE-2023-48795/63586", "specs": [ "<1.6.8", ">=2.0.0rc1,<2.1.0" @@ -90475,9 +91117,9 @@ "nba-api": [ { "advisory": "Nba-api 1.1.14 updates its dependency 'numpy' to v1.22.2 to include a security fix.", - "cve": "CVE-2021-34141", - "id": "pyup.io-61646", - "more_info_path": "/vulnerabilities/CVE-2021-34141/61646", + "cve": "CVE-2021-41496", + "id": "pyup.io-61610", + "more_info_path": "/vulnerabilities/CVE-2021-41496/61610", "specs": [ "<1.1.14" ], @@ -90485,9 +91127,9 @@ }, { "advisory": "Nba-api 1.1.14 updates its dependency 'numpy' to v1.22.2 to include a security fix.", - "cve": "CVE-2021-41496", - "id": "pyup.io-61610", - "more_info_path": "/vulnerabilities/CVE-2021-41496/61610", + "cve": "CVE-2021-34141", + "id": "pyup.io-61646", + "more_info_path": "/vulnerabilities/CVE-2021-34141/61646", "specs": [ "<1.1.14" ], 
@@ -90803,9 +91445,9 @@ }, { "advisory": "Nemo 1.14.4 updates its dependency 'django' to v1.11.23 to include security fixes.", - "cve": "CVE-2019-14235", - "id": "pyup.io-52539", - "more_info_path": "/vulnerabilities/CVE-2019-14235/52539", + "cve": "CVE-2019-14233", + "id": "pyup.io-52537", + "more_info_path": "/vulnerabilities/CVE-2019-14233/52537", "specs": [ "<1.14.4" ], @@ -90813,9 +91455,9 @@ }, { "advisory": "Nemo 1.14.4 updates its dependency 'django' to v1.11.23 to include security fixes.", - "cve": "CVE-2019-14234", - "id": "pyup.io-52403", - "more_info_path": "/vulnerabilities/CVE-2019-14234/52403", + "cve": "CVE-2019-14235", + "id": "pyup.io-52539", + "more_info_path": "/vulnerabilities/CVE-2019-14235/52539", "specs": [ "<1.14.4" ], @@ -90823,9 +91465,9 @@ }, { "advisory": "Nemo 1.14.4 updates its dependency 'django' to v1.11.23 to include security fixes.", - "cve": "CVE-2019-14233", - "id": "pyup.io-52537", - "more_info_path": "/vulnerabilities/CVE-2019-14233/52537", + "cve": "CVE-2019-14234", + "id": "pyup.io-52403", + "more_info_path": "/vulnerabilities/CVE-2019-14234/52403", "specs": [ "<1.14.4" ], @@ -90883,9 +91525,9 @@ }, { "advisory": "Nemo 3.14.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22815", - "id": "pyup.io-44750", - "more_info_path": "/vulnerabilities/CVE-2022-22815/44750", + "cve": "CVE-2022-22816", + "id": "pyup.io-44730", + "more_info_path": "/vulnerabilities/CVE-2022-22816/44730", "specs": [ "<3.14.0" ], @@ -90893,9 +91535,9 @@ }, { "advisory": "Nemo 3.14.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-44730", - "more_info_path": "/vulnerabilities/CVE-2022-22816/44730", + "cve": "CVE-2022-22817", + "id": "pyup.io-44751", + "more_info_path": "/vulnerabilities/CVE-2022-22817/44751", "specs": [ "<3.14.0" ], 
@@ -90903,9 +91545,9 @@ }, { "advisory": "Nemo 3.14.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22817", - "id": "pyup.io-44751", - "more_info_path": "/vulnerabilities/CVE-2022-22817/44751", + "cve": "CVE-2022-22815", + "id": "pyup.io-44750", + "more_info_path": "/vulnerabilities/CVE-2022-22815/44750", "specs": [ "<3.14.0" ], @@ -90913,9 +91555,9 @@ }, { "advisory": "Nemo 3.15.0 updates its dependency 'Django' to v2.2.27 to include security fixes.", - "cve": "CVE-2022-22818", - "id": "pyup.io-45284", - "more_info_path": "/vulnerabilities/CVE-2022-22818/45284", + "cve": "CVE-2022-23833", + "id": "pyup.io-45313", + "more_info_path": "/vulnerabilities/CVE-2022-23833/45313", "specs": [ "<3.15.0" ], @@ -90923,9 +91565,9 @@ }, { "advisory": "Nemo 3.15.0 updates its dependency 'Django' to v2.2.27 to include security fixes.", - "cve": "CVE-2022-23833", - "id": "pyup.io-45313", - "more_info_path": "/vulnerabilities/CVE-2022-23833/45313", + "cve": "CVE-2022-22818", + "id": "pyup.io-45284", + "more_info_path": "/vulnerabilities/CVE-2022-22818/45284", "specs": [ "<3.15.0" ], @@ -91003,9 +91645,9 @@ }, { "advisory": "Nemo 4.2.0 updates its dependency 'Django' to v3.2.15 to include security fixes.", - "cve": "CVE-2022-36359", - "id": "pyup.io-50891", - "more_info_path": "/vulnerabilities/CVE-2022-36359/50891", + "cve": "CVE-2022-34265", + "id": "pyup.io-50884", + "more_info_path": "/vulnerabilities/CVE-2022-34265/50884", "specs": [ "<4.2.0" ], @@ -91013,9 +91655,9 @@ }, { "advisory": "Nemo 4.2.0 updates its dependency 'Django' to v3.2.15 to include security fixes.", - "cve": "CVE-2022-34265", - "id": "pyup.io-50884", - "more_info_path": "/vulnerabilities/CVE-2022-34265/50884", + "cve": "CVE-2022-36359", + "id": "pyup.io-50891", + "more_info_path": "/vulnerabilities/CVE-2022-36359/50891", "specs": [ "<4.2.0" ], 
@@ -91043,9 +91685,9 @@ }, { "advisory": "Nemo 4.5.0 updates its dependency 'django' to v3.2.18 to include security fixes.", - "cve": "CVE-2023-24580", - "id": "pyup.io-54983", - "more_info_path": "/vulnerabilities/CVE-2023-24580/54983", + "cve": "CVE-2023-23969", + "id": "pyup.io-54994", + "more_info_path": "/vulnerabilities/CVE-2023-23969/54994", "specs": [ "<4.5.0" ], @@ -91053,9 +91695,9 @@ }, { "advisory": "Nemo 4.5.0 updates its dependency 'django' to v3.2.18 to include security fixes.", - "cve": "CVE-2023-23969", - "id": "pyup.io-54994", - "more_info_path": "/vulnerabilities/CVE-2023-23969/54994", + "cve": "CVE-2023-24580", + "id": "pyup.io-54983", + "more_info_path": "/vulnerabilities/CVE-2023-24580/54983", "specs": [ "<4.5.0" ], @@ -91120,6 +91762,16 @@ "<5.3.0" ], "v": "<5.3.0" + }, + { + "advisory": "Nemo updates its Django dependency from version 4.2.11 to 4.2.15 to address the security vulnerability identified in CVE-2024-42005.", + "cve": "CVE-2024-42005", + "id": "pyup.io-72769", + "more_info_path": "/vulnerabilities/CVE-2024-42005/72769", + "specs": [ + "<6.0.3" + ], + "v": "<6.0.3" } ], "nemo-toolkit": [ 
@@ -91876,7 +92528,7 @@ ], "nextflow": [ { - "advisory": "Nextflow 23.04.4 resolves a vulnerability in the Google Batch script launcher by removing the -o allow_other mount option, which posed a shell injection risk. This update significantly enhances the security of batch job submissions to Google Cloud, ensuring safer and more secure operations. \r\nhttps://github.com/nextflow-io/nextflow/pull/4332/files", + "advisory": "Nextflow 23.04.4 resolves a vulnerability in the Google Batch script launcher by removing the -o allow_other mount option, which posed a shell injection risk. This update significantly enhances the security of batch job submissions to Google Cloud, ensuring safer and more secure operations. \r\nNote: The Nextflow launcher installer itself does not contain any vulnerable code, but installing the package will result in using a vulnerable version of the Nextflow core.", "cve": "PVE-2024-64085", "id": "pyup.io-64085", "more_info_path": "/vulnerabilities/PVE-2024-64085/64085", 
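Review bot: The rewritten pyup.io-64085 advisory replaces the PR reference with the installer note, so the new side no longer carries any link to the fix, while the other records in this file keep their URLs after the `\r\n`. Keeping both preserves traceability: `"advisory": "Nextflow 23.04.4 resolves a vulnerability in the Google Batch script launcher by removing the -o allow_other mount option, which posed a shell injection risk. This update significantly enhances the security of batch job submissions to Google Cloud, ensuring safer and more secure operations. \r\nhttps://github.com/nextflow-io/nextflow/pull/4332/files\r\nNote: The Nextflow launcher installer itself does not contain any vulnerable code, but installing the package will result in using a vulnerable version of the Nextflow core."`.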
@@ -91884,6 +92536,36 @@ "<23.04.4" ], "v": "<23.04.4" + }, + { + "advisory": "Nextflow 23.04.5 upgrades its pf4j dependency version from 3.4.1 to 3.10.0 due to the CVE-2023-40826.\r\n# Note: The Nextflow launcher installer itself does not contain any vulnerable code, but installing the package will result in using a vulnerable version of the Nextflow core.", + "cve": "CVE-2023-40826", + "id": "pyup.io-64231", + "more_info_path": "/vulnerabilities/CVE-2023-40826/64231", + "specs": [ + "<23.04.5" + ], + "v": "<23.04.5" + }, + { + "advisory": "Nextflow 23.04.5 upgrades its Apache Ivy dependency version from 2.5.1 to 2.5.2 due to the CVE-2022-46751.\r\n# Note: The Nextflow launcher installer itself does not contain any vulnerable code, but installing the package will result in using a vulnerable version of the Nextflow core.", + "cve": "CVE-2022-46751", + "id": "pyup.io-64084", + "more_info_path": "/vulnerabilities/CVE-2022-46751/64084", + "specs": [ + "<23.04.5" + ], + "v": "<23.04.5" + }, + { + "advisory": "Nextflow 23.04.5 upgrades its Eclipse JGit dependency version from 6.5.0.202303070854-r to 6.6.1.202309021850-r due to the CVE-2023-4759.\r\n# Note: The Nextflow launcher installer itself does not contain any vulnerable code, but installing the package will result in using a vulnerable version of the Nextflow core.", + "cve": "CVE-2023-4759", + "id": "pyup.io-64230", + "more_info_path": "/vulnerabilities/CVE-2023-4759/64230", + "specs": [ + "<23.04.5" + ], + "v": "<23.04.5" } ], "nf-core": [ @@ -91961,9 +92643,9 @@ "nicegui": [ { "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "PVE-2021-44525", - "id": "pyup.io-44597", - "more_info_path": "/vulnerabilities/PVE-2021-44525/44597", + "cve": "CVE-2022-22816", + "id": "pyup.io-44595", + "more_info_path": "/vulnerabilities/CVE-2022-22816/44595", "specs": [ "<0.7.2" ], 
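Review bot: The three new nextflow records (pyup.io-64231, 64084 and 64230) embed the installer caveat as `\r\n# Note: ...`, whereas the pyup.io-64085 record in the previous hunk uses `\r\nNote: ...` with no `#`; a consumer that renders advisory text as Markdown will turn the new ones into a heading. Dropping the `# ` makes all four read the same. These records also cite only the CVE and give no upstream PR or release link, unlike the neighbouring entries, so a reference URL after the version sentence would help triage.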
@@ -91979,6 +92661,16 @@ ], "v": "<0.7.2" }, + { + "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", + "cve": "PVE-2021-44525", + "id": "pyup.io-44597", + "more_info_path": "/vulnerabilities/PVE-2021-44525/44597", + "specs": [ + "<0.7.2" + ], + "v": "<0.7.2" + }, { "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "CVE-2022-22817", @@ -92000,14 +92692,14 @@ "v": "<0.7.2" }, { - "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-44595", - "more_info_path": "/vulnerabilities/CVE-2022-22816/44595", + "advisory": "Nicegui 0.9.26 updates its dependency 'pillow' to v9.3.0 to include a security fix.", + "cve": "CVE-2022-45199", + "id": "pyup.io-52528", + "more_info_path": "/vulnerabilities/CVE-2022-45199/52528", "specs": [ - "<0.7.2" + "<0.9.26" ], - "v": "<0.7.2" + "v": "<0.9.26" }, { "advisory": "Nicegui 0.9.26 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", @@ -92029,16 +92721,6 @@ ], "v": "<0.9.26" }, - { - "advisory": "Nicegui 0.9.26 updates its dependency 'pillow' to v9.3.0 to include a security fix.", - "cve": "CVE-2022-45199", - "id": "pyup.io-52528", - "more_info_path": "/vulnerabilities/CVE-2022-45199/52528", - "specs": [ - "<0.9.26" - ], - "v": "<0.9.26" - }, { "advisory": "Nicegui version 1.4.16 increases the required version of python-multipart to 0.0.7. This update addresses the Regular Expression Denial of Service (ReDoS) vulnerability associated with the Content-Type header, detailed in CVE-2024-24762.\r\nhttps://github.com/zauberzeug/nicegui/pull/2569/commits/89fefcb086bdc8a3e9159585627d7bba773f8a62", "cve": "CVE-2024-24762", 
@@ -92148,10 +92830,10 @@ ], "nidaqmx": [ { - "advisory": "Nidaqmx 0.5.8 updates its dependency 'jinja2' to v2.11.2 to include security fixes.", - "cve": "CVE-2020-28493", - "id": "pyup.io-44700", - "more_info_path": "/vulnerabilities/CVE-2020-28493/44700", + "advisory": "Nidaqmx 0.5.8 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", + "cve": "CVE-2019-11324", + "id": "pyup.io-44703", + "more_info_path": "/vulnerabilities/CVE-2019-11324/44703", "specs": [ "<0.5.8" ], @@ -92168,10 +92850,10 @@ "v": "<0.5.8" }, { - "advisory": "Nidaqmx 0.5.8 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", - "cve": "CVE-2020-26137", - "id": "pyup.io-44702", - "more_info_path": "/vulnerabilities/CVE-2020-26137/44702", + "advisory": "Nidaqmx 0.5.8 updates its dependency 'jinja2' to v2.11.2 to include security fixes.", + "cve": "CVE-2020-28493", + "id": "pyup.io-44700", + "more_info_path": "/vulnerabilities/CVE-2020-28493/44700", "specs": [ "<0.5.8" ], @@ -92179,19 +92861,19 @@ }, { "advisory": "Nidaqmx 0.5.8 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", - "cve": "CVE-2019-11324", - "id": "pyup.io-44703", - "more_info_path": "/vulnerabilities/CVE-2019-11324/44703", + "cve": "CVE-2018-20060", + "id": "pyup.io-44705", + "more_info_path": "/vulnerabilities/CVE-2018-20060/44705", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { - "advisory": "Nidaqmx 0.5.8 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", - "cve": "CVE-2019-11236", - "id": "pyup.io-44704", - "more_info_path": "/vulnerabilities/CVE-2019-11236/44704", + "advisory": "Nidaqmx 0.5.8 updates its dependency 'jinja2' to v2.11.2 to include security fixes.", + "cve": "CVE-2019-10906", + "id": "pyup.io-44662", + "more_info_path": "/vulnerabilities/CVE-2019-10906/44662", "specs": [ "<0.5.8" ], 
@@ -92199,19 +92881,19 @@ }, { "advisory": "Nidaqmx 0.5.8 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", - "cve": "CVE-2018-20060", - "id": "pyup.io-44705", - "more_info_path": "/vulnerabilities/CVE-2018-20060/44705", + "cve": "CVE-2020-26137", + "id": "pyup.io-44702", + "more_info_path": "/vulnerabilities/CVE-2020-26137/44702", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { - "advisory": "Nidaqmx 0.5.8 updates its dependency 'jinja2' to v2.11.2 to include security fixes.", - "cve": "CVE-2019-10906", - "id": "pyup.io-44662", - "more_info_path": "/vulnerabilities/CVE-2019-10906/44662", + "advisory": "Nidaqmx 0.5.8 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", + "cve": "CVE-2019-11236", + "id": "pyup.io-44704", + "more_info_path": "/vulnerabilities/CVE-2019-11236/44704", "specs": [ "<0.5.8" ], 
@@ -92528,34 +93210,34 @@ "v": "<3.6.5" }, { - "advisory": "Nltk 3.8.1 includes a security fix: A reflected XSS can be achieved by creating a URL, which leads to browser hijacking and sensitive information loss.", - "cve": "PVE-2023-99957", - "id": "pyup.io-60896", - "more_info_path": "/vulnerabilities/PVE-2023-99957/60896", + "advisory": "Before version 3.8.1 of nltk, if a user opens a malicious link while the wordnet browser is active, it can result in code execution on their system. Influence from a third party to visit a link can possibly lead to remote code execution (RCE).", + "cve": "PVE-2023-99956", + "id": "pyup.io-60897", + "more_info_path": "/vulnerabilities/PVE-2023-99956/60897", "specs": [ "<3.8.1" ], "v": "<3.8.1" }, { - "advisory": "Before version 3.8.1 of nltk, if a user opens a malicious link while the wordnet browser is active, it can result in code execution on their system. Influence from a third party to visit a link can possibly lead to remote code execution (RCE).", - "cve": "PVE-2023-99956", - "id": "pyup.io-60897", - "more_info_path": "/vulnerabilities/PVE-2023-99956/60897", + "advisory": "Nltk 3.8.1 includes a security fix: A reflected XSS can be achieved by creating a URL, which leads to browser hijacking and sensitive information loss.", + "cve": "PVE-2023-99957", + "id": "pyup.io-60896", + "more_info_path": "/vulnerabilities/PVE-2023-99957/60896", "specs": [ "<3.8.1" ], "v": "<3.8.1" }, { - "advisory": "NLTK affected versions allow remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.", + "advisory": "Affected versions of NLTK are vulnerable to Remote Code Execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. 
This affects, for example, averaged_perceptron_tagger and punkt.", "cve": "CVE-2024-39705", "id": "pyup.io-72089", "more_info_path": "/vulnerabilities/CVE-2024-39705/72089", "specs": [ - ">=0" + "<3.9" ], - "v": ">=0" + "v": "<3.9" }, { "advisory": "NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.", @@ -93468,6 +94150,16 @@ ], "v": ">=0,<6.4.12" }, + { + "advisory": "CVE-2024-22420 describes a vulnerability in Jupyter Notebook, where user interaction with a malicious notebook or Markdown file enables an attacker to access and act with the same permissions as the user. The flaw lies in the table of contents plugin. Jupyter Notebook v7.0.7 includes a patch for this issue. Users can manually disable the plugin as a workaround. \r\nhttps://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4", + "cve": "CVE-2024-22420", + "id": "pyup.io-65183", + "more_info_path": "/vulnerabilities/CVE-2024-22420/65183", + "specs": [ + ">=7.0.0,<=7.0.6" + ], + "v": ">=7.0.0,<=7.0.6" + }, { "advisory": "CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include notebook above 7.0.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. \r\nhttps://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947", "cve": "CVE-2024-22421", 
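Review bot: The CVE-2024-39705 entry now carries the narrowed spec `<3.9`, but the advisory text still opens with "Affected versions of NLTK" and names no fixed release, so a reader cannot check the spec against the prose the way the neighbouring 3.8.1 entries allow; naming the boundary the spec encodes, e.g. `Affected versions of NLTK (before 3.9) are vulnerable to Remote Code Execution if untrusted packages have pickled Python code, ...`, would close that gap. Separately, the new string appears to break between `is used. ` and `This affects` — if that line break is really in the file rather than an artifact of this view, it is an unescaped control character inside a JSON string and a strict RFC 8259 parser will reject the whole document, whereas the other entries use `\r\n` for that purpose. This hunk begins on the previous line.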
@@ -93479,14 +94171,14 @@ "v": ">=7.0.0,<=7.0.6" }, { - "advisory": "CVE-2024-22420 describes a vulnerability in Jupyter Notebook, where user interaction with a malicious notebook or Markdown file enables an attacker to access and act with the same permissions as the user. The flaw lies in the table of contents plugin. Jupyter Notebook v7.0.7 includes a patch for this issue. Users can manually disable the plugin as a workaround. \r\nhttps://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4", - "cve": "CVE-2024-22420", - "id": "pyup.io-65183", - "more_info_path": "/vulnerabilities/CVE-2024-22420/65183", + "advisory": "Jupyter Notebook is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab.", + "cve": "CVE-2024-43805", + "id": "pyup.io-72963", + "more_info_path": "/vulnerabilities/CVE-2024-43805/72963", "specs": [ - ">=7.0.0,<=7.0.6" + ">=7.0.0,<=7.2.1" ], - "v": ">=7.0.0,<=7.0.6" + "v": ">=7.0.0,<=7.2.1" } ], "notifications-python-client": [ 
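Review bot: The new CVE-2024-43805 entry states no fixed release in its text and, unlike the CVE-2024-22420 and CVE-2024-22421 entries beside it, carries no advisory URL, so the only statement of what is fixed is the spec `>=7.0.0,<=7.2.1`. The sibling entries name the patched version in the prose and end with the GHSA link, and this one should do the same — the first fixed release in the text and `\r\n` followed by the upstream advisory URL (not on this page). Without either, a consumer cannot tell whether the upper bound is the last affected release or merely the last release checked.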
@@ -93680,10 +94372,10 @@
 "v": ">2010,<=2014.1.5"
 },
 {
- "advisory": "OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.",
- "cve": "CVE-2015-7548",
- "id": "pyup.io-70437",
- "more_info_path": "/vulnerabilities/CVE-2015-7548/70437",
+ "advisory": "The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.",
+ "cve": "CVE-2015-8749",
+ "id": "pyup.io-70436",
+ "more_info_path": "/vulnerabilities/CVE-2015-8749/70436",
 "specs": [
 ">=12.0.0,<12.0.1",
 ">=2010,<2015.1.3"
@@ -93691,10 +94383,10 @@
 "v": ">=12.0.0,<12.0.1,>=2010,<2015.1.3"
 },
 {
- "advisory": "The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.",
- "cve": "CVE-2015-8749",
- "id": "pyup.io-70436",
- "more_info_path": "/vulnerabilities/CVE-2015-8749/70436",
+ "advisory": "OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.",
+ "cve": "CVE-2015-7548",
+ "id": "pyup.io-70437",
+ "more_info_path": "/vulnerabilities/CVE-2015-7548/70437",
 "specs": [
 ">=12.0.0,<12.0.1",
 ">=2010,<2015.1.3"
@@ -94543,7 +95235,7 @@
 "v": "<1.22.0"
 },
 {
- "advisory": "Numpy 1.22.2 includes a fix for CVE-2021-41495: Null Pointer Dereference vulnerability exists in numpy.sort in NumPy in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. \r\nNOTE: While correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place.\r\nhttps://github.com/numpy/numpy/issues/19038",
+ "advisory": "Numpy 1.22.2 includes a fix for CVE-2021-41495: Null Pointer Dereference vulnerability exists in numpy.sort in NumPy in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. \r\nNOTE: While correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place.\r\nNOTE2: The specs we include in this advisory differ from the publicly available on other sources. For example, the advisory posted by the NVD indicate that versions up to and including 1.19.0 are affected. However, research by Safety CLI Cybersecurity confirms that the vulnerability remained unaddressed until version 1.22.2.",
 "cve": "CVE-2021-41495",
 "id": "pyup.io-44715",
 "more_info_path": "/vulnerabilities/CVE-2021-41495/44715",
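Review bot: The rewritten CVE-2021-41495 advisory asserts in NOTE2 that its specs diverge from NVD, yet it simultaneously drops `https://github.com/numpy/numpy/issues/19038`, the one upstream pointer a reader had for checking when the missing validation was actually addressed. Keep the issue link and place NOTE2 after it, so the claim and its evidence travel together: `...at exactly this place.\r\nhttps://github.com/numpy/numpy/issues/19038\r\nNOTE2: The specs we include in this advisory differ ...`. Two lines of `NOTE:` and `NOTE2:` labels inside one field is also unusual for this file; a single note block with the divergence stated once would read more cleanly.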
@@ -94609,20 +95301,20 @@ "v": "<2.1.1" }, { - "advisory": "Nvflare 2.1.1 fixes a bug in 'ls' command that allowed path traversal attacks.\r\nhttps://github.com/NVIDIA/NVFlare/pull/682", - "cve": "PVE-2022-49498", - "id": "pyup.io-49498", - "more_info_path": "/vulnerabilities/PVE-2022-49498/49498", + "advisory": "Nvflare 2.1.1 adds SecurityContentService for runner_process.\r\nhttps://github.com/NVIDIA/NVFlare/pull/473/files", + "cve": "PVE-2022-49496", + "id": "pyup.io-49496", + "more_info_path": "/vulnerabilities/PVE-2022-49496/49496", "specs": [ "<2.1.1" ], "v": "<2.1.1" }, { - "advisory": "Nvflare 2.1.1 adds SecurityContentService for runner_process.\r\nhttps://github.com/NVIDIA/NVFlare/pull/473/files", - "cve": "PVE-2022-49496", - "id": "pyup.io-49496", - "more_info_path": "/vulnerabilities/PVE-2022-49496/49496", + "advisory": "Nvflare 2.1.1 fixes a bug in 'ls' command that allowed path traversal attacks.\r\nhttps://github.com/NVIDIA/NVFlare/pull/682", + "cve": "PVE-2022-49498", + "id": "pyup.io-49498", + "more_info_path": "/vulnerabilities/PVE-2022-49498/49498", "specs": [ "<2.1.1" ], 
@@ -94658,6 +95350,36 @@ ], "v": "<2.4.0rc1" }, + { + "advisory": "Nvflare addresses a potential race condition in the PipeHandler component, where the self.pipe object could be set to None during execution, leading to uncontrolled crashes. This vulnerability could be exploited in affected versions to cause a denial of service or disrupt the application's stability. The update introduces safer handling of the self.pipe object, preventing NoneType errors and enhancing the system's robustness against such race conditions.", + "cve": "PVE-2024-72751", + "id": "pyup.io-72751", + "more_info_path": "/vulnerabilities/PVE-2024-72751/72751", + "specs": [ + "<2.4.2" + ], + "v": "<2.4.2" + }, + { + "advisory": "Certain versions of Nvflare are vulnerable to a race condition. The pipe handler has a thread for reading data from the pipe and checking the pipe status, but the pipe handler can be stopped at any time, setting the pipe object to None. This PR resolves the issue by ensuring the reading thread checks that the pipe object is not None before accessing its methods, making the thread operation safe.", + "cve": "PVE-2024-72482", + "id": "pyup.io-72482", + "more_info_path": "/vulnerabilities/PVE-2024-72482/72482", + "specs": [ + "<2.5.0rc2" + ], + "v": "<2.5.0rc2" + }, + { + "advisory": "Nvflare has upgraded the installation dependency, Werkzeug, to version 3.0.3 to address CVE-2024-34069.", + "cve": "CVE-2024-34069", + "id": "pyup.io-72506", + "more_info_path": "/vulnerabilities/CVE-2024-34069/72506", + "specs": [ + "<2.5.0rc2" + ], + "v": "<2.5.0rc2" + }, { "advisory": "### Impact\nNVIDIA FLARE contains a vulnerability in Admin Interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable\n\nAll versions before 2.0.16 are affected.\n\n### Patches\nThe patch will be included in nvflare==2.0.16.\n\n### Workarounds\nThe changes in commits 
https://github.com/NVIDIA/NVFlare/commit/93588b3a0dff9bd4568983071b74d8b420de3a6e and https://github.com/NVIDIA/NVFlare/commit/93588b3a0dff9bd4568983071b74d8b420de3a6e can be applied to any version of the NVIDIA FLARE without any adverse effect.\n\n### Additional information\nIssue Found on: 2022.3.3\nIssue Found by: Oliver Sellwood (@Nintorac)", "cve": "CVE-2022-21822", @@ -95318,6 +96040,16 @@ ], "v": "<0.10.4" }, + { + "advisory": "Octue 0.43.3 updates its dependency 'werkzeug' to v2.2.3 to include security fixes.", + "cve": "CVE-2023-25577", + "id": "pyup.io-53405", + "more_info_path": "/vulnerabilities/CVE-2023-25577/53405", + "specs": [ + "<0.43.3" + ], + "v": "<0.43.3" + }, { "advisory": "Octue 0.43.3 updates its dependency 'protobuf' to v3.20.3 to include a security fix.", "cve": "CVE-2022-1941", @@ -95338,16 +96070,6 @@ ], "v": "<0.43.3" }, - { - "advisory": "Octue 0.43.3 updates its dependency 'werkzeug' to v2.2.3 to include security fixes.", - "cve": "CVE-2023-25577", - "id": "pyup.io-53405", - "more_info_path": "/vulnerabilities/CVE-2023-25577/53405", - "specs": [ - "<0.43.3" - ], - "v": "<0.43.3" - }, { "advisory": "Octue 0.46.1 updates its dependency 'flask' to v2.2.5 to include a security fix.", "cve": "CVE-2023-30861", 
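Review bot: The added PVE-2024-72751 (`<2.4.2`) and PVE-2024-72482 (`<2.5.0rc2`) entries describe the same PipeHandler race — `self.pipe` being set to `None` while the reader thread is still using it — so a consumer on an affected version will be reported twice for one defect, and the two upper bounds disagree about when it was fixed. If this is one fix landed on two release lines, say so in both texts, or fold them into a single entry with two specs the way the OpenStack Nova entries elsewhere in this diff do. PVE-2024-72482 also says "This PR resolves the issue" without linking the PR; the 2.1.1 Nvflare entries in the preceding hunk end with a `\r\nhttps://github.com/NVIDIA/NVFlare/pull/...` reference and this one should carry the corresponding URL (not on this page). This hunk begins on the previous line.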
@@ -95359,20 +96081,20 @@ "v": "<0.46.1" }, { - "advisory": "Octue 0.46.2 updates its dependency 'protobuf' to version '3.20.3' to include a security fix.\r\nhttps://github.com/octue/octue-sdk-python/commit/b8dc494258381edf7d70ceac98467a89e3b0ecff", - "cve": "CVE-2022-1941", - "id": "pyup.io-59233", - "more_info_path": "/vulnerabilities/CVE-2022-1941/59233", + "advisory": "Octue 0.46.2 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/octue/octue-sdk-python/commit/b8dc494258381edf7d70ceac98467a89e3b0ecff", + "cve": "CVE-2023-32681", + "id": "pyup.io-59220", + "more_info_path": "/vulnerabilities/CVE-2023-32681/59220", "specs": [ "<0.46.2" ], "v": "<0.46.2" }, { - "advisory": "Octue 0.46.2 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/octue/octue-sdk-python/commit/b8dc494258381edf7d70ceac98467a89e3b0ecff", - "cve": "CVE-2023-32681", - "id": "pyup.io-59220", - "more_info_path": "/vulnerabilities/CVE-2023-32681/59220", + "advisory": "Octue 0.46.2 updates its dependency 'protobuf' to version '3.20.3' to include a security fix.\r\nhttps://github.com/octue/octue-sdk-python/commit/b8dc494258381edf7d70ceac98467a89e3b0ecff", + "cve": "CVE-2022-1941", + "id": "pyup.io-59233", + "more_info_path": "/vulnerabilities/CVE-2022-1941/59233", "specs": [ "<0.46.2" ], @@ -95563,6 +96285,16 @@ ], "v": "<0.15.2" }, + { + "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", + "cve": "CVE-2021-41495", + "id": "pyup.io-52212", + "more_info_path": "/vulnerabilities/CVE-2021-41495/52212", + "specs": [ + "<0.15.2" + ], + "v": "<0.15.2" + }, { "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2021-41496", 
@@ -95573,6 +96305,16 @@ ], "v": "<0.15.2" }, + { + "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", + "cve": "CVE-2021-33430", + "id": "pyup.io-52214", + "more_info_path": "/vulnerabilities/CVE-2021-33430/52214", + "specs": [ + "<0.15.2" + ], + "v": "<0.15.2" + }, { "advisory": "Omegaml 0.15.2 updates its dependency 'bleach' to v3.3.0 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2020-6816", @@ -96133,16 +96875,6 @@ ], "v": "<0.15.2" }, - { - "advisory": "Omegaml 0.15.2 updates its dependency 'protobuf' to v3.18.3 to include a security fix.", - "cve": "CVE-2022-1941", - "id": "pyup.io-51480", - "more_info_path": "/vulnerabilities/CVE-2022-1941/51480", - "specs": [ - "<0.15.2" - ], - "v": "<0.15.2" - }, { "advisory": "Omegaml 0.15.2 updates its dependency 'ipython' to v7.16.3 to include a security fix.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2022-21699", @@ -96343,16 +97075,6 @@ ], "v": "<0.15.2" }, - { - "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", - "cve": "CVE-2021-41495", - "id": "pyup.io-52212", - "more_info_path": "/vulnerabilities/CVE-2021-41495/52212", - "specs": [ - "<0.15.2" - ], - "v": "<0.15.2" - }, { "advisory": "Omegaml 0.15.2 updates its dependency 'pillow' to v9.0.1 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2021-28677", 
@@ -96533,16 +97255,6 @@ ], "v": "<0.15.2" }, - { - "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", - "cve": "CVE-2021-33430", - "id": "pyup.io-52214", - "more_info_path": "/vulnerabilities/CVE-2021-33430/52214", - "specs": [ - "<0.15.2" - ], - "v": "<0.15.2" - }, { "advisory": "Omegaml 0.15.2 updates 'tensorflow' in the docker image to v2.10.0rc3 to include several security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/248", "cve": "CVE-2022-27778", @@ -96563,6 +97275,16 @@ ], "v": "<0.15.2" }, + { + "advisory": "Omegaml 0.15.2 updates its dependency 'protobuf' to v3.18.3 to include a security fix.", + "cve": "CVE-2022-1941", + "id": "pyup.io-51480", + "more_info_path": "/vulnerabilities/CVE-2022-1941/51480", + "specs": [ + "<0.15.2" + ], + "v": "<0.15.2" + }, { "advisory": "Omegaml 0.15.4rc1 updates its Dockerfile dependency 'tensorflow' to v2.11.0rc1 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/290", "cve": "CVE-2022-0529", 
@@ -97108,20 +97830,20 @@ ], "onnxruntime": [ { - "advisory": "Onnxruntime 1.13.1 updates 'protobuf' to v3.18.3 to include a security fix.", - "cve": "CVE-2022-1941", - "id": "pyup.io-53249", - "more_info_path": "/vulnerabilities/CVE-2022-1941/53249", + "advisory": "Onnxruntime 1.13.1 updates 'onnx' to v1.12.1 to fix a vulnerability that allows reading of tensor_data outside the model directory.\r\nhttps://github.com/microsoft/onnxruntime/pull/12915", + "cve": "CVE-2022-25882", + "id": "pyup.io-53234", + "more_info_path": "/vulnerabilities/CVE-2022-25882/53234", "specs": [ "<1.13.1" ], "v": "<1.13.1" }, { - "advisory": "Onnxruntime 1.13.1 updates 'onnx' to v1.12.1 to fix a vulnerability that allows reading of tensor_data outside the model directory.\r\nhttps://github.com/microsoft/onnxruntime/pull/12915", - "cve": "CVE-2022-25882", - "id": "pyup.io-53234", - "more_info_path": "/vulnerabilities/CVE-2022-25882/53234", + "advisory": "Onnxruntime 1.13.1 updates 'protobuf' to v3.18.3 to include a security fix.", + "cve": "CVE-2022-1941", + "id": "pyup.io-53249", + "more_info_path": "/vulnerabilities/CVE-2022-1941/53249", "specs": [ "<1.13.1" ], 
@@ -97562,20 +98284,20 @@ ], "openbb": [ { - "advisory": "Openbb 2.3.0 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", - "cve": "CVE-2022-23491", - "id": "pyup.io-53327", - "more_info_path": "/vulnerabilities/CVE-2022-23491/53327", + "advisory": "Openbb 2.3.0 updates its dependency 'cryptography' to v39.0.0 to include security fixes.", + "cve": "CVE-2022-3602", + "id": "pyup.io-53329", + "more_info_path": "/vulnerabilities/CVE-2022-3602/53329", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { - "advisory": "Openbb 2.3.0 updates its dependency 'cryptography' to v39.0.0 to include security fixes.", - "cve": "CVE-2022-3602", - "id": "pyup.io-53329", - "more_info_path": "/vulnerabilities/CVE-2022-3602/53329", + "advisory": "Openbb 2.3.0 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", + "cve": "CVE-2022-23491", + "id": "pyup.io-53327", + "more_info_path": "/vulnerabilities/CVE-2022-23491/53327", "specs": [ "<2.3.0" ], @@ -97613,9 +98335,9 @@ }, { "advisory": "Openbb 2.4.0 updates its NPM dependency 'eta' to v2.0.0 to include security fixes.", - "cve": "CVE-2023-23630", - "id": "pyup.io-53366", - "more_info_path": "/vulnerabilities/CVE-2023-23630/53366", + "cve": "CVE-2022-25967", + "id": "pyup.io-53379", + "more_info_path": "/vulnerabilities/CVE-2022-25967/53379", "specs": [ "<2.4.0" ], @@ -97623,9 +98345,9 @@ }, { "advisory": "Openbb 2.4.0 updates its NPM dependency 'eta' to v2.0.0 to include security fixes.", - "cve": "CVE-2022-25967", - "id": "pyup.io-53379", - "more_info_path": "/vulnerabilities/CVE-2022-25967/53379", + "cve": "CVE-2023-23630", + "id": "pyup.io-53366", + "more_info_path": "/vulnerabilities/CVE-2023-23630/53366", "specs": [ "<2.4.0" ], 
@@ -102103,9 +102825,21 @@ "id": "pyup.io-67584", "more_info_path": "/vulnerabilities/CVE-2024-27454/67584", "specs": [ - "<=3.9.15" + "<3.9.15" ], - "v": "<=3.9.15" + "v": "<3.9.15" + } + ], + "ormagic": [ + { + "advisory": "Ormagic fixes an SQL injection vulnerability in `models.py` by updating it to use parameterized queries.", + "cve": "PVE-2024-72481", + "id": "pyup.io-72481", + "more_info_path": "/vulnerabilities/PVE-2024-72481/72481", + "specs": [ + "<0.8.1" + ], + "v": "<0.8.1" } ], "ormar": [ @@ -103103,6 +103837,16 @@ ], "v": "<1.2.2" }, + { + "advisory": "Palladium 1.2.2 updates its dependency 'numpy' to v1.17.0 to include a security fix.", + "cve": "CVE-2019-6446", + "id": "pyup.io-44628", + "more_info_path": "/vulnerabilities/CVE-2019-6446/44628", + "specs": [ + "<1.2.2" + ], + "v": "<1.2.2" + }, { "advisory": "Palladium 1.2.2 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", "cve": "CVE-2019-11236", @@ -103123,16 +103867,6 @@ ], "v": "<1.2.2" }, - { - "advisory": "Palladium 1.2.2 updates its dependency 'numpy' to v1.17.0 to include a security fix.", - "cve": "CVE-2019-6446", - "id": "pyup.io-44628", - "more_info_path": "/vulnerabilities/CVE-2019-6446/44628", - "specs": [ - "<1.2.2" - ], - "v": "<1.2.2" - }, { "advisory": "Palladium 1.2.3 updates its dependency 'urllib3' to v1.25.9 to include security fixes.", "cve": "CVE-2020-7212", 
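Review bot: The new ormagic entry's text names neither the fixed release nor a reference, so nothing in the prose corroborates the spec `<0.8.1`, whereas the entries around it ("Palladium 1.2.2 updates ...") put the fixed version in the first words. Suggest `"advisory": "Ormagic 0.8.1 fixes an SQL injection vulnerability in models.py by updating it to use parameterized queries."`, plus a `\r\n` and the upstream commit or PR URL if one exists (not on this page). The first hunk on this line also tightens CVE-2024-27454 from `<=3.9.15` to `<3.9.15`; that entry's advisory text lies outside the hunk, so it is worth confirming it does not still describe 3.9.15 as affected.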
@@ -103378,20 +104112,20 @@ "v": "<0.45.0" }, { - "advisory": "Panther-analysis-tool version 0.45.0 has upgraded its aiohttp library to version 3.9.2 from the previous 3.8.6, addressing security concerns highlighted by CVE-2023-49082.", - "cve": "CVE-2023-49082", - "id": "pyup.io-67486", - "more_info_path": "/vulnerabilities/CVE-2023-49082/67486", + "advisory": "Panther-analysis-tool version 0.45.0 has upgraded its aiohttp library to version 3.9.2 from the previous 3.8.6, addressing security concerns highlighted by CVE-2023-49081", + "cve": "CVE-2023-49081", + "id": "pyup.io-67504", + "more_info_path": "/vulnerabilities/CVE-2023-49081/67504", "specs": [ "<0.45.0" ], "v": "<0.45.0" }, { - "advisory": "Panther-analysis-tool version 0.45.0 has upgraded its aiohttp library to version 3.9.2 from the previous 3.8.6, addressing security concerns highlighted by CVE-2023-49081", - "cve": "CVE-2023-49081", - "id": "pyup.io-67504", - "more_info_path": "/vulnerabilities/CVE-2023-49081/67504", + "advisory": "Panther-analysis-tool version 0.45.0 has upgraded its aiohttp library to version 3.9.2 from the previous 3.8.6, addressing security concerns highlighted by CVE-2023-49082.", + "cve": "CVE-2023-49082", + "id": "pyup.io-67486", + "more_info_path": "/vulnerabilities/CVE-2023-49082/67486", "specs": [ "<0.45.0" ], @@ -104010,9 +104744,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-25288", - "id": "pyup.io-49513", - "more_info_path": "/vulnerabilities/CVE-2021-25288/49513", + "cve": "CVE-2021-25291", + "id": "pyup.io-49516", + "more_info_path": "/vulnerabilities/CVE-2021-25291/49516", "specs": [ "<1.0.6" ], 
@@ -104020,9 +104754,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-23437", - "id": "pyup.io-49524", - "more_info_path": "/vulnerabilities/CVE-2021-23437/49524", + "cve": "CVE-2021-27922", + "id": "pyup.io-49442", + "more_info_path": "/vulnerabilities/CVE-2021-27922/49442", "specs": [ "<1.0.6" ], @@ -104030,9 +104764,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-28677", - "id": "pyup.io-49510", - "more_info_path": "/vulnerabilities/CVE-2021-28677/49510", + "cve": "CVE-2022-22815", + "id": "pyup.io-49507", + "more_info_path": "/vulnerabilities/CVE-2022-22815/49507", "specs": [ "<1.0.6" ], @@ -104040,9 +104774,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2020-35654", - "id": "pyup.io-49521", - "more_info_path": "/vulnerabilities/CVE-2020-35654/49521", + "cve": "CVE-2020-35655", + "id": "pyup.io-49522", + "more_info_path": "/vulnerabilities/CVE-2020-35655/49522", "specs": [ "<1.0.6" ], @@ -104050,9 +104784,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2020-35653", - "id": "pyup.io-49520", - "more_info_path": "/vulnerabilities/CVE-2020-35653/49520", + "cve": "CVE-2022-22816", + "id": "pyup.io-49506", + "more_info_path": "/vulnerabilities/CVE-2022-22816/49506", "specs": [ "<1.0.6" ], @@ -104060,9 +104794,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2022-22815", - "id": "pyup.io-49507", - "more_info_path": "/vulnerabilities/CVE-2022-22815/49507", + "cve": "CVE-2021-23437", + "id": "pyup.io-49524", + "more_info_path": "/vulnerabilities/CVE-2021-23437/49524", "specs": [ "<1.0.6" ], 
@@ -104070,9 +104804,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-25289", - "id": "pyup.io-49514", - "more_info_path": "/vulnerabilities/CVE-2021-25289/49514", + "cve": "CVE-2021-25288", + "id": "pyup.io-49513", + "more_info_path": "/vulnerabilities/CVE-2021-25288/49513", "specs": [ "<1.0.6" ], @@ -104080,9 +104814,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-28678", - "id": "pyup.io-49509", - "more_info_path": "/vulnerabilities/CVE-2021-28678/49509", + "cve": "CVE-2021-28677", + "id": "pyup.io-49510", + "more_info_path": "/vulnerabilities/CVE-2021-28677/49510", "specs": [ "<1.0.6" ], @@ -104090,9 +104824,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-28676", - "id": "pyup.io-49511", - "more_info_path": "/vulnerabilities/CVE-2021-28676/49511", + "cve": "CVE-2020-35654", + "id": "pyup.io-49521", + "more_info_path": "/vulnerabilities/CVE-2020-35654/49521", "specs": [ "<1.0.6" ], @@ -104100,9 +104834,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-27922", - "id": "pyup.io-49442", - "more_info_path": "/vulnerabilities/CVE-2021-27922/49442", + "cve": "CVE-2020-35653", + "id": "pyup.io-49520", + "more_info_path": "/vulnerabilities/CVE-2020-35653/49520", "specs": [ "<1.0.6" ], @@ -104110,9 +104844,9 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-25291", - "id": "pyup.io-49516", - "more_info_path": "/vulnerabilities/CVE-2021-25291/49516", + "cve": "CVE-2021-25289", + "id": "pyup.io-49514", + "more_info_path": "/vulnerabilities/CVE-2021-25289/49514", "specs": [ "<1.0.6" ], 
@@ -104120,19 +104854,29 @@ }, { "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2021-27921", - "id": "pyup.io-49519", - "more_info_path": "/vulnerabilities/CVE-2021-27921/49519", + "cve": "CVE-2021-28678", + "id": "pyup.io-49509", + "more_info_path": "/vulnerabilities/CVE-2021-28678/49509", "specs": [ "<1.0.6" ], "v": "<1.0.6" }, { - "advisory": "Pdfcropmargins 1.0.6 pins its dependency 'PyPDF2' to versions \">=1.27.5\" to include a security fix.", - "cve": "CVE-2022-24859", - "id": "pyup.io-49526", - "more_info_path": "/vulnerabilities/CVE-2022-24859/49526", + "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", + "cve": "CVE-2021-28676", + "id": "pyup.io-49511", + "more_info_path": "/vulnerabilities/CVE-2021-28676/49511", + "specs": [ + "<1.0.6" + ], + "v": "<1.0.6" + }, + { + "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", + "cve": "CVE-2021-27921", + "id": "pyup.io-49519", + "more_info_path": "/vulnerabilities/CVE-2021-27921/49519", "specs": [ "<1.0.6" ], @@ -104149,10 +104893,10 @@ "v": "<1.0.6" }, { - "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-49506", - "more_info_path": "/vulnerabilities/CVE-2022-22816/49506", + "advisory": "Pdfcropmargins 1.0.6 pins its dependency 'PyPDF2' to versions \">=1.27.5\" to include a security fix.", + "cve": "CVE-2022-24859", + "id": "pyup.io-49526", + "more_info_path": "/vulnerabilities/CVE-2022-24859/49526", "specs": [ "<1.0.6" ], 
@@ -104178,16 +104922,6 @@
 ],
 "v": "<1.0.6"
 },
- {
- "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.",
- "cve": "CVE-2020-35655",
- "id": "pyup.io-49522",
- "more_info_path": "/vulnerabilities/CVE-2020-35655/49522",
- "specs": [
- "<1.0.6"
- ],
- "v": "<1.0.6"
- },
 {
 "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.",
 "cve": "CVE-2021-27923",
@@ -104210,9 +104944,9 @@
 },
 {
 "advisory": "Pdfcropmargins 1.1.1 updates its dependency 'pillow' requirement to \">=9.3.0\" to include security fixes.",
- "cve": "CVE-2022-45198",
- "id": "pyup.io-52359",
- "more_info_path": "/vulnerabilities/CVE-2022-45198/52359",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-52361",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/52361",
 "specs": [
 "<1.1.1"
 ],
@@ -104220,9 +104954,9 @@
 },
 {
 "advisory": "Pdfcropmargins 1.1.1 updates its dependency 'pillow' requirement to \">=9.3.0\" to include security fixes.",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-52361",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/52361",
+ "cve": "CVE-2022-45198",
+ "id": "pyup.io-52359",
+ "more_info_path": "/vulnerabilities/CVE-2022-45198/52359",
 "specs": [
 "<1.1.1"
 ],
@@ -104400,9 +105134,9 @@
 "peltak": [
 {
 "advisory": "Peltak 0.28.0 updates its dependency 'pygments' requirement to \">=2.7.4\" to include security fixes.",
- "cve": "CVE-2021-27291",
- "id": "pyup.io-51468",
- "more_info_path": "/vulnerabilities/CVE-2021-27291/51468",
+ "cve": "CVE-2021-20270",
+ "id": "pyup.io-51478",
+ "more_info_path": "/vulnerabilities/CVE-2021-20270/51478",
 "specs": [
 "<0.28.0"
 ],
@@ -104410,9 +105144,9 @@
 },
 {
 "advisory": "Peltak 0.28.0 updates its dependency 'pygments' requirement to \">=2.7.4\" to include security fixes.",
- "cve": "CVE-2021-20270",
- "id": "pyup.io-51478",
- "more_info_path": "/vulnerabilities/CVE-2021-20270/51478",
+ "cve": "CVE-2021-27291",
+ "id": "pyup.io-51468",
+ "more_info_path": "/vulnerabilities/CVE-2021-27291/51468",
 "specs": [
 "<0.28.0"
 ],
@@ -105360,16 +106094,6 @@
 ],
 "v": "<10.0.0"
 },
- {
- "advisory": "Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function.\r\nhttps://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html",
- "cve": "PVE-2024-64437",
- "id": "pyup.io-64437",
- "more_info_path": "/vulnerabilities/PVE-2024-64437/64437",
- "specs": [
- "<10.2.0"
- ],
- "v": "<10.2.0"
- },
 {
 "advisory": "Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code.\r\nhttps://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html",
 "cve": "CVE-2023-50447",
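Review bot: The second hunk deletes the only visible Pillow entry for the ImageFont.getmask() DoS (PVE-2024-64437, range "<10.2.0") and nothing in this chunk adds it back, so a consumer matching pillow <10.2.0 loses that finding unless the issue was re-keyed under another identifier elsewhere in the file. If the removal is a deliberate merge into another 10.2.0 entry the commit message should say so, because in this diff a retired id and a lost id look identical. The preceding peltak hunk is a plain swap of two ids and needs nothing.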
@@ -105411,7 +106135,7 @@
 "v": "<2.3.1"
 },
 {
- "advisory": "Pillow versions 2.3.2 and 2.5.2 include a fix for CVE-2014-3589: PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.\r\nhttps://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d",
+ "advisory": "Pillow versions affected versions include a fix for CVE-2014-3589: PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow affected versions allow remote attackers to cause a denial of service via a crafted block size.\r\nhttps://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d",
 "cve": "CVE-2014-3589",
 "id": "pyup.io-25932",
 "more_info_path": "/vulnerabilities/CVE-2014-3589/25932",
@@ -105851,16 +106575,6 @@
 ],
 "v": "<9.0.1"
 },
- {
- "advisory": "Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.",
- "cve": "CVE-2022-30595",
- "id": "pyup.io-67137",
- "more_info_path": "/vulnerabilities/CVE-2022-30595/67137",
- "specs": [
- "<9.1.1"
- ],
- "v": "<9.1.1"
- },
 {
 "advisory": "Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).",
 "cve": "CVE-2022-45198",
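Review bot: The rewritten CVE-2014-3589 advisory now reads `Pillow versions affected versions include a fix for CVE-2014-3589` and `Pillow affected versions allow remote attackers`, which looks like a template substitution that ran over text that already had versions in it; the result is ungrammatical and drops the concrete fixed releases (2.3.2 and 2.5.2) that the old wording carried. The `specs`/`v` fields for this entry are outside the hunk, so the prose is the only place a reader of this diff sees the affected range. Suggested text: `Pillow 2.3.2 and 2.5.2 include a fix for CVE-2014-3589: PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.` followed by the unchanged commit link.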
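Review bot: The second hunk removes Pillow's CVE-2022-30595 entry (TgaRleDecode.c heap buffer overflow, id 67137) outright and nothing in this chunk re-adds it. The old range `<9.1.1` was wider than the entry's own text, which names only 9.1.0 as affected, so replacing it with a `>=9.1.0,<9.1.1` entry would be a reasonable correction — but if such a replacement exists it is not visible here, and the deletion alone drops a memory-corruption finding from the pillow entry. Please confirm the id was replaced rather than lost.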
@@ -106015,6 +106729,16 @@
 }
 ],
 "pillow-simd": [
+ {
+ "advisory": "Pillow-simd is affected by an arbitrary code execution vulnerability. If an attacker controls the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code.",
+ "cve": "CVE-2023-50447",
+ "id": "pyup.io-72955",
+ "more_info_path": "/vulnerabilities/CVE-2023-50447/72955",
+ "specs": [
+ "<10.2.0"
+ ],
+ "v": "<10.2.0"
+ },
 {
 "advisory": "Pillow-simd 2.3.1 includes a fix for CVE-2014-1932: The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.",
 "cve": "CVE-2014-1932",
@@ -106035,6 +106759,17 @@
 ],
 "v": "<2.3.1"
 },
+ {
+ "advisory": "pillow-simd affected versions are vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.",
+ "cve": "CVE-2014-3589",
+ "id": "pyup.io-39576",
+ "more_info_path": "/vulnerabilities/CVE-2014-3589/39576",
+ "specs": [
+ "<2.3.2",
+ ">=2.5.0,<2.5.2"
+ ],
+ "v": "<2.3.2,>=2.5.0,<2.5.2"
+ },
 {
 "advisory": "Pillow-simd 2.5.0 includes changes to prevent shell injection. This is related to CVE-2014-1932.\r\nhttps://github.com/uploadcare/pillow-simd/commit/cd7b45994b1b1a016a29401d7ab3faf9b7c7d054",
 "cve": "PVE-2021-43447",
@@ -106045,6 +106780,16 @@
 ],
 "v": "<2.5.0"
 },
+ {
+ "advisory": "Pillow-simd includes a fix that prevents shell injection.",
+ "cve": "CVE-2014-3007",
+ "id": "pyup.io-72856",
+ "more_info_path": "/vulnerabilities/CVE-2014-3007/72856",
+ "specs": [
+ "<2.5.0"
+ ],
+ "v": "<2.5.0"
+ },
 {
 "advisory": "Pillow-simd before 2.5.3 is vulnerable to CVE-2014-3598.",
 "cve": "CVE-2014-3598",
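Review bot: The new CVE-2014-3007 entry in the third hunk (`"advisory": "Pillow-simd includes a fix that prevents shell injection."`) has the same `<2.5.0` range and, as far as its one-line text goes, the same subject as the existing PVE-2021-43447 entry directly above it, which also describes the 2.5.0 shell-injection fix; if they are the same issue a scanner will now report one fix twice under two ids with no link between them. Either retire the PVE id in favour of the CVE, or make the new text carry the fixed version and the cross-reference, e.g. `Pillow-simd 2.5.0 includes a fix for CVE-2014-3007 (shell injection; see PVE-2021-43447).` The tightened CVE-2014-3589 range in the second hunk (`<2.3.2` plus `>=2.5.0,<2.5.2`, replacing the `<2.6.0rc1` entry deleted in the next hunk) matches the fixed releases named in Pillow's own advisory for that CVE and looks right.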
@@ -106055,16 +106800,6 @@
 ],
 "v": "<2.5.3"
 },
- {
- "advisory": "pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.",
- "cve": "CVE-2014-3589",
- "id": "pyup.io-39576",
- "more_info_path": "/vulnerabilities/CVE-2014-3589/39576",
- "specs": [
- "<2.6.0rc1"
- ],
- "v": "<2.6.0rc1"
- },
 {
 "advisory": "pillow-simd before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).",
 "cve": "CVE-2014-9601",
@@ -106076,30 +106811,30 @@
 "v": "<2.6.2"
 },
 {
- "advisory": "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.",
- "cve": "CVE-2016-0740",
- "id": "pyup.io-42331",
- "more_info_path": "/vulnerabilities/CVE-2016-0740/42331",
+ "advisory": "pillow-simd before 3.1.1 is vulnerable to multiple buffer overlows in Resample.c, PcdDecode.c, FliDecode.c and TiffDecode.c.",
+ "cve": "PVE-2021-25953",
+ "id": "pyup.io-25953",
+ "more_info_path": "/vulnerabilities/PVE-2021-25953/25953",
 "specs": [
 "<3.1.1"
 ],
 "v": "<3.1.1"
 },
 {
- "advisory": "pillow-simd before 3.1.1 is vulnerable to multiple buffer overlows in Resample.c, PcdDecode.c, FliDecode.c and TiffDecode.c.",
- "cve": "PVE-2021-25953",
- "id": "pyup.io-25953",
- "more_info_path": "/vulnerabilities/PVE-2021-25953/25953",
+ "advisory": "Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow-simd affected versions allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.",
+ "cve": "CVE-2016-4009",
+ "id": "pyup.io-72855",
+ "more_info_path": "/vulnerabilities/CVE-2016-4009/72855",
 "specs": [
 "<3.1.1"
 ],
 "v": "<3.1.1"
 },
 {
- "advisory": "Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.",
- "cve": "CVE-2016-2533",
- "id": "pyup.io-42329",
- "more_info_path": "/vulnerabilities/CVE-2016-2533/42329",
+ "advisory": "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.",
+ "cve": "CVE-2016-0740",
+ "id": "pyup.io-42331",
+ "more_info_path": "/vulnerabilities/CVE-2016-0740/42331",
 "specs": [
 "<3.1.1"
 ],
@@ -106115,6 +106850,16 @@
 ],
 "v": "<3.1.1"
 },
+ {
+ "advisory": "Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.",
+ "cve": "CVE-2016-2533",
+ "id": "pyup.io-42329",
+ "more_info_path": "/vulnerabilities/CVE-2016-2533/42329",
+ "specs": [
+ "<3.1.1"
+ ],
+ "v": "<3.1.1"
+ },
 {
 "advisory": "pillow-simd before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.",
 "cve": "CVE-2016-3076",
@@ -106124,6 +106869,446 @@ "<3.1.2" ], "v": "<3.1.2" + }, + { + "advisory": "Pillow-simd affected versions allows context-dependent attackers to execute arbitrary code by using the \"crafted image file\" approach, related to an \"Insecure Sign Extension\" issue affecting the ImagingNew in Storage.c component.", + "cve": "CVE-2016-9190", + "id": "pyup.io-72853", + "more_info_path": "/vulnerabilities/CVE-2016-9190/72853", + "specs": [ + "<3.3.2" + ], + "v": "<3.3.2" + }, + { + "advisory": "Pillow-simd affected versions allow context-dependent attackers to obtain sensitive information by using the \"crafted image file\" approach, related to an \"Integer Overflow\" issue affecting the Image.core.map_buffer in map.c component.", + "cve": "CVE-2016-9189", + "id": "pyup.io-72854", + "more_info_path": "/vulnerabilities/CVE-2016-9189/72854", + "specs": [ + "<3.3.2" + ], + "v": "<3.3.2" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2019-16865: An issue was discovered in Pillow before 6.2.0. 
When reading specially crafted invalid image files, the library can either allocate vast amounts of memory or take an extremely long time to process the image.", + "cve": "CVE-2019-16865", + "id": "pyup.io-72850", + "more_info_path": "/vulnerabilities/CVE-2019-16865/72850", + "specs": [ + "<6.2.0" + ], + "v": "<6.2.0" + }, + { + "advisory": "libImaging/TiffDecode.c in Pillow-simd affected versions have a TIFF decoding integer overflow, related to realloc.", + "cve": "CVE-2020-5310", + "id": "pyup.io-72845", + "more_info_path": "/vulnerabilities/CVE-2020-5310/72845", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "libImaging/FliDecode.c in Pillow-simd affected versions have an FLI buffer overflow.", + "cve": "CVE-2020-5313", + "id": "pyup.io-72846", + "more_info_path": "/vulnerabilities/CVE-2020-5313/72846", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "There is a DoS vulnerability in Pillow-simd affected versions caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. 
However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.", + "cve": "CVE-2019-19911", + "id": "pyup.io-72847", + "more_info_path": "/vulnerabilities/CVE-2019-19911/72847", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "libImaging/SgiRleDecode.c in Pillow-simd affected versions have an SGI buffer overflow.", + "cve": "CVE-2020-5311", + "id": "pyup.io-72848", + "more_info_path": "/vulnerabilities/CVE-2020-5311/72848", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "libImaging/PcxDecode.c in Pillow-simd affected versions have a PCX P mode buffer overflow.", + "cve": "CVE-2020-5312", + "id": "pyup.io-72849", + "more_info_path": "/vulnerabilities/CVE-2020-5312/72849", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "In libImaging/Jpeg2KDecode.c in Pillow-simd affected versions, there are multiple out-of-bounds reads via a crafted JP2 file.", + "cve": "CVE-2020-10994", + "id": "pyup.io-72840", + "more_info_path": "/vulnerabilities/CVE-2020-10994/72840", + "specs": [ + "<7.1.0" + ], + "v": "<7.1.0" + }, + { + "advisory": "In Pillow-simd affected versions, there are two Buffer Overflows in libImaging/TiffDecode.c.", + "cve": "CVE-2020-10379", + "id": "pyup.io-72841", + "more_info_path": "/vulnerabilities/CVE-2020-10379/72841", + "specs": [ + "<7.1.0" + ], + "v": "<7.1.0" + }, + { + "advisory": "Pillow-simd affected versions have multiple out-of-bounds reads in libImaging/FliDecode.c.", + "cve": "CVE-2020-10177", + "id": "pyup.io-72842", + "more_info_path": "/vulnerabilities/CVE-2020-10177/72842", + "specs": [ + "<7.1.0" + ], + "v": "<7.1.0" + }, + { + "advisory": "In libImaging/PcxDecode.c in Pillow-simd affected versions, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.", + "cve": "CVE-2020-10378", + "id": "pyup.io-72843", + "more_info_path": "/vulnerabilities/CVE-2020-10378/72843", + "specs": 
[ + "<7.1.0" + ], + "v": "<7.1.0" + }, + { + "advisory": "Pillow-simd includes an updated 'FreeType' used in binary wheels to v2.10.4 to include a security fix.", + "cve": "CVE-2020-15999", + "id": "pyup.io-72839", + "more_info_path": "/vulnerabilities/CVE-2020-15999/72839", + "specs": [ + "<8.0.1" + ], + "v": "<8.0.1" + }, + { + "advisory": "Pillow-simd includes a fix for SGI Decode buffer overrun.", + "cve": "CVE-2020-35655", + "id": "pyup.io-72836", + "more_info_path": "/vulnerabilities/CVE-2020-35655/72836", + "specs": [ + "<8.1.0" + ], + "v": "<8.1.0" + }, + { + "advisory": "In Pillow-simd affected versions, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", + "cve": "CVE-2020-35653", + "id": "pyup.io-72837", + "more_info_path": "/vulnerabilities/CVE-2020-35653/72837", + "specs": [ + "<8.1.0" + ], + "v": "<8.1.0" + }, + { + "advisory": "Pillow-simd includes a fix for TIFF OOB Write error.", + "cve": "CVE-2020-35654", + "id": "pyup.io-72838", + "more_info_path": "/vulnerabilities/CVE-2020-35654/72838", + "specs": [ + "<8.1.0" + ], + "v": "<8.1.0" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27921", + "id": "pyup.io-72834", + "more_info_path": "/vulnerabilities/CVE-2021-27921/72834", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be huge.", + "cve": "CVE-2021-27922", + "id": "pyup.io-72835", + 
"more_info_path": "/vulnerabilities/CVE-2021-27922/72835", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Affected versions of Pillow-simd, a highly optimized version of the Pillow library for x86 architecture (primarily Intel and AMD CPUs), are vulnerable to CVE-2021-25291. This vulnerability, found in `TiffDecode.c`, allows an out-of-bounds read in `TiffreadRGBATile` when processing invalid tile boundaries, potentially leading to memory corruption or crashes.", + "cve": "CVE-2021-25291", + "id": "pyup.io-72603", + "more_info_path": "/vulnerabilities/CVE-2021-25291/72603", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Affected versions of Pillow-simd, a highly optimized version of the Pillow library for x86 architecture (primarily Intel and AMD CPUs), are vulnerable to CVE-2021-25290. This issue, identified in `TiffDecode.c`, involves a negative-offset `memcpy` operation with an invalid size, resulting in memory corruption and potential security risks.", + "cve": "CVE-2021-25290", + "id": "pyup.io-72604", + "more_info_path": "/vulnerabilities/CVE-2021-25290/72604", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Affected versions of Pillow-simd, a highly optimized version of the Pillow library for x86 architecture (primarily Intel and AMD CPUs), are vulnerable to CVE-2021-25293. This vulnerability in `SGIRleDecode.c` allows an out-of-bounds read, potentially leading to memory corruption or application crashes when processing specific input.", + "cve": "CVE-2021-25293", + "id": "pyup.io-72605", + "more_info_path": "/vulnerabilities/CVE-2021-25293/72605", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Affected versions of Pillow-simd, a highly optimized version of the Pillow library for x86 architecture (primarily Intel and AMD CPUs), are vulnerable to CVE-2021-25289. 
This issue, found in `TiffDecode`, involves a heap-based buffer overflow when decoding crafted YCbCr files due to certain interpretation conflicts with LibTIFF in RGBA mode. Notably, this vulnerability exists because of an incomplete fix for CVE-2020-35654.", + "cve": "CVE-2021-25289", + "id": "pyup.io-72606", + "more_info_path": "/vulnerabilities/CVE-2021-25289/72606", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Affected versions of Pillow-simd, a highly optimized version of the Pillow library for x86 architecture (mainly Intel and AMD CPUs), are vulnerable to CVE-2021-25292. Due to catastrophic backtracking in a regular expression, this issue allows a Regular Expression Denial of Service (ReDoS) attack through the PDF parser when processing a crafted PDF file.", + "cve": "CVE-2021-25292", + "id": "pyup.io-72571", + "more_info_path": "/vulnerabilities/CVE-2021-25292/72571", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.", + "cve": "CVE-2021-28677", + "id": "pyup.io-72833", + "more_info_path": "/vulnerabilities/CVE-2021-28677/72833", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. 
This could lead to a DoS where the decoder could be run many times on empty data.", + "cve": "CVE-2021-28678", + "id": "pyup.io-72826", + "more_info_path": "/vulnerabilities/CVE-2021-28678/72826", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.\r\nhttps://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode", + "cve": "CVE-2021-25287", + "id": "pyup.io-72832", + "more_info_path": "/vulnerabilities/CVE-2021-25287/72832", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "Pillow-simd includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.", + "cve": "CVE-2021-25288", + "id": "pyup.io-72831", + "more_info_path": "/vulnerabilities/CVE-2021-25288/72831", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "Affected versions of Pillow-simd are vulnerable to a buffer overflow in `Convert.c` (CVE-2021-34552). An attacker could exploit this vulnerability by passing controlled parameters directly into the `convert` function, leading to potential memory corruption and arbitrary code execution.", + "cve": "CVE-2021-34552", + "id": "pyup.io-72570", + "more_info_path": "/vulnerabilities/CVE-2021-34552/72570", + "specs": [ + "<8.3.0" + ], + "v": "<8.3.0" + }, + { + "advisory": "Pillow-simd fixed versions exclude carriage return in PDF regex to help prevent ReDoS.", + "cve": "PVE-2021-44525", + "id": "pyup.io-72862", + "more_info_path": "/vulnerabilities/PVE-2021-44525/72862", + "specs": [ + "<9.0.0" + ], + "v": "<9.0.0" + }, + { + "advisory": "Affected versions of Pillow-simd are vulnerable to a buffer over-read in the `path_getbbox` function within `path.c`. 
This issue occurs during the initialization of `ImagePath.Path`, potentially leading to unexpected behavior or crashes when handling specific image path data.", + "cve": "CVE-2022-22816", + "id": "pyup.io-72569", + "more_info_path": "/vulnerabilities/CVE-2022-22816/72569", + "specs": [ + "<9.0.0" + ], + "v": "<9.0.0" + }, + { + "advisory": "Affected versions of Pillow-simd are vulnerable due to improper initialization of `ImagePath.Path` in the `path_getbbox` function within `path.c`. This flaw can lead to unpredictable behaviour or potential security risks when processing image paths.", + "cve": "CVE-2022-22815", + "id": "pyup.io-72601", + "more_info_path": "/vulnerabilities/CVE-2022-22815/72601", + "specs": [ + "<9.0.0" + ], + "v": "<9.0.0" + }, + { + "advisory": "Pillow-simd affected versions ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks.", + "cve": "PVE-2022-44524", + "id": "pyup.io-72861", + "more_info_path": "/vulnerabilities/PVE-2022-44524/72861", + "specs": [ + "<9.0.0" + ], + "v": "<9.0.0" + }, + { + "advisory": "Affected versions of Pillow-simd are vulnerable due to improper handling in the `PIL.ImageMath.eval` function, which allows the evaluation of arbitrary expressions, including those that utilize the Python `exec` method. 
An attacker could exploit this by executing arbitrary code by using a lambda expression or other malicious input.", + "cve": "CVE-2022-22817", + "id": "pyup.io-72602", + "more_info_path": "/vulnerabilities/CVE-2022-22817/72602", + "specs": [ + "<9.0.1" + ], + "v": "<9.0.1" + }, + { + "advisory": "Pillow affected versions performs Improper Handling of Highly Compressed GIF Data (Data Amplification).", + "cve": "CVE-2022-45198", + "id": "pyup.io-72825", + "more_info_path": "/vulnerabilities/CVE-2022-45198/72825", + "specs": [ + "<9.2.0" + ], + "v": "<9.2.0" + }, + { + "advisory": "In libImaging/SgiRleDecode.c in Pillow-simd affected versions, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.", + "cve": "CVE-2020-11538", + "id": "pyup.io-72844", + "more_info_path": "/vulnerabilities/CVE-2020-11538/72844", + "specs": [ + "<=7.0.0" + ], + "v": "<=7.0.0" + }, + { + "advisory": "Pillow-simd affected versions are vulnerable to a denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.\r\n#Note: This CVE originates in the original package, Pillow, from which Pillow-simd is forked. However, this CVE is fixed in Pillow, but there is still no fix in Pillow-simd.", + "cve": "CVE-2023-44271", + "id": "pyup.io-72858", + "more_info_path": "/vulnerabilities/CVE-2023-44271/72858", + "specs": [ + ">=0" + ], + "v": ">=0" + }, + { + "advisory": "In _imagingcms.c in Pillow-simd affected versions, a buffer overflow exists because strcpy is used instead of strncpy.\r\n#Note: This CVE originates in the original package, Pillow, from which Pillow-simd is forked. 
However, this CVE is fixed in Pillow, but there is still no fix in Pillow-simd.", + "cve": "CVE-2024-28219", + "id": "pyup.io-72857", + "more_info_path": "/vulnerabilities/CVE-2024-28219/72857", + "specs": [ + ">=0" + ], + "v": ">=0" + }, + { + "advisory": "Certain versions of Pillow-simd are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels.", + "cve": "PVE-2024-69615", + "id": "pyup.io-72954", + "more_info_path": "/vulnerabilities/PVE-2024-69615/72954", + "specs": [ + ">=0,<8.1.2" + ], + "v": ">=0,<8.1.2" + }, + { + "advisory": "An issue was discovered in Pillow-simd affected versions. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. 
This could lead to a DoS on Image.open before Image.load.", + "cve": "CVE-2021-28675", + "id": "pyup.io-72859", + "more_info_path": "/vulnerabilities/CVE-2021-28675/72859", + "specs": [ + ">=0,<8.2.0" + ], + "v": ">=0,<8.2.0" + }, + { + "advisory": "Pillow-simd updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability.", + "cve": "CVE-2023-4863", + "id": "pyup.io-72953", + "more_info_path": "/vulnerabilities/CVE-2023-4863/72953", + "specs": [ + ">=2.5.0,<10.0.1" + ], + "v": ">=2.5.0,<10.0.1" + }, + { + "advisory": "Pillow-simd affected versions allow attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be huge.", + "cve": "CVE-2021-27923", + "id": "pyup.io-72852", + "more_info_path": "/vulnerabilities/CVE-2021-27923/72852", + "specs": [ + ">=4.3.0,<8.1.1" + ], + "v": ">=4.3.0,<8.1.1" + }, + { + "advisory": "Pillow-simd affected versions are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.", + "cve": "CVE-2021-23437", + "id": "pyup.io-72851", + "more_info_path": "/vulnerabilities/CVE-2021-23437/72851", + "specs": [ + ">=5.2.0,<8.3.2" + ], + "v": ">=5.2.0,<8.3.2" + }, + { + "advisory": "Pillow-simd includes a security fix: Pillow will now decode the data in its natural CMYK mode, then convert it to RGB and rearrange the channels afterwards. 
Trying to load the data in an incorrect mode could result in a segmentation fault.", + "cve": "PVE-2023-55182", + "id": "pyup.io-72860", + "more_info_path": "/vulnerabilities/PVE-2023-55182/72860", + "specs": [ + ">=9.1.0,<9.3.0" + ], + "v": ">=9.1.0,<9.3.0" + }, + { + "advisory": "Pillow-simd affected versions allows denial of service via SAMPLESPERPIXEL.\r\nhttps://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html#limit-samplesperpixel-to-avoid-runtime-dos", + "cve": "CVE-2022-45199", + "id": "pyup.io-72824", + "more_info_path": "/vulnerabilities/CVE-2022-45199/72824", + "specs": [ + ">=9.2.0,<9.3.0" + ], + "v": ">=9.2.0,<9.3.0" } ], "pillwo": [ @@ -106289,6 +107474,16 @@ ], "v": "<19.2" }, + { + "advisory": "An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1.\r\nNOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.", + "cve": "CVE-2018-20225", + "id": "pyup.io-67599", + "more_info_path": "/vulnerabilities/CVE-2018-20225/67599", + "specs": [ + "<21.1" + ], + "v": "<21.1" + }, { "advisory": "Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues.", "cve": "CVE-2021-28363", 
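Review bot: The new PVE-2024-69615 entry (BLP container memory-consumption DoS, range `>=0,<8.1.2`) describes the same flaw as the new CVE-2021-27921 entry earlier in this hunk, whose range is `<8.1.1`; the PVE text itself sends the reader to CVE-2021-27921. Two ids with two different upper bounds for one issue means one of them is wrong, and a consumer on 8.1.1 gets a contradictory answer, so either confirm which release actually carried the Pillow-simd fix and keep one entry, or cross-link them explicitly in `advisory`. Two wording slips in the same hunk: the CVE-2022-45198 entry says `Pillow affected versions performs …` where every sibling says Pillow-simd, and the PVE-2022-44524 text `Pillow-simd affected versions ensures JpegImagePlugin stops at the end of a truncated file` attributes the fix to the affected versions rather than the fixed ones. The unbounded `>=0` ranges on CVE-2023-44271 and CVE-2024-28219, paired with the "no fix in Pillow-simd" note, are the right way to model an unfixed fork and should stay. This hunk begins several lines earlier than the pip addition that shares this line.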
@@ -106309,16 +107504,6 @@
 ],
 "v": "<21.1"
 },
- {
- "advisory": "An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1.\r\nNOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
- "cve": "CVE-2018-20225",
- "id": "pyup.io-67599",
- "more_info_path": "/vulnerabilities/CVE-2018-20225/67599",
- "specs": [
- "<21.1"
- ],
- "v": "<21.1"
- },
 {
 "advisory": "Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie \"pip install hg+...\") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the \"hg clone\" call (ie \"--config\"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.",
 "cve": "CVE-2023-5752",
@@ -106885,10 +108070,10 @@
 "v": "<4.2.3,>=4.3a1,<4.3b1"
 },
 {
- "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5498: queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.",
- "cve": "CVE-2012-5498",
- "id": "pyup.io-35390",
- "more_info_path": "/vulnerabilities/CVE-2012-5498/35390",
+ "advisory": "Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to \"{u,}translate.\"",
+ "cve": "CVE-2012-5494",
+ "id": "pyup.io-35387",
+ "more_info_path": "/vulnerabilities/CVE-2012-5494/35387",
 "specs": [
 "<4.2.3",
 ">=4.3a1,<4.3b1"
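Review bot: The replacement CVE-2012-5494 entry uses the bare NVD sentence (`Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 …`) while the surrounding Plone entries, including the CVE-2012-5499 one added in the next hunk, open with `Plone 4.2.3 and 4.3b1 include a fix for CVE-…:`; the CVE-2012-5503 addition in the next hunk and the CVE-2012-5493 addition two hunks on have the same inconsistency. `specs` remains the machine-readable range, so this is presentation only, but the consistent prefix is what tells a human reader which release to move to. Suggested opening for this one: `Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5494: Cross-site scripting (XSS) vulnerability in python_scripts.py …`, with the rest of the sentence unchanged.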
@@ -106896,10 +108081,32 @@
 "v": "<4.2.3,>=4.3a1,<4.3b1"
 },
 {
- "advisory": "The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope.",
- "cve": "CVE-2012-5508",
- "id": "pyup.io-35398",
- "more_info_path": "/vulnerabilities/CVE-2012-5508/35398",
+ "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5499: python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.",
+ "cve": "CVE-2012-5499",
+ "id": "pyup.io-35391",
+ "more_info_path": "/vulnerabilities/CVE-2012-5499/35391",
+ "specs": [
+ "<4.2.3",
+ ">=4.3a1,<4.3b1"
+ ],
+ "v": "<4.2.3,>=4.3a1,<4.3b1"
+ },
+ {
+ "advisory": "ftp.py in Plone before 4.2.3 and 4.3b1 allows remote attackers to read hidden folder contents via unspecified vectors.",
+ "cve": "CVE-2012-5503",
+ "id": "pyup.io-25999",
+ "more_info_path": "/vulnerabilities/CVE-2012-5503/25999",
+ "specs": [
+ "<4.2.3",
+ ">=4.3a1,<4.3b1"
+ ],
+ "v": "<4.2.3,>=4.3a1,<4.3b1"
+ },
+ {
+ "advisory": "Plone versions 4.2.3 and 4.3b1 include a fix for CVE-2012-6661, a vulnerability in its dependency \"zope\".",
+ "cve": "CVE-2012-6661",
+ "id": "pyup.io-42186",
+ "more_info_path": "/vulnerabilities/CVE-2012-6661/42186",
 "specs": [
 "<4.2.3",
 ">=4.3a1,<4.3b1"
@@ -106917,6 +108124,72 @@ ], "v": "<4.2.3,>=4.3a1,<4.3b1" }, + { + "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5504: Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", + "cve": "CVE-2012-5504", + "id": "pyup.io-35395", + "more_info_path": "/vulnerabilities/CVE-2012-5504/35395", + "specs": [ + "<4.2.3", + ">=4.3a1,<4.3b1" + ], + "v": "<4.2.3,>=4.3a1,<4.3b1" + }, + { + "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5506: python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.", + "cve": "CVE-2012-5506", + "id": "pyup.io-35397", + "more_info_path": "/vulnerabilities/CVE-2012-5506/35397", + "specs": [ + "<4.2.3", + ">=4.3a1,<4.3b1" + ], + "v": "<4.2.3,>=4.3a1,<4.3b1" + }, + { + "advisory": "gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.", + "cve": "CVE-2012-5493", + "id": "pyup.io-35386", + "more_info_path": "/vulnerabilities/CVE-2012-5493/35386", + "specs": [ + "<4.2.3", + ">=4.3a1,<4.3b1" + ], + "v": "<4.2.3,>=4.3a1,<4.3b1" + }, + { + "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5500: The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.", + "cve": "CVE-2012-5500", + "id": "pyup.io-35392", + "more_info_path": "/vulnerabilities/CVE-2012-5500/35392", + "specs": [ + "<4.2.3", + ">=4.3a1,<4.3b1" + ], + "v": "<4.2.3,>=4.3a1,<4.3b1" + }, + { + "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5498: 
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.", + "cve": "CVE-2012-5498", + "id": "pyup.io-35390", + "more_info_path": "/vulnerabilities/CVE-2012-5498/35390", + "specs": [ + "<4.2.3", + ">=4.3a1,<4.3b1" + ], + "v": "<4.2.3,>=4.3a1,<4.3b1" + }, + { + "advisory": "The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope.", + "cve": "CVE-2012-5508", + "id": "pyup.io-35398", + "more_info_path": "/vulnerabilities/CVE-2012-5508/35398", + "specs": [ + "<4.2.3", + ">=4.3a1,<4.3b1" + ], + "v": "<4.2.3,>=4.3a1,<4.3b1" + }, { "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5497: membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.", "cve": "CVE-2012-5497", 
@@ -106983,39 +108256,6 @@ ], "v": "<4.2.3,>=4.3a1,<4.3b1" }, - { - "advisory": "gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.", - "cve": "CVE-2012-5493", - "id": "pyup.io-35386", - "more_info_path": "/vulnerabilities/CVE-2012-5493/35386", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, - { - "advisory": "Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to \"{u,}translate.\"", - "cve": "CVE-2012-5494", - "id": "pyup.io-35387", - "more_info_path": "/vulnerabilities/CVE-2012-5494/35387", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, - { - "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5500: The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.", - "cve": "CVE-2012-5500", - "id": "pyup.io-35392", - "more_info_path": "/vulnerabilities/CVE-2012-5500/35392", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, { "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5495: python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to \"go_back.\"", "cve": "CVE-2012-5495", 
@@ -107027,17 +108267,6 @@ ], "v": "<4.2.3,>=4.3a1,<4.3b1" }, - { - "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5499: python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.", - "cve": "CVE-2012-5499", - "id": "pyup.io-35391", - "more_info_path": "/vulnerabilities/CVE-2012-5499/35391", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, { "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5501: at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.", "cve": "CVE-2012-5501", @@ -107049,17 +108278,6 @@ ], "v": "<4.2.3,>=4.3a1,<4.3b1" }, - { - "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5504: Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", - "cve": "CVE-2012-5504", - "id": "pyup.io-35395", - "more_info_path": "/vulnerabilities/CVE-2012-5504/35395", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, { "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5505: atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name.", "cve": "CVE-2012-5505", 
@@ -107071,39 +108289,6 @@ ], "v": "<4.2.3,>=4.3a1,<4.3b1" }, - { - "advisory": "Plone 4.2.3 and 4.3b1 include a fix for CVE-2012-5506: python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.", - "cve": "CVE-2012-5506", - "id": "pyup.io-35397", - "more_info_path": "/vulnerabilities/CVE-2012-5506/35397", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, - { - "advisory": "ftp.py in Plone before 4.2.3 and 4.3b1 allows remote attackers to read hidden folder contents via unspecified vectors.", - "cve": "CVE-2012-5503", - "id": "pyup.io-25999", - "more_info_path": "/vulnerabilities/CVE-2012-5503/25999", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, - { - "advisory": "Plone versions 4.2.3 and 4.3b1 include a fix for CVE-2012-6661, a vulnerability in its dependency \"zope\".", - "cve": "CVE-2012-6661", - "id": "pyup.io-42186", - "more_info_path": "/vulnerabilities/CVE-2012-6661/42186", - "specs": [ - "<4.2.3", - ">=4.3a1,<4.3b1" - ], - "v": "<4.2.3,>=4.3a1,<4.3b1" - }, { "advisory": "Plone 4.3 includes a fix for CVE-2012-5486: It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. A remote attacker could use a specially crafted URL that, when processed, would cause the injected HTTP headers to be returned as a part of the Plone HTTP response, potentially allowing the attacker to perform other more advanced attacks.", "cve": "CVE-2012-5486", 
@@ -107188,20 +108373,20 @@
       "v": "<5.0a"
     },
     {
-      "advisory": "An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers. See CVE-2024-23055.\r\nhttps://github.com/c0d3x27/CVEs/tree/main/CVE-2024-23055",
-      "cve": "CVE-2024-23055",
-      "id": "pyup.io-64641",
-      "more_info_path": "/vulnerabilities/CVE-2024-23055/64641",
+      "advisory": "The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them. See CVE-2024-23756.",
+      "cve": "CVE-2024-23756",
+      "id": "pyup.io-65287",
+      "more_info_path": "/vulnerabilities/CVE-2024-23756/65287",
       "specs": [
         "<5.2.13"
       ],
       "v": "<5.2.13"
     },
     {
-      "advisory": "The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them. See CVE-2024-23756.",
-      "cve": "CVE-2024-23756",
-      "id": "pyup.io-65287",
-      "more_info_path": "/vulnerabilities/CVE-2024-23756/65287",
+      "advisory": "An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers. See CVE-2024-23055.\r\nhttps://github.com/c0d3x27/CVEs/tree/main/CVE-2024-23055",
+      "cve": "CVE-2024-23055",
+      "id": "pyup.io-64641",
+      "more_info_path": "/vulnerabilities/CVE-2024-23055/64641",
       "specs": [
         "<5.2.13"
       ],
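Review bot: Both entries in this hunk (CVE-2024-23756 and CVE-2024-23055) carry `"specs": ["<5.2.13"]` while their advisory text names Plone "5.2.13 (5221)" as the affected build, so a scanner checking a pin of `Plone==5.2.13` would report it clean for the very version the advisory describes. If 5.2.13 is indeed affected and no fixed release is known, the range should be `"<=5.2.13"` (or left open), and the advisory should say which version closes it once known. Note also that both descriptions concern the official Docker image's configuration (HTTP PUT/DELETE enabled, Host-header handling) rather than the PyPI `Plone` distribution itself, so attaching them to a package version range may over-report for non-Docker installs; I cannot confirm the scope from this file alone, but a sentence in each advisory such as `"Applies to the official Docker image; confirm exposure for other deployments."` would make the caveat visible to consumers.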
@@ -107278,20 +108463,20 @@
       "v": "<=3.0.6"
     },
     {
-      "advisory": "Plone CMS does not record users' authentication states, and implements the logout feature solely on the client side, which makes it easier for context-dependent attackers to reuse a logged-out session.",
-      "cve": "CVE-2008-1395",
-      "id": "pyup.io-67965",
-      "more_info_path": "/vulnerabilities/CVE-2008-1395/67965",
+      "advisory": "Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.",
+      "cve": "CVE-2008-1396",
+      "id": "pyup.io-67966",
+      "more_info_path": "/vulnerabilities/CVE-2008-1396/67966",
       "specs": [
         "<=3.1.7"
       ],
       "v": "<=3.1.7"
     },
     {
-      "advisory": "Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.",
-      "cve": "CVE-2008-1396",
-      "id": "pyup.io-67966",
-      "more_info_path": "/vulnerabilities/CVE-2008-1396/67966",
+      "advisory": "Plone CMS does not record users' authentication states, and implements the logout feature solely on the client side, which makes it easier for context-dependent attackers to reuse a logged-out session.",
+      "cve": "CVE-2008-1395",
+      "id": "pyup.io-67965",
+      "more_info_path": "/vulnerabilities/CVE-2008-1395/67965",
       "specs": [
         "<=3.1.7"
       ],
@@ -107323,40 +108508,40 @@ "v": "<=3.3.6,>=4.0a1,<=4.0.10,>=4.1a1,<=4.1.6,>=4.2a1,<=4.2.7,>=4.3a1,<4.3.7" }, { - "advisory": "Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.", - "cve": "CVE-2021-33510", - "id": "pyup.io-40535", - "more_info_path": "/vulnerabilities/CVE-2021-33510/40535", + "advisory": "Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.", + "cve": "CVE-2021-33513", + "id": "pyup.io-40538", + "more_info_path": "/vulnerabilities/CVE-2021-33513/40538", "specs": [ "<=5.2.4" ], "v": "<=5.2.4" }, { - "advisory": "Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.", - "cve": "CVE-2021-33507", - "id": "pyup.io-40821", - "more_info_path": "/vulnerabilities/CVE-2021-33507/40821", + "advisory": "Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.", + "cve": "CVE-2021-33511", + "id": "pyup.io-40536", + "more_info_path": "/vulnerabilities/CVE-2021-33511/40536", "specs": [ "<=5.2.4" ], "v": "<=5.2.4" }, { - "advisory": "Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.", - "cve": "CVE-2021-33513", - "id": "pyup.io-40538", - "more_info_path": "/vulnerabilities/CVE-2021-33513/40538", + "advisory": "Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.", + "cve": "CVE-2021-33510", + "id": "pyup.io-40535", + "more_info_path": "/vulnerabilities/CVE-2021-33510/40535", "specs": [ "<=5.2.4" ], "v": "<=5.2.4" }, { - "advisory": "Plone though 5.2.4 allows SSRF via the lxml parser. 
This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.", - "cve": "CVE-2021-33511", - "id": "pyup.io-40536", - "more_info_path": "/vulnerabilities/CVE-2021-33511/40536", + "advisory": "Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.", + "cve": "CVE-2021-33507", + "id": "pyup.io-40821", + "more_info_path": "/vulnerabilities/CVE-2021-33507/40821", "specs": [ "<=5.2.4" ], @@ -107373,20 +108558,20 @@ "v": "<=5.2.4" }, { - "advisory": "Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.", - "cve": "CVE-2021-33509", - "id": "pyup.io-40534", - "more_info_path": "/vulnerabilities/CVE-2021-33509/40534", + "advisory": "Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.", + "cve": "CVE-2021-33512", + "id": "pyup.io-40537", + "more_info_path": "/vulnerabilities/CVE-2021-33512/40537", "specs": [ "<=5.2.4" ], "v": "<=5.2.4" }, { - "advisory": "Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.", - "cve": "CVE-2021-33512", - "id": "pyup.io-40537", - "more_info_path": "/vulnerabilities/CVE-2021-33512/40537", + "advisory": "Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.", + "cve": "CVE-2021-33509", + "id": "pyup.io-40534", + "more_info_path": "/vulnerabilities/CVE-2021-33509/40534", "specs": [ "<=5.2.4" ], 
@@ -107477,10 +108662,10 @@ "v": ">=2.1,<4.0.6,>=4.1a0,<4.2" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4193: typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.", - "cve": "CVE-2013-4193", - "id": "pyup.io-35445", - "more_info_path": "/vulnerabilities/CVE-2013-4193/35445", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4196: The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.", + "cve": "CVE-2013-4196", + "id": "pyup.io-35448", + "more_info_path": "/vulnerabilities/CVE-2013-4196/35448", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", @@ -107489,10 +108674,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4196: The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.", - "cve": "CVE-2013-4196", - "id": "pyup.io-35448", - "more_info_path": "/vulnerabilities/CVE-2013-4196/35448", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4192: sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors.", + "cve": "CVE-2013-4192", + "id": "pyup.io-35444", + "more_info_path": "/vulnerabilities/CVE-2013-4192/35444", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", 
@@ -107501,10 +108686,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4188: traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to \"retrieving information for certain resources.\"", - "cve": "CVE-2013-4188", - "id": "pyup.io-35440", - "more_info_path": "/vulnerabilities/CVE-2013-4188/35440", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4195: Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "cve": "CVE-2013-4195", + "id": "pyup.io-35447", + "more_info_path": "/vulnerabilities/CVE-2013-4195/35447", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", 
@@ -107513,10 +108698,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4195: (1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).", - "cve": "CVE-2013-4199", - "id": "pyup.io-35451", - "more_info_path": "/vulnerabilities/CVE-2013-4199/35451", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4194: The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.", + "cve": "CVE-2013-4194", + "id": "pyup.io-35446", + "more_info_path": "/vulnerabilities/CVE-2013-4194/35446", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", @@ -107525,10 +108710,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4189: Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors.", - "cve": "CVE-2013-4189", - "id": "pyup.io-35441", - "more_info_path": "/vulnerabilities/CVE-2013-4189/35441", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4197: member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors.", + "cve": "CVE-2013-4197", + "id": "pyup.io-35449", + "more_info_path": "/vulnerabilities/CVE-2013-4197/35449", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", 
@@ -107537,10 +108722,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4191: zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.", - "cve": "CVE-2013-4191", - "id": "pyup.io-35443", - "more_info_path": "/vulnerabilities/CVE-2013-4191/35443", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4189: Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors.", + "cve": "CVE-2013-4189", + "id": "pyup.io-35441", + "more_info_path": "/vulnerabilities/CVE-2013-4189/35441", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", @@ -107549,10 +108734,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4192: sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors.", - "cve": "CVE-2013-4192", - "id": "pyup.io-35444", - "more_info_path": "/vulnerabilities/CVE-2013-4192/35444", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4193: typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.", + "cve": "CVE-2013-4193", + "id": "pyup.io-35445", + "more_info_path": "/vulnerabilities/CVE-2013-4193/35445", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", 
@@ -107561,10 +108746,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4195: Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", - "cve": "CVE-2013-4195", - "id": "pyup.io-35447", - "more_info_path": "/vulnerabilities/CVE-2013-4195/35447", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4191: zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.", + "cve": "CVE-2013-4191", + "id": "pyup.io-35443", + "more_info_path": "/vulnerabilities/CVE-2013-4191/35443", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", 
@@ -107573,10 +108758,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4194: The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.", - "cve": "CVE-2013-4194", - "id": "pyup.io-35446", - "more_info_path": "/vulnerabilities/CVE-2013-4194/35446", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4188: traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to \"retrieving information for certain resources.\"", + "cve": "CVE-2013-4188", + "id": "pyup.io-35440", + "more_info_path": "/vulnerabilities/CVE-2013-4188/35440", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", @@ -107585,10 +108770,10 @@ "v": ">=2.1,<4.1,>=4.2a1,<4.2.5,>=4.3a1,<4.3.1" }, { - "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4197: member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors.", - "cve": "CVE-2013-4197", - "id": "pyup.io-35449", - "more_info_path": "/vulnerabilities/CVE-2013-4197/35449", + "advisory": "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4195: (1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).", + "cve": "CVE-2013-4199", + "id": "pyup.io-35451", + "more_info_path": "/vulnerabilities/CVE-2013-4199/35451", "specs": [ ">=2.1,<4.1", ">=4.2a1,<4.2.5", 
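Review bot: In the second hunk on this line, the entry with `"cve": "CVE-2013-4199"` (pyup.io-35451, the cb_decode.py/linkintegrity.py zip-bomb DoS) has an advisory string that begins "Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4195:", but CVE-2013-4195 is the open-redirect issue in marmoset_patch.py/publish.py/principiaredirect.py recorded by the other entry on this line. The prose was carried over unchanged from the removed side, so this is a pre-existing mismatch, but the new side is what consumers read; the first clause should be `"Plone 4.1, 4.2.5 and 4.3.1 include a fix for CVE-2013-4199: ..."` so the description agrees with the `cve` and `more_info_path` fields. Everything else in the hunk is a reorder of existing entries.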
@@ -107643,20 +108828,20 @@ "v": ">=2.5,<4.0" }, { - "advisory": "A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.\r\nhttps://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property", - "cve": "CVE-2017-1000482", - "id": "pyup.io-35702", - "more_info_path": "/vulnerabilities/CVE-2017-1000482/35702", + "advisory": "When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the 'isURLInPortal' check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.\r\nhttps://plone.org/security/hotfix/20171128/open-redirection-on-login-form", + "cve": "CVE-2017-1000481", + "id": "pyup.io-35701", + "more_info_path": "/vulnerabilities/CVE-2017-1000481/35701", "specs": [ ">=2.5,<=5.1rc1" ], "v": ">=2.5,<=5.1rc1" }, { - "advisory": "When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. 
Most of these types of attacks are already blocked by Plone, using the 'isURLInPortal' check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.\r\nhttps://plone.org/security/hotfix/20171128/open-redirection-on-login-form", - "cve": "CVE-2017-1000481", - "id": "pyup.io-35701", - "more_info_path": "/vulnerabilities/CVE-2017-1000481/35701", + "advisory": "A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.\r\nhttps://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property", + "cve": "CVE-2017-1000482", + "id": "pyup.io-35702", + "more_info_path": "/vulnerabilities/CVE-2017-1000482/35702", "specs": [ ">=2.5,<=5.1rc1" ], 
@@ -107784,10 +108969,10 @@ "v": ">=3.3a1,<3.3.6,>=4.0a1,<4.0.10,>=4.1a1,<4.1.6,>=4.2a1,<4.2.7,>=4.3a1,<4.3.6" }, { - "advisory": "Plone 3.3.6, 4.3.11 and 5.0.6 include a fix for CVE-2016-7139: Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.\r\nhttps://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone", - "cve": "CVE-2016-7139", - "id": "pyup.io-35687", - "more_info_path": "/vulnerabilities/CVE-2016-7139/35687", + "advisory": "Plone 3.3.6, 4.3.11 and 5.0.6 include a fix for CVE-2016-7137: Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.", + "cve": "CVE-2016-7137", + "id": "pyup.io-35685", + "more_info_path": "/vulnerabilities/CVE-2016-7137/35685", "specs": [ ">=3.3a1,<3.3.6", ">=4.0a1,<4.3.11", 
@@ -107796,10 +108981,10 @@ "v": ">=3.3a1,<3.3.6,>=4.0a1,<4.3.11,>=5.0a1,<5.0.6" }, { - "advisory": "Plone 3.3.6, 4.3.11 and 5.0.6 include a fix for CVE-2016-7137: Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.", - "cve": "CVE-2016-7137", - "id": "pyup.io-35685", - "more_info_path": "/vulnerabilities/CVE-2016-7137/35685", + "advisory": "Plone 3.3.6, 4.3.11 and 5.0.6 include a fix for CVE-2016-7139: Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.\r\nhttps://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone", + "cve": "CVE-2016-7139", + "id": "pyup.io-35687", + "more_info_path": "/vulnerabilities/CVE-2016-7139/35687", "specs": [ ">=3.3a1,<3.3.6", ">=4.0a1,<4.3.11", @@ -108568,9 +109753,9 @@ }, { "advisory": "Plotly 1.9.6 includes plotly.js version 1.5.2, which contains security fixes.", - "cve": "CVE-2015-8858", - "id": "pyup.io-45779", - "more_info_path": "/vulnerabilities/CVE-2015-8858/45779", + "cve": "CVE-2015-9242", + "id": "pyup.io-38545", + "more_info_path": "/vulnerabilities/CVE-2015-9242/38545", "specs": [ "<1.9.6" ], 
@@ -108578,9 +109763,9 @@ }, { "advisory": "Plotly 1.9.6 includes plotly.js version 1.5.2, which contains security fixes.", - "cve": "CVE-2015-9242", - "id": "pyup.io-38545", - "more_info_path": "/vulnerabilities/CVE-2015-9242/38545", + "cve": "CVE-2015-8858", + "id": "pyup.io-45779", + "more_info_path": "/vulnerabilities/CVE-2015-8858/45779", "specs": [ "<1.9.6" ], @@ -108992,10 +110177,10 @@ ], "polyaxon": [ { - "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'bootstrap' to v3.4.1 to include a security fix.", - "cve": "CVE-2019-8331", - "id": "pyup.io-49097", - "more_info_path": "/vulnerabilities/CVE-2019-8331/49097", + "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'lodash' to v4.17.11 to include security fixes.", + "cve": "CVE-2018-16487", + "id": "pyup.io-49096", + "more_info_path": "/vulnerabilities/CVE-2018-16487/49096", "specs": [ "<0.4.1" ], @@ -109012,10 +110197,10 @@ "v": "<0.4.1" }, { - "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'lodash' to v4.17.11 to include security fixes.", - "cve": "CVE-2018-16487", - "id": "pyup.io-49096", - "more_info_path": "/vulnerabilities/CVE-2018-16487/49096", + "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'bootstrap' to v3.4.1 to include a security fix.", + "cve": "CVE-2019-8331", + "id": "pyup.io-49097", + "more_info_path": "/vulnerabilities/CVE-2019-8331/49097", "specs": [ "<0.4.1" ], @@ -109053,9 +110238,9 @@ }, { "advisory": "Polyaxon 0.5.5 updates its dependency 'django' to v2.2.4 to include security fixes.", - "cve": "CVE-2019-14234", - "id": "pyup.io-45019", - "more_info_path": "/vulnerabilities/CVE-2019-14234/45019", + "cve": "CVE-2019-14233", + "id": "pyup.io-45018", + "more_info_path": "/vulnerabilities/CVE-2019-14233/45018", "specs": [ "<0.5.5" ], 
@@ -109063,9 +110248,9 @@
 },
 {
 "advisory": "Polyaxon 0.5.5 updates its dependency 'django' to v2.2.4 to include security fixes.",
- "cve": "CVE-2019-14233",
- "id": "pyup.io-45018",
- "more_info_path": "/vulnerabilities/CVE-2019-14233/45018",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-45019",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/45019",
 "specs": [
 "<0.5.5"
 ],
@@ -109683,20 +110868,20 @@
 "v": "<0.14.21"
 },
 {
- "advisory": "Prefect 0.15.8 includes a Prefect Server update that bumps an upstream dependency to fix a security vulnerability. See CVE-2021-41249.",
- "cve": "CVE-2021-41249",
- "id": "pyup.io-42552",
- "more_info_path": "/vulnerabilities/CVE-2021-41249/42552",
+ "advisory": "Prefect 0.15.8 includes a version of Prefect UI which updates a dependency (npm:graphiql) to include a security fix.",
+ "cve": "CVE-2021-41248",
+ "id": "pyup.io-42952",
+ "more_info_path": "/vulnerabilities/CVE-2021-41248/42952",
 "specs": [
 "<0.15.8"
 ],
 "v": "<0.15.8"
 },
 {
- "advisory": "Prefect 0.15.8 includes a version of Prefect UI which updates a dependency (npm:graphiql) to include a security fix.",
- "cve": "CVE-2021-41248",
- "id": "pyup.io-42952",
- "more_info_path": "/vulnerabilities/CVE-2021-41248/42952",
+ "advisory": "Prefect 0.15.8 includes a Prefect Server update that bumps an upstream dependency to fix a security vulnerability. See CVE-2021-41249.",
+ "cve": "CVE-2021-41249",
+ "id": "pyup.io-42552",
+ "more_info_path": "/vulnerabilities/CVE-2021-41249/42552",
 "specs": [
 "<0.15.8"
 ],
@@ -109722,6 +110907,16 @@
 ],
 "v": "<2.15.0"
 },
+ {
+ "advisory": "Prefect updates its `anyo` dependency to address a race condition in `anyo` related to a thread race condition in `_eventloop.get_asynclib()`.",
+ "cve": "PVE-2024-72487",
+ "id": "pyup.io-72487",
+ "more_info_path": "/vulnerabilities/PVE-2024-72487/72487",
+ "specs": [
+ "<2.20.0"
+ ],
+ "v": "<2.20.0"
+ },
 {
 "advisory": "Prefect affected versions have a race condition that could lead to operational inconsistencies and potential security vulnerabilities. This issue arises when multiple processes attempt to update the state of the same flow run concurrently, leading to conflicts such as duplicate flow run executions.",
 "cve": "PVE-2024-71644",
@@ -109822,6 +111017,16 @@
 ],
 "v": "<2024.1.1"
 },
+ {
+ "advisory": "Stored XSS vulnerabilities in the organizer and event settings of Pretix affected versions allowed malicious event organizers to inject HTML tags into email previews on the settings page. The fix introduced proper escaping of placeholders and dynamic content using Django's `escape` function, mitigating the risk of Cross-Site Scripting (XSS) attacks. While the default Content Security Policy (CSP) of Pretix prevents the execution of attacker-provided scripts, making exploitation unlikely, this vulnerability could still be dangerous if combined with a CSP bypass, potentially allowing impersonation of other organizers or staff users.",
+ "cve": "CVE-2024-8113",
+ "id": "pyup.io-72971",
+ "more_info_path": "/vulnerabilities/CVE-2024-8113/72971",
+ "specs": [
+ "<2024.7.1"
+ ],
+ "v": "<2024.7.1"
+ },
 {
 "advisory": "pretix before 2023.7.2 allows Pillow to parse EPS files.",
 "cve": "CVE-2023-44464",
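Review bot: The new Prefect entry at `@@ -109722,6 +110907,16 @@` names the dependency as `anyo` twice, which does not look like a real distribution name; presumably `anyio` is meant (it is the package that exposes `_eventloop.get_asynclib()`), and since readers and tooling search advisory text by package name the two occurrences should be corrected to `anyio`. The entry also gives no upstream reference (release note, issue or commit) for the `<2.20.0` bound, so a consumer cannot verify from this record which Prefect release actually picked up the fixed dependency; the `more_info_path` alone points back into the same database. The `PVE-` identifier marks this as a non-CVE record, so a source link matters more here than for the CVE-backed entries around it.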
@@ -112015,6 +113220,19 @@
 "v": "<0.3"
 }
 ],
+ "puffioner131": [
+ {
+ "advisory": "The puffioner131 package on PyPI has been identified as malicious by the OpenSSF Package Analysis project. The package communicates with a domain linked to malicious activity, posing significant security risks. Users who have installed this package may be vulnerable to unauthorized access or other harmful consequences.",
+ "cve": "PVE-2024-72978",
+ "id": "pyup.io-72978",
+ "more_info_path": "/vulnerabilities/PVE-2024-72978/72978",
+ "specs": [
+ ">=0",
+ "<=0"
+ ],
+ "v": ">=0,<=0"
+ }
+ ],
 "pulp-ansible": [
 {
 "advisory": "Pulp-ansible 0.15.0 includes a fix for CVE-2022-3644: The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.\r\nhttps://github.com/pulp/pulp_ansible/pull/1222",
@@ -112120,6 +113338,21 @@
 ">=0,<3.15.0"
 ],
 "v": ">=0,<3.15.0"
+ },
+ {
+ "advisory": "Pulpcore fixed an issue where RBAC permissions were incorrectly assigned during task-based object creation. In Pulp, the `AutoAddObjPermsMixin` assigns permissions to the oldest user with task permissions instead of the actual task initiator. This resulted in the wrong user receiving permissions, leaving the creating user with none.",
+ "cve": "CVE-2024-7143",
+ "id": "pyup.io-72596",
+ "more_info_path": "/vulnerabilities/CVE-2024-7143/72596",
+ "specs": [
+ ">=3.28,<3.28.32",
+ ">=3.39,<3.39.20",
+ ">=3.49,<3.49.17",
+ ">=3.57.0,<3.57.1",
+ ">=3.22,<3.22.30",
+ "<3.21.33"
+ ],
+ "v": ">=3.28,<3.28.32,>=3.39,<3.39.20,>=3.49,<3.49.17,>=3.57.0,<3.57.1,>=3.22,<3.22.30,<3.21.33"
 }
 ],
 "pulsar-client": [
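Review bot: The `puffioner131` specs `">=0"` and `"<=0"` (mirrored in `"v": ">=0,<=0"`) only match a version that compares equal to 0, while the advisory describes the package itself as malicious, so a consumer that evaluates these ranges would not flag any real release such as 0.1 or 1.0. Unless `>=0,<=0` is this database's convention for "every version", which cannot be confirmed from this hunk, the range should be the open lower bound alone: `">=0"` as the only spec and `"v": ">=0"`, which is the form the `pulp-ansible`/`pulpcore` context lines in the next hunk use for an open range (`">=0,<3.15.0"`). In the `pulpcore` entry the six ranges are listed out of version order (3.28, 3.39, 3.49, 3.57, 3.22, 3.21); sorting them ascending would make later diffs against upstream ranges readable, a style point only.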
@@ -115459,7 +116692,7 @@
 ],
 "py": [
 {
- "advisory": "Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.\r\nhttps://github.com/pytest-dev/py/issues/287",
+ "advisory": "** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.\r\nhttps://github.com/pytest-dev/py/issues/287",
 "cve": "CVE-2022-42969",
 "id": "pyup.io-51457",
 "more_info_path": "/vulnerabilities/CVE-2022-42969/51457",
@@ -115632,6 +116865,26 @@
 }
 ],
 "py-quantaq": [
+ {
+ "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-50904",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/50904",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-50903",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/50903",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
 {
 "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'urllib3' to v1.26.12 to include security fixes.",
 "cve": "CVE-2018-20060",
@@ -115672,16 +116925,6 @@
 ],
 "v": "<1.2.0a0"
 },
- {
- "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-50903",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/50903",
- "specs": [
- "<1.2.0a0"
- ],
- "v": "<1.2.0a0"
- },
 {
 "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'urllib3' to v1.26.12 to include security fixes.",
 "cve": "CVE-2020-26137",
@@ -115712,16 +116955,6 @@
 ],
 "v": "<1.2.0a0"
 },
- {
- "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-50904",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/50904",
- "specs": [
- "<1.2.0a0"
- ],
- "v": "<1.2.0a0"
- },
 {
 "advisory": "Py-quantaq 1.3.0 updates its dependency 'urllib3' to v1.26.12 to include security fixes.",
 "cve": "CVE-2020-26137",
@@ -116557,20 +117790,20 @@
 ],
 "pybotx": [
 {
- "advisory": "Pybotx 0.55.3 updates its dependency 'requests' to v2.31.0 to include a security fix.",
- "cve": "CVE-2023-32681",
- "id": "pyup.io-58908",
- "more_info_path": "/vulnerabilities/CVE-2023-32681/58908",
+ "advisory": "Pybotx 0.55.3 updates its dependency 'fastapy' to v0.95.2 to include a security fix.",
+ "cve": "PVE-2023-58713",
+ "id": "pyup.io-58906",
+ "more_info_path": "/vulnerabilities/PVE-2023-58713/58906",
 "specs": [
 "<0.55.3"
 ],
 "v": "<0.55.3"
 },
 {
- "advisory": "Pybotx 0.55.3 updates its dependency 'fastapy' to v0.95.2 to include a security fix.",
- "cve": "PVE-2023-58713",
- "id": "pyup.io-58906",
- "more_info_path": "/vulnerabilities/PVE-2023-58713/58906",
+ "advisory": "Pybotx 0.55.3 updates its dependency 'requests' to v2.31.0 to include a security fix.",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-58908",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/58908",
 "specs": [
 "<0.55.3"
 ],
@@ -117634,6 +118867,18 @@
 "v": "<2.4.0.dev2"
 }
 ],
+ "pygenesis-django": [
+ {
+ "advisory": "Pygenesis-django 0.1.1alpha updates its dependency 'django' to v5.1 to include a fix for a SQLi vulnerability.",
+ "cve": "CVE-2024-42005",
+ "id": "pyup.io-72579",
+ "more_info_path": "/vulnerabilities/CVE-2024-42005/72579",
+ "specs": [
+ "<0.1.1alpha"
+ ],
+ "v": "<0.1.1alpha"
+ }
+ ],
 "pyglove": [
 {
 "advisory": "Pyglove 0.1.1 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/google/pyglove/pull/52",
@@ -117814,20 +119059,20 @@
 "v": "<0.7"
 },
 {
- "advisory": "Pyinaturalist 0.7.0 updates its dependency 'urllib3' to v1.24.2 to include a security fix.",
- "cve": "CVE-2019-11324",
- "id": "pyup.io-49091",
- "more_info_path": "/vulnerabilities/CVE-2019-11324/49091",
+ "advisory": "Pyinaturalist 0.7.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.",
+ "cve": "CVE-2019-10906",
+ "id": "pyup.io-37127",
+ "more_info_path": "/vulnerabilities/CVE-2019-10906/37127",
 "specs": [
 "<0.7.0"
 ],
 "v": "<0.7.0"
 },
 {
- "advisory": "Pyinaturalist 0.7.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.",
- "cve": "CVE-2019-10906",
- "id": "pyup.io-37127",
- "more_info_path": "/vulnerabilities/CVE-2019-10906/37127",
+ "advisory": "Pyinaturalist 0.7.0 updates its dependency 'urllib3' to v1.24.2 to include a security fix.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-49091",
+ "more_info_path": "/vulnerabilities/CVE-2019-11324/49091",
 "specs": [
 "<0.7.0"
 ],
@@ -117847,9 +119092,9 @@
 },
 {
 "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.",
- "cve": "CVE-2016-9841",
- "id": "pyup.io-45787",
- "more_info_path": "/vulnerabilities/CVE-2016-9841/45787",
+ "cve": "CVE-2016-9842",
+ "id": "pyup.io-45788",
+ "more_info_path": "/vulnerabilities/CVE-2016-9842/45788",
 "specs": [
 "<3.5"
 ],
@@ -117857,9 +119102,9 @@
 },
 {
 "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.",
- "cve": "CVE-2016-9842",
- "id": "pyup.io-45788",
- "more_info_path": "/vulnerabilities/CVE-2016-9842/45788",
+ "cve": "CVE-2016-9841",
+ "id": "pyup.io-45787",
+ "more_info_path": "/vulnerabilities/CVE-2016-9841/45787",
 "specs": [
 "<3.5"
 ],
@@ -118730,10 +119975,10 @@
 "v": "<0.9.0"
 },
 {
- "advisory": "Pyoes 0.9.0 updates its dependency 'pyramid' to 1.10.4 to include security fixes.",
- "cve": "PVE-2022-48337",
- "id": "pyup.io-37254",
- "more_info_path": "/vulnerabilities/PVE-2022-48337/37254",
+ "advisory": "Pyoes 0.9.0 updates its dependency 'jinja2' to 2.10.1 to include security fixes.",
+ "cve": "CVE-2016-10745",
+ "id": "pyup.io-49089",
+ "more_info_path": "/vulnerabilities/CVE-2016-10745/49089",
 "specs": [
 "<0.9.0"
 ],
@@ -118750,10 +119995,10 @@
 "v": "<0.9.0"
 },
 {
- "advisory": "Pyoes 0.9.0 updates its dependency 'jinja2' to 2.10.1 to include security fixes.",
- "cve": "CVE-2016-10745",
- "id": "pyup.io-49089",
- "more_info_path": "/vulnerabilities/CVE-2016-10745/49089",
+ "advisory": "Pyoes 0.9.0 updates its dependency 'pyramid' to 1.10.4 to include security fixes.",
+ "cve": "PVE-2022-48337",
+ "id": "pyup.io-37254",
+ "more_info_path": "/vulnerabilities/PVE-2022-48337/37254",
 "specs": [
 "<0.9.0"
 ],
@@ -119614,34 +120859,22 @@
 "v": "<0.12"
 }
 ],
- "pyrdfa3": [
- {
- "advisory": "A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely.",
- "cve": "CVE-2022-4396",
- "id": "pyup.io-54597",
- "more_info_path": "/vulnerabilities/CVE-2022-4396/54597",
- "specs": [
- "<3.6.2"
- ],
- "v": "<3.6.2"
- }
- ],
 "pyrit": [
 {
- "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22421.",
- "cve": "CVE-2024-22421",
- "id": "pyup.io-66903",
- "more_info_path": "/vulnerabilities/CVE-2024-22421/66903",
+ "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22420.\r\nhttps://github.com/Azure/PyRIT/pull/26/commits/e9322551a6842f73e6e232b469579374d2915290",
+ "cve": "CVE-2024-22420",
+ "id": "pyup.io-66865",
+ "more_info_path": "/vulnerabilities/CVE-2024-22420/66865",
 "specs": [
 "<0.1.0"
 ],
 "v": "<0.1.0"
 },
 {
- "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22420.\r\nhttps://github.com/Azure/PyRIT/pull/26/commits/e9322551a6842f73e6e232b469579374d2915290",
- "cve": "CVE-2024-22420",
- "id": "pyup.io-66865",
- "more_info_path": "/vulnerabilities/CVE-2024-22420/66865",
+ "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22421.",
+ "cve": "CVE-2024-22421",
+ "id": "pyup.io-66903",
+ "more_info_path": "/vulnerabilities/CVE-2024-22421/66903",
 "specs": [
 "<0.1.0"
 ],
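Review bot: This hunk deletes the whole `pyrdfa3` section, which was the only record of CVE-2022-4396 (`pyup.io-54597`, range `<3.6.2`) visible here, so any consumer keyed on that package or CVE silently loses the finding; the rest of the hunk is just the two `pyrit` entries changing places. Nothing in the hunk shows whether the advisory was rejected upstream or re-homed under another package name, and no replacement entry is visible in this chunk. If the removal is intentional the reason belongs in the commit message, and if the entry was moved the destination section should be reviewable in the same change.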
@@ -119877,9 +121110,9 @@
 "pyserini": [
 {
 "advisory": "Pyserini 0.11.0.0 and prior includes a version of Anserini affected by critical and severe vulnerabilities, related to log4j.",
- "cve": "CVE-2021-45046",
- "id": "pyup.io-43607",
- "more_info_path": "/vulnerabilities/CVE-2021-45046/43607",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-43606",
+ "more_info_path": "/vulnerabilities/CVE-2021-44228/43606",
 "specs": [
 "<=0.11.0.0"
 ],
@@ -119887,9 +121120,9 @@
 },
 {
 "advisory": "Pyserini 0.11.0.0 and prior includes a version of Anserini affected by critical and severe vulnerabilities, related to log4j.",
- "cve": "CVE-2021-45105",
- "id": "pyup.io-43608",
- "more_info_path": "/vulnerabilities/CVE-2021-45105/43608",
+ "cve": "CVE-2021-44832",
+ "id": "pyup.io-44462",
+ "more_info_path": "/vulnerabilities/CVE-2021-44832/44462",
 "specs": [
 "<=0.11.0.0"
 ],
@@ -119897,9 +121130,9 @@
 },
 {
 "advisory": "Pyserini 0.11.0.0 and prior includes a version of Anserini affected by critical and severe vulnerabilities, related to log4j.",
- "cve": "CVE-2021-44228",
- "id": "pyup.io-43606",
- "more_info_path": "/vulnerabilities/CVE-2021-44228/43606",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-43607",
+ "more_info_path": "/vulnerabilities/CVE-2021-45046/43607",
 "specs": [
 "<=0.11.0.0"
 ],
@@ -119907,9 +121140,9 @@
 },
 {
 "advisory": "Pyserini 0.11.0.0 and prior includes a version of Anserini affected by critical and severe vulnerabilities, related to log4j.",
- "cve": "CVE-2021-44832",
- "id": "pyup.io-44462",
- "more_info_path": "/vulnerabilities/CVE-2021-44832/44462",
+ "cve": "CVE-2021-45105",
+ "id": "pyup.io-43608",
+ "more_info_path": "/vulnerabilities/CVE-2021-45105/43608",
 "specs": [
 "<=0.11.0.0"
 ],
@@ -120738,9 +121971,9 @@
 "pytest-httpserver": [
 {
 "advisory": "Pytest-httpserver 1.0.2 drops support for Python 3.4 and 3.5. These versions arrived to EOL and don't receive security fixes anymore.",
- "cve": "CVE-2019-20907",
- "id": "pyup.io-43451",
- "more_info_path": "/vulnerabilities/CVE-2019-20907/43451",
+ "cve": "CVE-2021-3177",
+ "id": "pyup.io-43452",
+ "more_info_path": "/vulnerabilities/CVE-2021-3177/43452",
 "specs": [
 "<1.0.2"
 ],
@@ -120748,9 +121981,9 @@
 },
 {
 "advisory": "Pytest-httpserver 1.0.2 drops support for Python 3.4 and 3.5. These versions arrived to EOL and don't receive security fixes anymore.",
- "cve": "CVE-2021-3177",
- "id": "pyup.io-43452",
- "more_info_path": "/vulnerabilities/CVE-2021-3177/43452",
+ "cve": "CVE-2020-27619",
+ "id": "pyup.io-43407",
+ "more_info_path": "/vulnerabilities/CVE-2020-27619/43407",
 "specs": [
 "<1.0.2"
 ],
@@ -120768,9 +122001,9 @@
 },
 {
 "advisory": "Pytest-httpserver 1.0.2 drops support for Python 3.4 and 3.5. These versions arrived to EOL and don't receive security fixes anymore.",
- "cve": "CVE-2020-27619",
- "id": "pyup.io-43407",
- "more_info_path": "/vulnerabilities/CVE-2020-27619/43407",
+ "cve": "CVE-2019-20907",
+ "id": "pyup.io-43451",
+ "more_info_path": "/vulnerabilities/CVE-2019-20907/43451",
 "specs": [
 "<1.0.2"
 ],
@@ -122202,7 +123435,7 @@
 "v": "<=2.6.6,>=3.1.0,<3.1.3"
 },
 {
- "advisory": "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code: a privilege escalation vulnerability. This issue also affects old 3.x releases before 3.5.\r\nNOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x.",
+ "advisory": "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code: a privilege escalation vulnerability. This issue also affects old 3.x releases before 3.5.\r\nNOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x.",
 "cve": "CVE-2019-13404",
 "id": "pyup.io-70573",
 "more_info_path": "/vulnerabilities/CVE-2019-13404/70573",
@@ -123010,6 +124243,18 @@
 "v": "<3.9.0"
 }
 ],
+ "python-engineio-v3": [
+ {
+ "advisory": "Python-engineio-v3 3.9.0\r\n\r\n- **Vulnerability Type:** Cross-origin scripting attack\r\n- **Impact:** Executing arbitrary JavaScript in the origin of the WebSocket connection\r\n- **Attack Vector:** Bypassing the same-origin policy of web browsers through the use of WebSockets\r\n- **Vulnerable Configuration:** Lack of origin check when establishing WebSocket connections\r\n- **Mitigation:** Enforce origin checks when accepting WebSocket connections to prevent cross-origin scripting attacks.\r\n\r\nThe application establishes WebSocket connections without validating the origin of the sender, allowing attackers to bypass the same-origin policy and inject malicious JavaScript into the application context. By sending specially crafted WebSocket messages, an attacker could execute arbitrary code in the origin of the WebSocket connection.\r\n\r\nAnalysis Details:\r\n\r\nContext: Web security policy \r\nVulnerability: True positive (cross-origin attack) \r\nLinks Commit: https://github.com/miguelgrinberg/python-engineio/commit/7548f704a0a3000b7ac8a6c88796c4ae58aa9c37\r\nScore: 8 - True positive, documentation added to describe and mitigate cross-origin vulnerabilities",
+ "cve": "PVE-2024-72870",
+ "id": "pyup.io-72870",
+ "more_info_path": "/vulnerabilities/PVE-2024-72870/72870",
+ "specs": [
+ "<3.9.0"
+ ],
+ "v": "<3.9.0"
+ }
+ ],
 "python-exiv2": [
 {
 "advisory": "A stack out of bounds read vulnerability exists in Exiv2 library 0.26 within the webp parser.",
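Review bot: The new `python-engineio-v3` advisory string carries what reads as an internal triage note rather than consumer-facing text: the trailing `Analysis Details:` block with `Vulnerability: True positive` and `Score: 8 - True positive, documentation added to describe and mitigate cross-origin vulnerabilities` is curator metadata, and its own wording says the referenced commit added documentation, which sits uneasily with a hard `<3.9.0` vulnerable range presented as a code fix. The same leak appears in the two `python-socketio-v4` entries added at `@@ -124049,6 +125294,28 @@` (`The analysis did not provide any information on exploitability or why this information is better than public sources.` and `Remarks: PoC exploits may become public, so we advise you to monitor for developments.`), where the second entry's remediation line also names `socket.io version 3.1.1 or later` while its spec is `<4.3.0` on a python-socketio package, so the bound and the text disagree. These advisories should be cut back to the vulnerability description, impact, mitigation and the upstream commit link, with each version bound checked against that commit before the record ships; the `Mitigation:` guidance (enforce origin checks on WebSocket accept) is the part worth keeping verbatim.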
@@ -123251,6 +124496,16 @@
 }
 ],
 "python-homewizard-energy": [
+ {
+ "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'urllib3' to include a security fix.",
+ "cve": "CVE-2023-43804",
+ "id": "pyup.io-61779",
+ "more_info_path": "/vulnerabilities/CVE-2023-43804/61779",
+ "specs": [
+ "<2.1.2"
+ ],
+ "v": "<2.1.2"
+ },
 {
 "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'gitpython' to include a security fix.",
 "cve": "CVE-2023-40590",
@@ -123270,16 +124525,6 @@
 "<2.1.2"
 ],
 "v": "<2.1.2"
- },
- {
- "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'urllib3' to include a security fix.",
- "cve": "CVE-2023-43804",
- "id": "pyup.io-61779",
- "more_info_path": "/vulnerabilities/CVE-2023-43804/61779",
- "specs": [
- "<2.1.2"
- ],
- "v": "<2.1.2"
 }
 ],
 "python-hugo": [
@@ -123358,20 +124603,20 @@
 "v": "<1.3.2"
 },
 {
- "advisory": "python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a \"JWT bomb.\" This is similar to CVE-2024-21319. See CVE-2024-33664.",
- "cve": "CVE-2024-33664",
- "id": "pyup.io-70716",
- "more_info_path": "/vulnerabilities/CVE-2024-33664/70716",
+ "advisory": "python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. See CVE-2024-33663.",
+ "cve": "CVE-2024-33663",
+ "id": "pyup.io-70715",
+ "more_info_path": "/vulnerabilities/CVE-2024-33663/70715",
 "specs": [
 "<3.3.0"
 ],
 "v": "<3.3.0"
 },
 {
- "advisory": "python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. See CVE-2024-33663.",
- "cve": "CVE-2024-33663",
- "id": "pyup.io-70715",
- "more_info_path": "/vulnerabilities/CVE-2024-33663/70715",
+ "advisory": "python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a \"JWT bomb.\" This is similar to CVE-2024-21319. See CVE-2024-33664.",
+ "cve": "CVE-2024-33664",
+ "id": "pyup.io-70716",
+ "more_info_path": "/vulnerabilities/CVE-2024-33664/70716",
 "specs": [
 "<3.3.0"
 ],
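Review bot: Both re-emitted python-jose advisories say `through 3.3.0`, i.e. 3.3.0 itself is affected and no fixed release is named, but the `specs`/`v` context lines for both entries read `<3.3.0`, which excludes exactly the version the text names; a consumer pinned to 3.3.0 would be told it is clean for CVE-2024-33663 and CVE-2024-33664. Unless a fixed 3.3.0 build exists that this chunk does not show, the ranges should be `"<=3.3.0"` in `specs` and `"v": "<=3.3.0"` for both entries. The swap performed by this hunk preserves the mismatch rather than introducing it, so this is an existing data defect surfaced by the rewrite.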
@@ -123447,20 +124692,20 @@
 "v": "<0.2.4"
 },
 {
- "advisory": "Python-keystoneclient 0.2.4 includes a fix for CVE-2013-2104: python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.\r\nhttps://bugs.launchpad.net/python-keystoneclient/+bug/1179615",
- "cve": "CVE-2013-2104",
- "id": "pyup.io-35427",
- "more_info_path": "/vulnerabilities/CVE-2013-2104/35427",
+ "advisory": "keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.",
+ "cve": "CVE-2013-2030",
+ "id": "pyup.io-66670",
+ "more_info_path": "/vulnerabilities/CVE-2013-2030/66670",
 "specs": [
 "<0.2.4"
 ],
 "v": "<0.2.4"
 },
 {
- "advisory": "keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.",
- "cve": "CVE-2013-2030",
- "id": "pyup.io-66670",
- "more_info_path": "/vulnerabilities/CVE-2013-2030/66670",
+ "advisory": "Python-keystoneclient 0.2.4 includes a fix for CVE-2013-2104: python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.\r\nhttps://bugs.launchpad.net/python-keystoneclient/+bug/1179615",
+ "cve": "CVE-2013-2104",
+ "id": "pyup.io-35427",
+ "more_info_path": "/vulnerabilities/CVE-2013-2104/35427",
 "specs": [
 "<0.2.4"
 ],
@@ -123508,20 +124753,20 @@
 "v": "<=5.0.1"
 },
 {
- "advisory": "Python-keystoneclient 0.3.0 includes a fix for CVE-2013-2166: Middleware memcache encryption and signing bypass.",
- "cve": "CVE-2013-2166",
- "id": "pyup.io-37748",
- "more_info_path": "/vulnerabilities/CVE-2013-2166/37748",
+ "advisory": "Python-keystoneclient 0.3.0 includes a fix for CVE-2013-2167: Middleware memcache encryption and signing bypass.",
+ "cve": "CVE-2013-2167",
+ "id": "pyup.io-37749",
+ "more_info_path": "/vulnerabilities/CVE-2013-2167/37749",
 "specs": [
 ">=0.2.3,<=0.2.5"
 ],
 "v": ">=0.2.3,<=0.2.5"
 },
 {
- "advisory": "Python-keystoneclient 0.3.0 includes a fix for CVE-2013-2167: Middleware memcache encryption and signing bypass.",
- "cve": "CVE-2013-2167",
- "id": "pyup.io-37749",
- "more_info_path": "/vulnerabilities/CVE-2013-2167/37749",
+ "advisory": "Python-keystoneclient 0.3.0 includes a fix for CVE-2013-2166: Middleware memcache encryption and signing bypass.",
+ "cve": "CVE-2013-2166",
+ "id": "pyup.io-37748",
+ "more_info_path": "/vulnerabilities/CVE-2013-2166/37748",
 "specs": [
 ">=0.2.3,<=0.2.5"
 ],
@@ -124049,6 +125294,28 @@
 "v": "<4.3.0"
 }
 ],
+ "python-socketio-v4": [
+ {
+ "advisory": "Python-socketio-v4 1.4.4\r\n\r\n- Vulnerability Type: Race Condition \r\n- Impact: Depends on specifics of race condition. Likely allows unauthorized access or privilege escalation. \r\n- Attack Vector: Local users or remote attackers could exploit this race condition vulnerability.\r\n\r\nAffected Functions/Methods: The fix for the race condition is linked to commit 024609e10e570ccd2e932a0584c5a1784c4bbf75. The issue related to this fix is linked to issue 37. \r\n- Vulnerable Configuration: Any version of the python-socketio package prior to the fix. \r\n- Mitigation/Remediation: Upgrade to version of python-socketio package that contains commit 024609e10e570ccd2e932a0584c5a1784c4bbf75.\r\n\r\nThe analysis did not provide any information on exploitability or why this information is better than public sources.",
+ "cve": "PVE-2024-72873",
+ "id": "pyup.io-72873",
+ "more_info_path": "/vulnerabilities/PVE-2024-72873/72873",
+ "specs": [
+ "<1.4.4"
+ ],
+ "v": "<1.4.4"
+ },
+ {
+ "advisory": "Python-socketio-v4 4.3.0\r\n\r\nVulnerability Type: Cross-Site Scripting (XSS) \r\nImpact: Medium. The vulnerability allows execution of arbitrary JavaScript code in the context of the affected website.\r\nCVSS v3.0 severity rating: 6.1 (Medium)\r\nAttack Vector: Maliciously crafted HTTP requests\r\nAffected Functions/Methods: The socket.io library is affected, specifically in handling cross-origin requests. \r\nVulnerable Configuration: Any application using the affected socket.io library versions.\r\nExploitability: The issue and fix are clearly identified, allowing reproduction of the vulnerability. The vulnerability appears to be easily exploitable.\r\nMitigation/Remediation: Upgrade to socket.io version 3.1.1 or later.\r\n\r\n\r\nRemarks: PoC exploits may become public, so we advise you to monitor for developments.",
+ "cve": "PVE-2024-72872",
+ "id": "pyup.io-72872",
+ "more_info_path": "/vulnerabilities/PVE-2024-72872/72872",
+ "specs": [
+ "<4.3.0"
+ ],
+ "v": "<4.3.0"
+ }
+ ],
 "python-sqlite": [
 {
 "advisory": "Python-sqlite is a typosquatting package. It installs malware in your system that leaks your data.\r\nhttps://github.com/rsc-dev/pypi_malware",
@@ -124357,9 +125624,9 @@
 },
 {
 "advisory": "Pytorch-lightning 1.6.0 updates its dependency 'pyyaml' to v5.4 and uses yaml.safe_load() to fix code execution vulnerabilities.",
- "cve": "CVE-2020-14343",
- "id": "pyup.io-43752",
- "more_info_path": "/vulnerabilities/CVE-2020-14343/43752",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-43581",
+ "more_info_path": "/vulnerabilities/CVE-2020-1747/43581",
 "specs": [
 "<1.6.0"
 ],
@@ -124367,9 +125634,9 @@
 },
 {
 "advisory": "Pytorch-lightning 1.6.0 updates its dependency 'pyyaml' to v5.4 and uses yaml.safe_load() to fix code execution vulnerabilities.",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-43581",
- "more_info_path": "/vulnerabilities/CVE-2020-1747/43581",
+ "cve": "CVE-2020-14343",
+ "id": "pyup.io-43752",
+ "more_info_path": "/vulnerabilities/CVE-2020-14343/43752",
 "specs": [
 "<1.6.0"
 ],
@@ -125051,9 +126318,9 @@
 },
 {
 "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.",
- "cve": "CVE-2020-35653",
- "id": "pyup.io-46446",
- "more_info_path": "/vulnerabilities/CVE-2020-35653/46446",
+ "cve": "CVE-2021-23437",
+ "id": "pyup.io-46452",
+ "more_info_path": "/vulnerabilities/CVE-2021-23437/46452",
 "specs": [
 "<6.1.0"
 ],
@@ -125061,9 +126328,9 @@
 },
 {
 "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.",
- "cve": "CVE-2021-23437",
- "id": "pyup.io-46452",
- "more_info_path": "/vulnerabilities/CVE-2021-23437/46452",
+ "cve": "CVE-2020-35653",
+ "id": "pyup.io-46446",
+ "more_info_path": "/vulnerabilities/CVE-2020-35653/46446",
 "specs": [
 "<6.1.0"
 ],
@@ -125564,6 +126831,18 @@
 "v": "<0.2.1"
 }
 ],
+ "quantities": [
+ {
+ "advisory": "A vulnerability in the quantities library\u2019s UnitRegistry class allows arbitrary code execution due to the insecure use of eval in the __getitem__ method. Malicious input could exploit this flaw, leading to potential system compromise. The issue is mitigated by introducing checks to block harmful code execution.",
+ "cve": "PVE-2024-72822",
+ "id": "pyup.io-72822",
+ "more_info_path": "/vulnerabilities/PVE-2024-72822/72822",
+ "specs": [
+ "<0.16.0"
+ ],
+ "v": "<0.16.0"
+ }
+ ],
 "quark": [
 {
 "advisory": "comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory.",
@@ -126201,19 +127480,9 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2019-5481",
- "id": "pyup.io-48353",
- "more_info_path": "/vulnerabilities/CVE-2019-5481/48353",
- "specs": [
- "<2.0.2"
- ],
- "v": "<2.0.2"
- },
- {
- "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2019-16168",
- "id": "pyup.io-48347",
- "more_info_path": "/vulnerabilities/CVE-2019-16168/48347",
+ "cve": "CVE-2020-15209",
+ "id": "pyup.io-48374",
+ "more_info_path": "/vulnerabilities/CVE-2020-15209/48374",
 "specs": [
 "<2.0.2"
 ],
@@ -126239,16 +127508,6 @@
 ],
 "v": "<2.0.2"
 },
- {
- "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-26271",
- "id": "pyup.io-48383",
- "more_info_path": "/vulnerabilities/CVE-2020-26271/48383",
- "specs": [
- "<2.0.2"
- ],
- "v": "<2.0.2"
- },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
 "cve": "CVE-2019-10099",
@@ -126281,9 +127540,9 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-15207",
- "id": "pyup.io-48372",
- "more_info_path": "/vulnerabilities/CVE-2020-15207/48372",
+ "cve": "CVE-2020-15194",
+ "id": "pyup.io-48365",
+ "more_info_path": "/vulnerabilities/CVE-2020-15194/48365",
 "specs": [
 "<2.0.2"
 ],
@@ -126291,9 +127550,9 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-15194",
- "id": "pyup.io-48365",
- "more_info_path": "/vulnerabilities/CVE-2020-15194/48365",
+ "cve": "CVE-2020-26270",
+ "id": "pyup.io-48382",
+ "more_info_path": "/vulnerabilities/CVE-2020-26270/48382",
 "specs": [
 "<2.0.2"
 ],
@@ -126301,9 +127560,39 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-26270",
- "id": "pyup.io-48382",
- "more_info_path": "/vulnerabilities/CVE-2020-26270/48382",
+ "cve": "CVE-2020-13630",
+ "id": "pyup.io-48359",
+ "more_info_path": "/vulnerabilities/CVE-2020-13630/48359",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
+ },
+ {
+ "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
+ "cve": "CVE-2019-5481",
+ "id": "pyup.io-48353",
+ "more_info_path": "/vulnerabilities/CVE-2019-5481/48353",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
+ },
+ {
+ "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
+ "cve": "CVE-2019-16168",
+ "id": "pyup.io-48347",
+ "more_info_path": "/vulnerabilities/CVE-2019-16168/48347",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
+ },
+ {
+ "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
+ "cve": "CVE-2020-15207",
+ "id": "pyup.io-48372",
+ "more_info_path": "/vulnerabilities/CVE-2020-15207/48372",
 "specs": [
 "<2.0.2"
 ],
@@ -126341,9 +127630,9 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-13630",
- "id": "pyup.io-48359",
- "more_info_path": "/vulnerabilities/CVE-2020-13630/48359",
+ "cve": "CVE-2020-15204",
+ "id": "pyup.io-48369",
+ "more_info_path": "/vulnerabilities/CVE-2020-15204/48369",
 "specs": [
 "<2.0.2"
 ],
@@ -126351,9 +127640,9 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-15204",
- "id": "pyup.io-48369",
- "more_info_path": "/vulnerabilities/CVE-2020-15204/48369",
+ "cve": "CVE-2020-13435",
+ "id": "pyup.io-48358",
+ "more_info_path": "/vulnerabilities/CVE-2020-13435/48358",
 "specs": [
 "<2.0.2"
 ],
@@ -126361,9 +127650,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13435", - "id": "pyup.io-48358", - "more_info_path": "/vulnerabilities/CVE-2020-13435/48358", + "cve": "CVE-2019-20838", + "id": "pyup.io-48352", + "more_info_path": "/vulnerabilities/CVE-2019-20838/48352", "specs": [ "<2.0.2" ], @@ -126381,9 +127670,39 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-20838", - "id": "pyup.io-48352", - "more_info_path": "/vulnerabilities/CVE-2019-20838/48352", + "cve": "CVE-2020-26266", + "id": "pyup.io-48379", + "more_info_path": "/vulnerabilities/CVE-2020-26266/48379", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-13871", + "id": "pyup.io-48362", + "more_info_path": "/vulnerabilities/CVE-2020-13871/48362", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2018-11770", + "id": "pyup.io-40991", + "more_info_path": "/vulnerabilities/CVE-2018-11770/40991", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-13434", + "id": "pyup.io-48357", + "more_info_path": "/vulnerabilities/CVE-2020-13434/48357", "specs": [ "<2.0.2" ], 
@@ -126401,9 +127720,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15206", - "id": "pyup.io-48371", - "more_info_path": "/vulnerabilities/CVE-2020-15206/48371", + "cve": "CVE-2020-13631", + "id": "pyup.io-48360", + "more_info_path": "/vulnerabilities/CVE-2020-13631/48360", "specs": [ "<2.0.2" ], @@ -126411,9 +127730,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-19880", - "id": "pyup.io-48351", - "more_info_path": "/vulnerabilities/CVE-2019-19880/48351", + "cve": "CVE-2020-15190", + "id": "pyup.io-48364", + "more_info_path": "/vulnerabilities/CVE-2020-15190/48364", "specs": [ "<2.0.2" ], @@ -126421,9 +127740,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-5215", - "id": "pyup.io-48384", - "more_info_path": "/vulnerabilities/CVE-2020-5215/48384", + "cve": "CVE-2020-26271", + "id": "pyup.io-48383", + "more_info_path": "/vulnerabilities/CVE-2020-26271/48383", "specs": [ "<2.0.2" ], @@ -126431,9 +127750,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-26266", - "id": "pyup.io-48379", - "more_info_path": "/vulnerabilities/CVE-2020-26266/48379", + "cve": "CVE-2019-19646", + "id": "pyup.io-48350", + "more_info_path": "/vulnerabilities/CVE-2019-19646/48350", "specs": [ "<2.0.2" ], @@ -126441,9 +127760,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13871", - "id": "pyup.io-48362", - "more_info_path": "/vulnerabilities/CVE-2020-13871/48362", + "cve": "CVE-2019-5482", + "id": "pyup.io-48354", + "more_info_path": "/vulnerabilities/CVE-2019-5482/48354", "specs": [ "<2.0.2" ], 
@@ -126451,9 +127770,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2018-19664", - "id": "pyup.io-48342", - "more_info_path": "/vulnerabilities/CVE-2018-19664/48342", + "cve": "CVE-2020-26268", + "id": "pyup.io-48381", + "more_info_path": "/vulnerabilities/CVE-2020-26268/48381", "specs": [ "<2.0.2" ], @@ -126461,9 +127780,19 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-9327", - "id": "pyup.io-48385", - "more_info_path": "/vulnerabilities/CVE-2020-9327/48385", + "cve": "CVE-2020-15206", + "id": "pyup.io-48371", + "more_info_path": "/vulnerabilities/CVE-2020-15206/48371", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2019-19880", + "id": "pyup.io-48351", + "more_info_path": "/vulnerabilities/CVE-2019-19880/48351", "specs": [ "<2.0.2" ], @@ -126481,9 +127810,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-19646", - "id": "pyup.io-48350", - "more_info_path": "/vulnerabilities/CVE-2019-19646/48350", + "cve": "CVE-2020-9327", + "id": "pyup.io-48385", + "more_info_path": "/vulnerabilities/CVE-2020-9327/48385", "specs": [ "<2.0.2" ], @@ -126491,9 +127820,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2018-11770", - "id": "pyup.io-40991", - "more_info_path": "/vulnerabilities/CVE-2018-11770/40991", + "cve": "CVE-2020-5215", + "id": "pyup.io-48384", + "more_info_path": "/vulnerabilities/CVE-2020-5215/48384", "specs": [ "<2.0.2" ], 
@@ -126501,9 +127830,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-13960", - "id": "pyup.io-48345", - "more_info_path": "/vulnerabilities/CVE-2019-13960/48345", + "cve": "CVE-2018-19664", + "id": "pyup.io-48342", + "more_info_path": "/vulnerabilities/CVE-2018-19664/48342", "specs": [ "<2.0.2" ], @@ -126529,16 +127858,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13434", - "id": "pyup.io-48357", - "more_info_path": "/vulnerabilities/CVE-2020-13434/48357", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2020-15211", @@ -126569,16 +127888,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15209", - "id": "pyup.io-48374", - "more_info_path": "/vulnerabilities/CVE-2020-15209/48374", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2019-19645", @@ -126591,19 +127900,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-5482", - "id": "pyup.io-48354", - "more_info_path": "/vulnerabilities/CVE-2019-5482/48354", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-26268", - "id": "pyup.io-48381", - "more_info_path": "/vulnerabilities/CVE-2020-26268/48381", + "cve": "CVE-2019-13960", + "id": "pyup.io-48345", + "more_info_path": "/vulnerabilities/CVE-2019-13960/48345", "specs": [ "<2.0.2" ], 
@@ -126619,26 +127918,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13631", - "id": "pyup.io-48360", - "more_info_path": "/vulnerabilities/CVE-2020-13631/48360", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15190", - "id": "pyup.io-48364", - "more_info_path": "/vulnerabilities/CVE-2020-15190/48364", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.6.5 updates its dependency 'urllib3' to v2.0.6 to include a security fix.", "cve": "CVE-2023-43804", @@ -128302,16 +129581,6 @@ ], "v": "<3.1.4" }, - { - "advisory": "Rasa 3.1.4 updates its dependency 'tensorflow' to v2.7.3 to include security fixes.", - "cve": "CVE-2022-27780", - "id": "pyup.io-49597", - "more_info_path": "/vulnerabilities/CVE-2022-27780/49597", - "specs": [ - "<3.1.4" - ], - "v": "<3.1.4" - }, { "advisory": "Rasa 3.1.4 updates its dependency 'tensorflow' to v2.7.3 to include security fixes.", "cve": "CVE-2022-27778", @@ -128352,6 +129621,16 @@ ], "v": "<3.1.4" }, + { + "advisory": "Rasa 3.1.4 updates its dependency 'tensorflow' to v2.7.3 to include security fixes.", + "cve": "CVE-2022-27780", + "id": "pyup.io-49597", + "more_info_path": "/vulnerabilities/CVE-2022-27780/49597", + "specs": [ + "<3.1.4" + ], + "v": "<3.1.4" + }, { "advisory": "Rasa 3.1.4 updates its dependency 'tensorflow' to v2.7.3 to include security fixes.", "cve": "CVE-2022-29194", 
@@ -129169,9 +130448,9 @@ }, { "advisory": "Rasa-sdk 3.6.2 updates its dependency 'wheel' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/RasaHQ/rasa-sdk/pull/1026", - "cve": "CVE-2022-40898", - "id": "pyup.io-60643", - "more_info_path": "/vulnerabilities/CVE-2022-40898/60643", + "cve": "PVE-2023-60638", + "id": "pyup.io-60638", + "more_info_path": "/vulnerabilities/PVE-2023-60638/60638", "specs": [ "<3.6.2" ], @@ -129179,9 +130458,9 @@ }, { "advisory": "Rasa-sdk 3.6.2 updates its dependency 'wheel' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/RasaHQ/rasa-sdk/pull/1026", - "cve": "PVE-2023-60638", - "id": "pyup.io-60638", - "more_info_path": "/vulnerabilities/PVE-2023-60638/60638", + "cve": "CVE-2022-40898", + "id": "pyup.io-60643", + "more_info_path": "/vulnerabilities/CVE-2022-40898/60643", "specs": [ "<3.6.2" ], @@ -129191,9 +130470,9 @@ "rasterio": [ { "advisory": "Rasterio 1.3.0 updates its C dependency 'hdf5' to include security fixes.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", - "cve": "CVE-2020-10812", - "id": "pyup.io-51987", - "more_info_path": "/vulnerabilities/CVE-2020-10812/51987", + "cve": "CVE-2020-10809", + "id": "pyup.io-51988", + "more_info_path": "/vulnerabilities/CVE-2020-10809/51988", "specs": [ "<1.3.0" ], 
@@ -129201,19 +130480,19 @@ }, { "advisory": "Rasterio 1.3.0 updates its C dependency 'hdf5' to include security fixes.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", - "cve": "CVE-2020-10810", - "id": "pyup.io-51986", - "more_info_path": "/vulnerabilities/CVE-2020-10810/51986", + "cve": "CVE-2020-10812", + "id": "pyup.io-51987", + "more_info_path": "/vulnerabilities/CVE-2020-10812/51987", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { - "advisory": "Rasterio 1.3.0 updates its C dependency 'json-c' to include a security fix.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", - "cve": "CVE-2020-12762", - "id": "pyup.io-51989", - "more_info_path": "/vulnerabilities/CVE-2020-12762/51989", + "advisory": "Rasterio 1.3.0 updates its C dependency 'hdf5' to include security fixes.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", + "cve": "CVE-2020-10811", + "id": "pyup.io-51985", + "more_info_path": "/vulnerabilities/CVE-2020-10811/51985", "specs": [ "<1.3.0" ], 
@@ -129221,39 +130500,39 @@ }, { "advisory": "Rasterio 1.3.0 updates its C dependency 'hdf5' to include security fixes.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", - "cve": "CVE-2020-10809", - "id": "pyup.io-51988", - "more_info_path": "/vulnerabilities/CVE-2020-10809/51988", + "cve": "CVE-2020-10810", + "id": "pyup.io-51986", + "more_info_path": "/vulnerabilities/CVE-2020-10810/51986", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { - "advisory": "Rasterio 1.3.0 updates its C dependency 'hdf5' to include security fixes.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", - "cve": "CVE-2020-10811", - "id": "pyup.io-51985", - "more_info_path": "/vulnerabilities/CVE-2020-10811/51985", + "advisory": "Rasterio 1.3.0 updates its C dependency 'json-c' to include a security fix.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/81", + "cve": "CVE-2020-12762", + "id": "pyup.io-51989", + "more_info_path": "/vulnerabilities/CVE-2020-12762/51989", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { - "advisory": "Rasterio 1.3.8.post2 updates its bundled dependency 'libcurl' to v8.4.0 to include a security fix.", - "cve": "CVE-2023-38545", - "id": "pyup.io-61769", - "more_info_path": "/vulnerabilities/CVE-2023-38545/61769", + "advisory": "Rasterio 1.3.8.post2 updates its bundled dependency 'libcurl' to v8.4.0 to include a security fix.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/112", + "cve": "CVE-2023-38546", + "id": "pyup.io-61770", + "more_info_path": "/vulnerabilities/CVE-2023-38546/61770", "specs": [ "<1.3.8.post2" ], "v": "<1.3.8.post2" }, { - "advisory": "Rasterio 1.3.8.post2 updates its bundled dependency 'libcurl' to v8.4.0 to include a security fix.\r\nhttps://github.com/rasterio/rasterio-wheels/issues/112", - "cve": "CVE-2023-38546", - "id": "pyup.io-61770", - "more_info_path": "/vulnerabilities/CVE-2023-38546/61770", + "advisory": "Rasterio 1.3.8.post2 updates its bundled dependency 'libcurl' to v8.4.0 to include a security fix.", + "cve": 
"CVE-2023-38545", + "id": "pyup.io-61769", + "more_info_path": "/vulnerabilities/CVE-2023-38545/61769", "specs": [ "<1.3.8.post2" ], @@ -129317,9 +130596,9 @@ }, { "advisory": "Ray 1.9.1 updates its dependency 'log4j' to v2.16.0 to include security fixes.\r\nhttps://github.com/ray-project/ray/commit/2cdbf974ea63caf4323aacbccaef2394a14a8562", - "cve": "CVE-2021-45046", - "id": "pyup.io-43415", - "more_info_path": "/vulnerabilities/CVE-2021-45046/43415", + "cve": "CVE-2021-44228", + "id": "pyup.io-43413", + "more_info_path": "/vulnerabilities/CVE-2021-44228/43413", "specs": [ "<1.9.1" ], @@ -129327,9 +130606,9 @@ }, { "advisory": "Ray 1.9.1 updates its dependency 'log4j' to v2.16.0 to include security fixes.\r\nhttps://github.com/ray-project/ray/commit/2cdbf974ea63caf4323aacbccaef2394a14a8562", - "cve": "CVE-2021-44228", - "id": "pyup.io-43413", - "more_info_path": "/vulnerabilities/CVE-2021-44228/43413", + "cve": "CVE-2021-45046", + "id": "pyup.io-43415", + "more_info_path": "/vulnerabilities/CVE-2021-45046/43415", "specs": [ "<1.9.1" ], @@ -129366,10 +130645,10 @@ "v": "<2.8.1" }, { - "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6019: A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", - "cve": "CVE-2023-6019", - "id": "pyup.io-62632", - "more_info_path": "/vulnerabilities/CVE-2023-6019/62632", + "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6020: LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", + "cve": "CVE-2023-6020", + "id": "pyup.io-62649", + "more_info_path": "/vulnerabilities/CVE-2023-6020/62649", "specs": [ "<2.8.1" ], 
@@ -129386,10 +130665,10 @@ "v": "<2.8.1" }, { - "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6020: LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", - "cve": "CVE-2023-6020", - "id": "pyup.io-62649", - "more_info_path": "/vulnerabilities/CVE-2023-6020/62649", + "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6019: A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", + "cve": "CVE-2023-6019", + "id": "pyup.io-62632", + "more_info_path": "/vulnerabilities/CVE-2023-6019/62632", "specs": [ "<2.8.1" ], 
@@ -129730,26 +131009,6 @@ ], "v": ">=0,<2.4.7" }, - { - "advisory": "rdiffweb prior to 2.4.8 has no limit in length of root directory names. Allowing users to enter long strings may result in a DOS attack or memory corruption. Version 2.4.8 defines a field limit for username, email, and root directory.", - "cve": "CVE-2022-3295", - "id": "pyup.io-54477", - "more_info_path": "/vulnerabilities/CVE-2022-3295/54477", - "specs": [ - ">=0,<2.4.8" - ], - "v": ">=0,<2.4.8" - }, - { - "advisory": "rdiffweb prior to 2.4.8 is vulnerable to a potential Dos attack via an unlimited length \"username\" field. This can result in excess memory consumption, or memory corruption, leading to a Denial of Service (DoS). This issue is patched in version 2.4.8. There are no known workarounds.", - "cve": "CVE-2022-3290", - "id": "pyup.io-54481", - "more_info_path": "/vulnerabilities/CVE-2022-3290/54481", - "specs": [ - ">=0,<2.4.8" - ], - "v": ">=0,<2.4.8" - }, { "advisory": "rdiffweb prior to 2.4.8 does not validate email length, allowing users to insert an email longer than 255 characters. If a user signs up with an email with a length of 1 million or more characters and logs in, withdraws, or changes their email, the server may cause denial of service due to overload. Version 2.4.8 sets length limits for username, email, and root directory.\n", "cve": "CVE-2022-3272", 
@@ -129780,6 +131039,26 @@ ], "v": ">=0,<2.4.8" }, + { + "advisory": "rdiffweb prior to 2.4.8 has no limit in length of root directory names. Allowing users to enter long strings may result in a DOS attack or memory corruption. Version 2.4.8 defines a field limit for username, email, and root directory.", + "cve": "CVE-2022-3295", + "id": "pyup.io-54477", + "more_info_path": "/vulnerabilities/CVE-2022-3295/54477", + "specs": [ + ">=0,<2.4.8" + ], + "v": ">=0,<2.4.8" + }, + { + "advisory": "rdiffweb prior to 2.4.8 is vulnerable to a potential Dos attack via an unlimited length \"username\" field. This can result in excess memory consumption, or memory corruption, leading to a Denial of Service (DoS). This issue is patched in version 2.4.8. There are no known workarounds.", + "cve": "CVE-2022-3290", + "id": "pyup.io-54481", + "more_info_path": "/vulnerabilities/CVE-2022-3290/54481", + "specs": [ + ">=0,<2.4.8" + ], + "v": ">=0,<2.4.8" + }, { "advisory": "rdiffweb prior to version 2.4.9 is vulnerable to Use of Cache Containing Sensitive Information. Due to improper cache control, an attacker can view sensitive information even if they are not logged into an account. Version 2.4.9 contains a patch for this issue.", "cve": "CVE-2022-3292", 
@@ -129811,40 +131090,40 @@ "v": ">=0,<2.5.0" }, { - "advisory": "Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0. ", - "cve": "CVE-2022-3439", - "id": "pyup.io-54521", - "more_info_path": "/vulnerabilities/CVE-2022-3439/54521", + "advisory": "Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0.", + "cve": "CVE-2022-3327", + "id": "pyup.io-54572", + "more_info_path": "/vulnerabilities/CVE-2022-3327/54572", "specs": [ ">=0,<2.5.0" ], "v": ">=0,<2.5.0" }, { - "advisory": "rdiffweb prior to 2.5.0a4 allows users to set their new password to be the same as the old password during a password reset. Version 2.5.0a4 enforces a password policy in which a new password cannot be the same as the old one.", - "cve": "CVE-2022-3376", - "id": "pyup.io-54507", - "more_info_path": "/vulnerabilities/CVE-2022-3376/54507", + "advisory": "Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.", + "cve": "CVE-2022-3456", + "id": "pyup.io-54520", + "more_info_path": "/vulnerabilities/CVE-2022-3456/54520", "specs": [ ">=0,<2.5.0" ], "v": ">=0,<2.5.0" }, { - "advisory": "Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0.", - "cve": "CVE-2022-3327", - "id": "pyup.io-54572", - "more_info_path": "/vulnerabilities/CVE-2022-3327/54572", + "advisory": "Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0. 
", + "cve": "CVE-2022-3439", + "id": "pyup.io-54521", + "more_info_path": "/vulnerabilities/CVE-2022-3439/54521", "specs": [ ">=0,<2.5.0" ], "v": ">=0,<2.5.0" }, { - "advisory": "Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.", - "cve": "CVE-2022-3456", - "id": "pyup.io-54520", - "more_info_path": "/vulnerabilities/CVE-2022-3456/54520", + "advisory": "rdiffweb prior to 2.5.0a4 allows users to set their new password to be the same as the old password during a password reset. Version 2.5.0a4 enforces a password policy in which a new password cannot be the same as the old one.", + "cve": "CVE-2022-3376", + "id": "pyup.io-54507", + "more_info_path": "/vulnerabilities/CVE-2022-3376/54507", "specs": [ ">=0,<2.5.0" ], @@ -129960,6 +131239,16 @@ ], "v": ">=0,<2.5.5" }, + { + "advisory": "Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5.", + "cve": "CVE-2022-4720", + "id": "pyup.io-54634", + "more_info_path": "/vulnerabilities/CVE-2022-4720/54634", + "specs": [ + ">=0,<2.5.5" + ], + "v": ">=0,<2.5.5" + }, { "advisory": "Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5.", "cve": "CVE-2022-4722", @@ -129999,16 +131288,6 @@ ">=0,<2.5.5" ], "v": ">=0,<2.5.5" - }, - { - "advisory": "Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5.", - "cve": "CVE-2022-4720", - "id": "pyup.io-54634", - "more_info_path": "/vulnerabilities/CVE-2022-4720/54634", - "specs": [ - ">=0,<2.5.5" - ], - "v": ">=0,<2.5.5" } ], "rdmo": [ 
@@ -130992,6 +132271,18 @@ "v": "<0.4.0" } ], + "repopack": [ + { + "advisory": "Repopack has updated `micromatch` from version 4.0.7 to 4.0.8, addressing a critical security vulnerability CVE-2024-4067.", + "cve": "CVE-2024-4067", + "id": "pyup.io-72816", + "more_info_path": "/vulnerabilities/CVE-2024-4067/72816", + "specs": [ + "<0.1.29" + ], + "v": "<0.1.29" + } + ], "reportlab": [ { "advisory": "ReportLab 3.5.31 includes a fix for CVE-2019-19450: Paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '.", "cve": "PVE-2021-38393", @@ -135031,16 +136344,18 @@ "<2.8.0" ], "v": "<2.8.0" - }, + } + ], + "sbpy": [ { - "advisory": "Sbp 2.8.0 updates its dependency 'minimist' to version '1.2.5' to include a fix for a Prototype Pollution vulnerability.\r\nhttps://github.com/swift-nav/libsbp/pull/791", - "cve": "CVE-2020-7598", - "id": "pyup.io-60389", - "more_info_path": "/vulnerabilities/CVE-2020-7598/60389", + "advisory": "Sbpy now requires `astropy` version 5.3.3 or higher to mitigate CVE-2023-41334.", + "cve": "CVE-2023-41334", + "id": "pyup.io-72899", + "more_info_path": "/vulnerabilities/CVE-2023-41334/72899", "specs": [ - "<2.8.0" + "<0.5.0" ], - "v": "<2.8.0" + "v": "<0.5.0" } ], "scalecodec": [ 
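Review bot: The new `repopack` record in this hunk attributes a Node.js dependency bump (`micromatch` 4.0.7 → 4.0.8) to the PyPI package `repopack<0.1.29`; micromatch is an npm package, so unless the Python distribution actually vendors it, every Python install of repopack will be flagged for a vulnerability it cannot contain. Please confirm against the PyPI package's declared requirements before shipping the record, and if the source was the upstream JavaScript project's changelog, drop the entry or re-scope it to the package that really carries the dependency. The phrase "critical security vulnerability" also looks overstated for CVE-2024-4067, which is a regular-expression denial of service in micromatch's brace expansion and is, as far as I can tell, rated moderate by the upstream advisory; neutral wording such as `"Repopack 0.1.29 updates its dependency 'micromatch' to 4.0.8 to include a fix for a ReDoS vulnerability (CVE-2024-4067)."` avoids inflating severity for downstream scanners that surface this text.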
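Review bot: This hunk silently drops the only `sbp` advisory (CVE-2020-7598, `pyup.io-60389`, `<2.8.0`) while opening the new `sbpy` array; nothing on the new side replaces it, so consumers scanning `sbp` lose that finding with no record of why. If the removal is a deliberate correction — the dropped text describes a `minimist` bump, an npm dependency that the Python `sbp` wheel presumably does not ship — it is the right call but belongs in the commit message rather than buried in a regenerated dump; if it is an export regression, the record should be restored. The many reorder-only hunks around it (for example the Rapidtide block, which swaps CVE ids between otherwise identical records) make such drops easy to miss, so emitting each package's array in a stable order (sorted by `id`) in the exporter would keep these diffs reviewable. The new `sbpy` record itself (`<0.5.0`, requiring astropy 5.3.3 or higher for CVE-2023-41334) looks internally consistent.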
@@ -135311,20 +136626,20 @@ "v": "<2.3.0" }, { - "advisory": "Sceptre 3.3.0 updates its dependency 'wheel' to v0.38.1 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-53270", - "more_info_path": "/vulnerabilities/CVE-2022-40898/53270", + "advisory": "Sceptre 3.3.0 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-53273", + "more_info_path": "/vulnerabilities/CVE-2022-40897/53273", "specs": [ "<3.3.0" ], "v": "<3.3.0" }, { - "advisory": "Sceptre 3.3.0 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-53273", - "more_info_path": "/vulnerabilities/CVE-2022-40897/53273", + "advisory": "Sceptre 3.3.0 updates its dependency 'wheel' to v0.38.1 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-53270", + "more_info_path": "/vulnerabilities/CVE-2022-40898/53270", "specs": [ "<3.3.0" ], @@ -135423,20 +136738,20 @@ ], "scikit-network": [ { - "advisory": "Scikit-network 0.29.0 updates its dependency 'ipython' to v8.10.0 to include a security fix.", - "cve": "CVE-2023-24816", - "id": "pyup.io-54748", - "more_info_path": "/vulnerabilities/CVE-2023-24816/54748", + "advisory": "Scikit-network 0.29.0 updates its dependency 'wheel' to v0.38.4 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-54736", + "more_info_path": "/vulnerabilities/CVE-2022-40898/54736", "specs": [ "<0.29.0" ], "v": "<0.29.0" }, { - "advisory": "Scikit-network 0.29.0 updates its dependency 'wheel' to v0.38.4 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-54736", - "more_info_path": "/vulnerabilities/CVE-2022-40898/54736", + "advisory": "Scikit-network 0.29.0 updates its dependency 'ipython' to v8.10.0 to include a security fix.", + "cve": "CVE-2023-24816", + "id": "pyup.io-54748", + "more_info_path": "/vulnerabilities/CVE-2023-24816/54748", "specs": [ "<0.29.0" ], 
@@ -135527,20 +136842,20 @@ ], "scout-browser": [ { - "advisory": "Pypi package scout-browser (GitHub repository clinical-genomics/scout) prior to v4.52 is vulnerable to server-side request forgery. An attacker could make the application perform arbitrary requests to steal cookies, request access to private areas, or lead to cross-site scripting.", - "cve": "CVE-2022-1592", - "id": "pyup.io-53953", - "more_info_path": "/vulnerabilities/CVE-2022-1592/53953", + "advisory": "Scout is a Variant Call Format (VCF) visualization interface. The Pypi package `scout-browser` is vulnerable to path traversal due to `send_file` call in versions prior to 4.52.", + "cve": "CVE-2022-1554", + "id": "pyup.io-54438", + "more_info_path": "/vulnerabilities/CVE-2022-1554/54438", "specs": [ ">=0,<4.52" ], "v": ">=0,<4.52" }, { - "advisory": "Scout is a Variant Call Format (VCF) visualization interface. The Pypi package `scout-browser` is vulnerable to path traversal due to `send_file` call in versions prior to 4.52.", - "cve": "CVE-2022-1554", - "id": "pyup.io-54438", - "more_info_path": "/vulnerabilities/CVE-2022-1554/54438", + "advisory": "Pypi package scout-browser (GitHub repository clinical-genomics/scout) prior to v4.52 is vulnerable to server-side request forgery. An attacker could make the application perform arbitrary requests to steal cookies, request access to private areas, or lead to cross-site scripting.", + "cve": "CVE-2022-1592", + "id": "pyup.io-53953", + "more_info_path": "/vulnerabilities/CVE-2022-1592/53953", "specs": [ ">=0,<4.52" ], 
@@ -137551,16 +138866,6 @@ } ], "seismic-zfp": [ - { - "advisory": "Seismic-zfp version 0.3.2 has been updated to enhance security by upgrading its numpy dependency from version 1.21.3 to 1.22.2. This update addresses the vulnerability identified as CVE-2021-41495.", - "cve": "CVE-2021-41495", - "id": "pyup.io-71163", - "more_info_path": "/vulnerabilities/CVE-2021-41495/71163", - "specs": [ - "<0.3.2" - ], - "v": "<0.3.2" - }, { "advisory": "Seismic-zfp version 0.3.2 has been updated to enhance security by upgrading its fonttools dependency from 4.38.0 to 4.43.0. This update addresses the vulnerability identified as CVE-2023-45139.", "cve": "CVE-2023-45139", @@ -137580,6 +138885,16 @@ "<0.3.2" ], "v": "<0.3.2" + }, + { + "advisory": "Seismic-zfp version 0.3.2 has been updated to enhance security by upgrading its numpy dependency from version 1.21.3 to 1.22.2. This update addresses the vulnerability identified as CVE-2021-41495.", + "cve": "CVE-2021-41495", + "id": "pyup.io-71163", + "more_info_path": "/vulnerabilities/CVE-2021-41495/71163", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" } ], "seldon-core": [ @@ -140134,9 +141449,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2019-13960", - "id": "pyup.io-43823", - "more_info_path": "/vulnerabilities/CVE-2019-13960/43823", + "cve": "CVE-2018-11770", + "id": "pyup.io-43822", + "more_info_path": "/vulnerabilities/CVE-2018-11770/43822", "specs": [ "<1.0.10" ], @@ -140144,9 +141459,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2018-11770", - "id": "pyup.io-43822", - "more_info_path": "/vulnerabilities/CVE-2018-11770/43822", + "cve": "CVE-2019-13960", + "id": "pyup.io-43823", + "more_info_path": "/vulnerabilities/CVE-2019-13960/43823", "specs": [ "<1.0.10" ], 
@@ -142423,20 +143738,20 @@ "v": "<2.3.0rc5" }, { - "advisory": "Smart-app-framework 2.3.0rc5 updates its dependency 'PyYAML' to version '6.0.1' to include a fix for an Arbitrary Code Execution vulnerability.", - "cve": "CVE-2020-1747", - "id": "pyup.io-60340", - "more_info_path": "/vulnerabilities/CVE-2020-1747/60340", + "advisory": "Smart-app-framework 2.3.0rc5 updates its dependency 'nltk' to version '3.8.1' to include a fix for a ReDoS vulnerability.", + "cve": "CVE-2021-3842", + "id": "pyup.io-60335", + "more_info_path": "/vulnerabilities/CVE-2021-3842/60335", "specs": [ "<2.3.0rc5" ], "v": "<2.3.0rc5" }, { - "advisory": "Smart-app-framework 2.3.0rc5 updates its dependency 'nltk' to version '3.8.1' to include a fix for a ReDoS vulnerability.", - "cve": "CVE-2021-3828", - "id": "pyup.io-60337", - "more_info_path": "/vulnerabilities/CVE-2021-3828/60337", + "advisory": "Smart-app-framework 2.3.0rc5 updates its dependency 'PyYAML' to version '6.0.1' to include a fix for an Arbitrary Code Execution vulnerability.", + "cve": "CVE-2020-1747", + "id": "pyup.io-60340", + "more_info_path": "/vulnerabilities/CVE-2020-1747/60340", "specs": [ "<2.3.0rc5" ], @@ -142454,9 +143769,9 @@ }, { "advisory": "Smart-app-framework 2.3.0rc5 updates its dependency 'nltk' to version '3.8.1' to include a fix for a ReDoS vulnerability.", - "cve": "CVE-2021-3842", - "id": "pyup.io-60335", - "more_info_path": "/vulnerabilities/CVE-2021-3842/60335", + "cve": "CVE-2021-3828", + "id": "pyup.io-60337", + "more_info_path": "/vulnerabilities/CVE-2021-3828/60337", "specs": [ "<2.3.0rc5" ], 
@@ -142905,20 +144220,30 @@ "v": "<0.4.2" }, { - "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-50782.", - "cve": "CVE-2023-50782", - "id": "pyup.io-67580", - "more_info_path": "/vulnerabilities/CVE-2023-50782/67580", + "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-6237.", + "cve": "CVE-2023-6237", + "id": "pyup.io-67577", + "more_info_path": "/vulnerabilities/CVE-2023-6237/67577", "specs": [ "<2.2.4" ], "v": "<2.2.4" }, { - "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-6237.", - "cve": "CVE-2023-6237", - "id": "pyup.io-67577", - "more_info_path": "/vulnerabilities/CVE-2023-6237/67577", + "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-5363.", + "cve": "CVE-2023-5363", + "id": "pyup.io-67567", + "more_info_path": "/vulnerabilities/CVE-2023-5363/67567", + "specs": [ + "<2.2.4" + ], + "v": "<2.2.4" + }, + { + "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-50782.", + "cve": "CVE-2023-50782", + "id": "pyup.io-67580", + "more_info_path": "/vulnerabilities/CVE-2023-50782/67580", "specs": [ "<2.2.4" ], 
@@ -142944,16 +144269,6 @@ ], "v": "<2.2.4" }, - { - "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-5363.", - "cve": "CVE-2023-5363", - "id": "pyup.io-67567", - "more_info_path": "/vulnerabilities/CVE-2023-5363/67567", - "specs": [ - "<2.2.4" - ], - "v": "<2.2.4" - }, { "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2024-26130.", "cve": "CVE-2024-26130", @@ -143315,16 +144630,6 @@ } ], "spark-on-k8s": [ - { - "advisory": "Spark-on-k8s updates `apache-airflow` to address security vulnerability CVE-2024-39863.", - "cve": "CVE-2024-39863", - "id": "pyup.io-72359", - "more_info_path": "/vulnerabilities/CVE-2024-39863/72359", - "specs": [ - "<0.10.0" - ], - "v": "<0.10.0" - }, { "advisory": "Spark-on-k8s updates `zipp` to address security vulnerability CVE-2024-5569.", "cve": "CVE-2024-5569", @@ -143355,6 +144660,16 @@ ], "v": "<0.10.0" }, + { + "advisory": "Spark-on-k8s updates `apache-airflow` to address security vulnerability CVE-2024-39863.", + "cve": "CVE-2024-39863", + "id": "pyup.io-72359", + "more_info_path": "/vulnerabilities/CVE-2024-39863/72359", + "specs": [ + "<0.10.0" + ], + "v": "<0.10.0" + }, { "advisory": "Version 0.2.0 of Spark-on-k8s updates its `aiohttp` dependency to require version 3.9.2 or newer. This change aims to protect against the potential security risks outlined in CVE-2024-23334.", "cve": "CVE-2024-23334", 
@@ -144171,9 +145486,9 @@ "splitio-client": [ { "advisory": "Splitio-client 9.1.2 updates its dependency 'pyyaml' minimum requirement to v5.4 to include security fixes.", - "cve": "CVE-2020-14343", - "id": "pyup.io-48011", - "more_info_path": "/vulnerabilities/CVE-2020-14343/48011", + "cve": "CVE-2019-20477", + "id": "pyup.io-48016", + "more_info_path": "/vulnerabilities/CVE-2019-20477/48016", "specs": [ "<9.1.2" ], @@ -144181,9 +145496,9 @@ }, { "advisory": "Splitio-client 9.1.2 updates its dependency 'pyyaml' minimum requirement to v5.4 to include security fixes.", - "cve": "CVE-2019-20477", - "id": "pyup.io-48016", - "more_info_path": "/vulnerabilities/CVE-2019-20477/48016", + "cve": "CVE-2020-14343", + "id": "pyup.io-48011", + "more_info_path": "/vulnerabilities/CVE-2020-14343/48011", "specs": [ "<9.1.2" ], 
@@ -145175,7 +146490,7 @@ "v": ">=0,<1.27.0" }, { - "advisory": "**Synopsis:** Streamlit open source publicizes a prior security fix implemented in 2021. The vulnerability affected Streamlit versions between 0.63.0 and 0.80.0 (inclusive) and was patched on April 21, 2021. If you are using Streamlit with version before 0.63.0 or after 0.80.0, no action is required. \n# 1. Impacted Products\nStreamilt Open Source versions between 0.63.0 and 0.80.0.\n# 2. Introduction\nOn April 21, 2021, Streamlit merged a patch that fixed a cross-site scripting (XSS) vulnerability in the Streamlit open source library, without an associated public advisory. The vulnerability affected Streamlit versions between 0.63.0 and 0.80.0 (inclusive), which are no longer supported. We recommend using the latest version of our library, but so long as you are not using an affected Streamlit version, no action is required. \n# 3. Cross Site Scripting Vulnerability \n## 3.1 Description\nOn April 20, 2021, Streamlit was informed via our support forum about a XSS vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on April 21st, 2021. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of [5.9](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)\n## 3.2 Scenarios and attack vector(s)\nUsers of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to an XSS. \n## 3.3 Our response\nStreamlit fixed and merged a patch for this vulnerability on April 21, 2021. The vulnerability was fixed within 24hrs of notification to Streamlit. 
\n## 3.4 Resolution\nThe vulnerability has been fixed in all Streamlit versions released since April 21, 2021. The affected versions \u2013 those between 0.63.0 and 0.80.0 (inclusive) \u2013 are no longer supported. We recommend always using supported versions of the Streamlit open source library. Version 1.19.0 is current as of this advisory. \n# 4. Contact\nPlease contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).", + "advisory": "Streamlit affected versions have a cross-site scripting (XSS) vulnerability. Hosted Streamlit app(s) users were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS.", "cve": "CVE-2023-27494", "id": "pyup.io-54668", "more_info_path": "/vulnerabilities/CVE-2023-27494/54668", 
@@ -145185,7 +146500,7 @@ "v": ">=0.63.0,<0.81.0" }, { - "advisory": "Streamlit 1.11.1 includes a fix for CVE-2022-35918: Directory traversal vulnerability.\r\nhttps://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc", + "advisory": "In Streamlit affected versions, users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world-readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.", "cve": "CVE-2022-35918", "id": "pyup.io-50437", "more_info_path": "/vulnerabilities/CVE-2022-35918/50437", @@ -145774,7 +147089,7 @@ ], "supervisor": [ { - "advisory": "Affected versions of Supervisor allow an unauthenticated user to read log files or restart a service when the inet_http_server component is enabled without a password. While this component is not activated by default, failure to secure it with a password exposes the system to unauthorized access. Logged warnings and documentation advisories were added to prevent this risky usage.", + "advisory": "** Disputed ** Affected versions of Supervisor allow an unauthenticated user to read log files or restart a service when the inet_http_server component is enabled without a password. While this component is not activated by default, failure to secure it with a password exposes the system to unauthorized access. Logged warnings and documentation advisories were added to prevent this risky usage.", "cve": "CVE-2019-12105", "id": "pyup.io-70372", "more_info_path": "/vulnerabilities/CVE-2019-12105/70372", 
@@ -146394,16 +147709,6 @@ ], "v": "<0.8.2b40" }, - { - "advisory": "Syft 0.8.4b4 updates its dependency 'certifi' to 2023.7.22 to include a security fix on the CVE-2022-23491.\r\nhttps://github.com/OpenMined/PySyft/pull/8356", - "cve": "CVE-2022-23491", - "id": "pyup.io-63086", - "more_info_path": "/vulnerabilities/CVE-2022-23491/63086", - "specs": [ - "<0.8.4b4" - ], - "v": "<0.8.4b4" - }, { "advisory": "Syft 0.8.4b4 updates its dependency 'pygments' to 2.15.0 to include a security fix on the CVE-2021-27291.\r\nhttps://github.com/OpenMined/PySyft/pull/8356", "cve": "CVE-2021-27291", @@ -146454,6 +147759,16 @@ ], "v": "<0.8.4b4" }, + { + "advisory": "Syft 0.8.4b4 updates its dependency 'certifi' to 2023.7.22 to include a security fix on the CVE-2022-23491.\r\nhttps://github.com/OpenMined/PySyft/pull/8356", + "cve": "CVE-2022-23491", + "id": "pyup.io-63086", + "more_info_path": "/vulnerabilities/CVE-2022-23491/63086", + "specs": [ + "<0.8.4b4" + ], + "v": "<0.8.4b4" + }, { "advisory": "Syft 0.8.4b4 updates its dependency 'requests' to 2.31.0 to include a security fix on the CVE-2023-32681.\r\nhttps://github.com/OpenMined/PySyft/pull/8356", "cve": "CVE-2023-32681", 
@@ -146638,20 +147953,20 @@ "v": "<0.10.0" }, { - "advisory": "Synapseml 0.10.0 updates its NPM dependency 'node-forge' to v1.3.0 to include security fixes.", - "cve": "CVE-2022-24771", - "id": "pyup.io-50832", - "more_info_path": "/vulnerabilities/CVE-2022-24771/50832", + "advisory": "Synapseml 0.10.0 updates its NPM dependency 'prismjs' to v1.27.0 to include a security fix.", + "cve": "CVE-2022-23647", + "id": "pyup.io-50835", + "more_info_path": "/vulnerabilities/CVE-2022-23647/50835", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { - "advisory": "Synapseml 0.10.0 updates its NPM dependency 'prismjs' to v1.27.0 to include a security fix.", - "cve": "CVE-2022-23647", - "id": "pyup.io-50835", - "more_info_path": "/vulnerabilities/CVE-2022-23647/50835", + "advisory": "Synapseml 0.10.0 updates its NPM dependency 'node-forge' to v1.3.0 to include security fixes.", + "cve": "CVE-2022-24771", + "id": "pyup.io-50832", + "more_info_path": "/vulnerabilities/CVE-2022-24771/50832", "specs": [ "<0.10.0" ], @@ -146749,9 +148064,9 @@ }, { "advisory": "Synapseml 0.9.0 updates its dependency 'openjdk' to include several security fixes.\r\nhttps://github.com/microsoft/SynapseML/commit/de4b47b8b6643575eb8dec470dec0dadfd1d836b", - "cve": "CVE-2019-3844", - "id": "pyup.io-54956", - "more_info_path": "/vulnerabilities/CVE-2019-3844/54956", + "cve": "CVE-2019-3843", + "id": "pyup.io-54957", + "more_info_path": "/vulnerabilities/CVE-2019-3843/54957", "specs": [ "<0.9.0" ], @@ -146759,9 +148074,9 @@ }, { "advisory": "Synapseml 0.9.0 updates its dependency 'openjdk' to include several security fixes.\r\nhttps://github.com/microsoft/SynapseML/commit/de4b47b8b6643575eb8dec470dec0dadfd1d836b", - "cve": "CVE-2020-1967", - "id": "pyup.io-54958", - "more_info_path": "/vulnerabilities/CVE-2020-1967/54958", + "cve": "CVE-2019-12290", + "id": "pyup.io-54955", + "more_info_path": "/vulnerabilities/CVE-2019-12290/54955", "specs": [ "<0.9.0" ], 
@@ -146769,9 +148084,9 @@ }, { "advisory": "Synapseml 0.9.0 updates its dependency 'openjdk' to include several security fixes.\r\nhttps://github.com/microsoft/SynapseML/commit/de4b47b8b6643575eb8dec470dec0dadfd1d836b", - "cve": "CVE-2019-8457", - "id": "pyup.io-54960", - "more_info_path": "/vulnerabilities/CVE-2019-8457/54960", + "cve": "CVE-2020-1967", + "id": "pyup.io-54958", + "more_info_path": "/vulnerabilities/CVE-2020-1967/54958", "specs": [ "<0.9.0" ], @@ -146779,9 +148094,9 @@ }, { "advisory": "Synapseml 0.9.0 updates its dependency 'openjdk' to include several security fixes.\r\nhttps://github.com/microsoft/SynapseML/commit/de4b47b8b6643575eb8dec470dec0dadfd1d836b", - "cve": "CVE-2019-12290", - "id": "pyup.io-54955", - "more_info_path": "/vulnerabilities/CVE-2019-12290/54955", + "cve": "CVE-2019-3844", + "id": "pyup.io-54956", + "more_info_path": "/vulnerabilities/CVE-2019-3844/54956", "specs": [ "<0.9.0" ], @@ -146789,9 +148104,9 @@ }, { "advisory": "Synapseml 0.9.0 updates its dependency 'openjdk' to include several security fixes.\r\nhttps://github.com/microsoft/SynapseML/commit/de4b47b8b6643575eb8dec470dec0dadfd1d836b", - "cve": "CVE-2019-3843", - "id": "pyup.io-54957", - "more_info_path": "/vulnerabilities/CVE-2019-3843/54957", + "cve": "CVE-2019-8457", + "id": "pyup.io-54960", + "more_info_path": "/vulnerabilities/CVE-2019-8457/54960", "specs": [ "<0.9.0" ], 
@@ -147124,6 +148439,18 @@ "v": "<0.8.0" } ], + "taipy": [ + { + "advisory": "Affected versions of Taipy have a session cookie missing both the Secure and HttpOnly flags. Without the Secure flag, the cookie can be transmitted over insecure HTTP connections, exposing it to potential interception or tampering. The absence of the HttpOnly flag allows the cookie to be accessed by client-side JavaScript, increasing the risk of cross-site scripting (XSS) attacks.", + "cve": "PVE-2024-72965", + "id": "pyup.io-72965", + "more_info_path": "/vulnerabilities/PVE-2024-72965/72965", + "specs": [ + ">=0" + ], + "v": ">=0" + } + ], "tair": [ { "advisory": "Tair 1.3.3 updates its dependency 'redis' to version '4.4.4' to fix a Race Condition vulnerability.\r\nhttps://github.com/tair-opensource/tair-py/commit/9640ee7b29faba60c06e9b63bf13484b2814c29d", @@ -147593,9 +148920,9 @@ }, { "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.", - "cve": "CVE-2017-12794", - "id": "pyup.io-38940", - "more_info_path": "/vulnerabilities/CVE-2017-12794/38940", + "cve": "CVE-2018-7536", + "id": "pyup.io-49768", + "more_info_path": "/vulnerabilities/CVE-2018-7536/49768", "specs": [ "<11.0.4" ], @@ -147603,9 +148930,9 @@ }, { "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.", - "cve": "CVE-2018-7536", - "id": "pyup.io-49768", - "more_info_path": "/vulnerabilities/CVE-2018-7536/49768", + "cve": "CVE-2017-12794", + "id": "pyup.io-38940", + "more_info_path": "/vulnerabilities/CVE-2017-12794/38940", "specs": [ "<11.0.4" ], 
@@ -147633,9 +148960,9 @@ }, { "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.", - "cve": "CVE-2018-14040", - "id": "pyup.io-42994", - "more_info_path": "/vulnerabilities/CVE-2018-14040/42994", + "cve": "CVE-2018-20677", + "id": "pyup.io-42992", + "more_info_path": "/vulnerabilities/CVE-2018-20677/42992", "specs": [ "<11.2.8" ], @@ -147643,9 +148970,9 @@ }, { "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.", - "cve": "CVE-2016-10735", - "id": "pyup.io-42996", - "more_info_path": "/vulnerabilities/CVE-2016-10735/42996", + "cve": "CVE-2018-20676", + "id": "pyup.io-42993", + "more_info_path": "/vulnerabilities/CVE-2018-20676/42993", "specs": [ "<11.2.8" ], @@ -147653,9 +148980,9 @@ }, { "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.", - "cve": "CVE-2018-14042", - "id": "pyup.io-42995", - "more_info_path": "/vulnerabilities/CVE-2018-14042/42995", + "cve": "CVE-2018-14040", + "id": "pyup.io-42994", + "more_info_path": "/vulnerabilities/CVE-2018-14040/42994", "specs": [ "<11.2.8" ], @@ -147663,9 +148990,9 @@ }, { "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.", - "cve": "CVE-2019-8331", - "id": "pyup.io-37150", - "more_info_path": "/vulnerabilities/CVE-2019-8331/37150", + "cve": "CVE-2016-10735", + "id": "pyup.io-42996", + "more_info_path": "/vulnerabilities/CVE-2016-10735/42996", "specs": [ "<11.2.8" ], 
@@ -147673,9 +149000,9 @@ }, { "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.", - "cve": "CVE-2018-20677", - "id": "pyup.io-42992", - "more_info_path": "/vulnerabilities/CVE-2018-20677/42992", + "cve": "CVE-2018-14042", + "id": "pyup.io-42995", + "more_info_path": "/vulnerabilities/CVE-2018-14042/42995", "specs": [ "<11.2.8" ], @@ -147683,9 +149010,9 @@ }, { "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.", - "cve": "CVE-2018-20676", - "id": "pyup.io-42993", - "more_info_path": "/vulnerabilities/CVE-2018-20676/42993", + "cve": "CVE-2019-8331", + "id": "pyup.io-37150", + "more_info_path": "/vulnerabilities/CVE-2019-8331/37150", "specs": [ "<11.2.8" ], @@ -147803,19 +149130,19 @@ }, { "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-27921", - "id": "pyup.io-43489", - "more_info_path": "/vulnerabilities/CVE-2021-27921/43489", + "cve": "CVE-2021-25292", + "id": "pyup.io-43492", + "more_info_path": "/vulnerabilities/CVE-2021-25292/43492", "specs": [ "<12.4.8" ], "v": "<12.4.8" }, { - "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-25290", - "id": "pyup.io-43487", - "more_info_path": "/vulnerabilities/CVE-2021-25290/43487", + "advisory": "Tendenci 12.4.8 tightens the security check for the password change page.\r\nhttps://github.com/tendenci/tendenci/commit/4101194640b5d5dc99c01efdfa80c34bdba2b158", + "cve": "PVE-2021-40133", + "id": "pyup.io-43486", + "more_info_path": "/vulnerabilities/PVE-2021-40133/43486", "specs": [ "<12.4.8" ], 
@@ -147823,9 +149150,9 @@ }, { "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-25292", - "id": "pyup.io-43492", - "more_info_path": "/vulnerabilities/CVE-2021-25292/43492", + "cve": "CVE-2021-25289", + "id": "pyup.io-40133", + "more_info_path": "/vulnerabilities/CVE-2021-25289/40133", "specs": [ "<12.4.8" ], @@ -147833,19 +149160,19 @@ }, { "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-25291", - "id": "pyup.io-43491", - "more_info_path": "/vulnerabilities/CVE-2021-25291/43491", + "cve": "CVE-2021-27923", + "id": "pyup.io-43490", + "more_info_path": "/vulnerabilities/CVE-2021-27923/43490", "specs": [ "<12.4.8" ], "v": "<12.4.8" }, { - "advisory": "Tendenci 12.4.8 tightens the security check for the password change page.\r\nhttps://github.com/tendenci/tendenci/commit/4101194640b5d5dc99c01efdfa80c34bdba2b158", - "cve": "PVE-2021-40133", - "id": "pyup.io-43486", - "more_info_path": "/vulnerabilities/PVE-2021-40133/43486", + "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", + "cve": "CVE-2021-27921", + "id": "pyup.io-43489", + "more_info_path": "/vulnerabilities/CVE-2021-27921/43489", "specs": [ "<12.4.8" ], @@ -147853,9 +149180,9 @@ }, { "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-27923", - "id": "pyup.io-43490", - "more_info_path": "/vulnerabilities/CVE-2021-27923/43490", + "cve": "CVE-2021-25290", + "id": "pyup.io-43487", + "more_info_path": "/vulnerabilities/CVE-2021-25290/43487", "specs": [ "<12.4.8" ], 
@@ -147863,9 +149190,9 @@ }, { "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-25289", - "id": "pyup.io-40133", - "more_info_path": "/vulnerabilities/CVE-2021-25289/40133", + "cve": "CVE-2021-27922", + "id": "pyup.io-43488", + "more_info_path": "/vulnerabilities/CVE-2021-27922/43488", "specs": [ "<12.4.8" ], @@ -147873,9 +149200,9 @@ }, { "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.", - "cve": "CVE-2021-27922", - "id": "pyup.io-43488", - "more_info_path": "/vulnerabilities/CVE-2021-27922/43488", + "cve": "CVE-2021-25291", + "id": "pyup.io-43491", + "more_info_path": "/vulnerabilities/CVE-2021-25291/43491", "specs": [ "<12.4.8" ], 
@@ -148795,14 +150122,24 @@ "v": "<2.12.1,>=2.13.0rc0,<2.13.0" }, { - "advisory": "Improper buffer restrictions in Intel(R) Optimization for TensorFlow before version 2.13.0 may allow an authenticated user to potentially enable escalation of privilege via local access. See CVE-2023-30767.", - "cve": "CVE-2023-30767", - "id": "pyup.io-65691", - "more_info_path": "/vulnerabilities/CVE-2023-30767/65691", + "advisory": "TensorFlow updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.", + "cve": "CVE-2023-38546", + "id": "pyup.io-72611", + "more_info_path": "/vulnerabilities/CVE-2023-38546/72611", "specs": [ - "<2.13.0" + "<2.14.1" ], - "v": "<2.13.0" + "v": "<2.14.1" + }, + { + "advisory": "TensorFlow updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.", + "cve": "CVE-2023-38545", + "id": "pyup.io-72612", + "more_info_path": "/vulnerabilities/CVE-2023-38545/72612", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" }, { "advisory": "TensorFlow 2.4.0 includes a fix for CVE-2020-15265: In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.", 
@@ -150098,19 +151435,6 @@ ], "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" }, - { - "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", - "cve": "CVE-2022-27780", - "id": "pyup.io-48661", - "more_info_path": "/vulnerabilities/CVE-2022-27780/48661", - "specs": [ - "<2.6.4", - ">=2.7.0rc0,<2.7.2", - ">=2.8.0rc0,<2.8.1", - ">=2.9.0rc0,<2.9.0" - ], - "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" - }, { "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29195: Missing validation which causes denial of service via 'StagePeek'.", "cve": "CVE-2022-29195", @@ -150202,6 +151526,19 @@ ], "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" }, + { + "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", + "cve": "CVE-2022-27780", + "id": "pyup.io-48661", + "more_info_path": "/vulnerabilities/CVE-2022-27780/48661", + "specs": [ + "<2.6.4", + ">=2.7.0rc0,<2.7.2", + ">=2.8.0rc0,<2.8.1", + ">=2.9.0rc0,<2.9.0" + ], + "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" + }, { "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29205: Segfault due to missing support for quantized types.", "cve": "CVE-2022-29205", 
@@ -154467,6 +155804,26 @@ ], "v": "<2.12.1,>=2.13.0rc0,<2.13.0" }, + { + "advisory": "Tensorflow-aarch64 updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.", + "cve": "CVE-2023-38545", + "id": "pyup.io-72936", + "more_info_path": "/vulnerabilities/CVE-2023-38545/72936", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" + }, + { + "advisory": "TensorFlow-aarch64 updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.", + "cve": "CVE-2023-38546", + "id": "pyup.io-72935", + "more_info_path": "/vulnerabilities/CVE-2023-38546/72935", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" + }, { "advisory": "Tensorflow-aarch64 before version 2.7.3 is vulnerable to several vulnerabilities, affecting confidentiality, integrity and availability.", "cve": "PVE-2023-56372", 
@@ -156272,6 +157629,26 @@ ], "v": "<2.12.1,>=2.13.0rc0,<2.13.0" }, + { + "advisory": "TensorFlow-CPU updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.", + "cve": "CVE-2023-38545", + "id": "pyup.io-72613", + "more_info_path": "/vulnerabilities/CVE-2023-38545/72613", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" + }, + { + "advisory": "TensorFlow-GPU updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.", + "cve": "CVE-2023-38546", + "id": "pyup.io-72616", + "more_info_path": "/vulnerabilities/CVE-2023-38546/72616", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" + }, { "advisory": "Tensorflow-cpu 2.4.0 includes a fix for CVE-2020-15265: In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.", "cve": "CVE-2020-15265", 
@@ -157483,6 +158860,19 @@ ], "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" }, + { + "advisory": "Tensorflow-cpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", + "cve": "CVE-2022-27780", + "id": "pyup.io-55542", + "more_info_path": "/vulnerabilities/CVE-2022-27780/55542", + "specs": [ + "<2.6.4", + ">=2.7.0rc0,<2.7.2", + ">=2.8.0rc0,<2.8.1", + ">=2.9.0rc0,<2.9.0" + ], + "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" + }, { "advisory": "Tensorflow-cpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29199: Missing validation which causes denial of service via 'LoadAndRemapMatrix'.", "cve": "CVE-2022-29199", @@ -157873,19 +159263,6 @@ ], "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" }, - { - "advisory": "Tensorflow-cpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", - "cve": "CVE-2022-27780", - "id": "pyup.io-55542", - "more_info_path": "/vulnerabilities/CVE-2022-27780/55542", - "specs": [ - "<2.6.4", - ">=2.7.0rc0,<2.7.2", - ">=2.8.0rc0,<2.8.1", - ">=2.9.0rc0,<2.9.0" - ], - "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0" - }, { "advisory": "Tensorflow-cpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29207: Issues arising from undefined behavior stemming from users supplying invalid resource handles.", "cve": "CVE-2022-29207", 
@@ -161876,6 +163253,26 @@ ], "v": "<2.12.1,>=2.13.0rc0,<2.13.0" }, + { + "advisory": "Tensorflow-cpu-aws updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.", + "cve": "CVE-2023-38545", + "id": "pyup.io-72941", + "more_info_path": "/vulnerabilities/CVE-2023-38545/72941", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" + }, + { + "advisory": "Tensorflow-cpu-aws updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.", + "cve": "CVE-2023-38546", + "id": "pyup.io-72942", + "more_info_path": "/vulnerabilities/CVE-2023-38546/72942", + "specs": [ + "<2.14.1" + ], + "v": "<2.14.1" + }, { "advisory": "Tensorflow-cpu-aws 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35940: Int overflow in 'RaggedRangeOp'.\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x989-q2pq-4q5x", "cve": "CVE-2022-35940", @@ -163299,9 +164696,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29216", - "id": "pyup.io-49295", - "more_info_path": "/vulnerabilities/CVE-2022-29216/49295", + "cve": "CVE-2022-29192", + "id": "pyup.io-49273", + "more_info_path": "/vulnerabilities/CVE-2022-29192/49273", "specs": [ "<0.25.0" ], @@ -163309,9 +164706,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27779", - "id": "pyup.io-49268", - "more_info_path": "/vulnerabilities/CVE-2022-27779/49268", + "cve": "CVE-2022-29198", + "id": "pyup.io-49279", + "more_info_path": "/vulnerabilities/CVE-2022-29198/49279", "specs": [ "<0.25.0" ], 
@@ -163319,9 +164716,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29206", - "id": "pyup.io-49287", - "more_info_path": "/vulnerabilities/CVE-2022-29206/49287", + "cve": "CVE-2022-29203", + "id": "pyup.io-49284", + "more_info_path": "/vulnerabilities/CVE-2022-29203/49284", "specs": [ "<0.25.0" ], @@ -163329,9 +164726,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29191", - "id": "pyup.io-49272", - "more_info_path": "/vulnerabilities/CVE-2022-29191/49272", + "cve": "CVE-2022-29194", + "id": "pyup.io-49275", + "more_info_path": "/vulnerabilities/CVE-2022-29194/49275", "specs": [ "<0.25.0" ], @@ -163339,9 +164736,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29211", - "id": "pyup.io-49292", - "more_info_path": "/vulnerabilities/CVE-2022-29211/49292", + "cve": "CVE-2022-29193", + "id": "pyup.io-49274", + "more_info_path": "/vulnerabilities/CVE-2022-29193/49274", "specs": [ "<0.25.0" ], @@ -163349,9 +164746,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29196", - "id": "pyup.io-49277", - "more_info_path": "/vulnerabilities/CVE-2022-29196/49277", + "cve": "CVE-2022-29212", + "id": "pyup.io-49293", + "more_info_path": "/vulnerabilities/CVE-2022-29212/49293", "specs": [ "<0.25.0" ], @@ -163359,9 +164756,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2018-25032", - "id": "pyup.io-49261", - "more_info_path": "/vulnerabilities/CVE-2018-25032/49261", + "cve": "CVE-2022-27776", + "id": "pyup.io-49266", + "more_info_path": "/vulnerabilities/CVE-2022-27776/49266", "specs": [ "<0.25.0" ], 
@@ -163369,9 +164766,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27780", - "id": "pyup.io-49269", - "more_info_path": "/vulnerabilities/CVE-2022-27780/49269", + "cve": "CVE-2022-27774", + "id": "pyup.io-49264", + "more_info_path": "/vulnerabilities/CVE-2022-27774/49264", "specs": [ "<0.25.0" ], @@ -163379,9 +164776,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27781", - "id": "pyup.io-49270", - "more_info_path": "/vulnerabilities/CVE-2022-27781/49270", + "cve": "CVE-2022-27775", + "id": "pyup.io-49265", + "more_info_path": "/vulnerabilities/CVE-2022-27775/49265", "specs": [ "<0.25.0" ], @@ -163389,9 +164786,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29205", - "id": "pyup.io-49286", - "more_info_path": "/vulnerabilities/CVE-2022-29205/49286", + "cve": "CVE-2022-29209", + "id": "pyup.io-49290", + "more_info_path": "/vulnerabilities/CVE-2022-29209/49290", "specs": [ "<0.25.0" ], @@ -163399,9 +164796,19 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29197", - "id": "pyup.io-49278", - "more_info_path": "/vulnerabilities/CVE-2022-29197/49278", + "cve": "CVE-2022-29204", + "id": "pyup.io-49285", + "more_info_path": "/vulnerabilities/CVE-2022-29204/49285", + "specs": [ + "<0.25.0" + ], + "v": "<0.25.0" + }, + { + "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", + "cve": "CVE-2022-29201", + "id": "pyup.io-49282", + "more_info_path": "/vulnerabilities/CVE-2022-29201/49282", "specs": [ "<0.25.0" ], 
@@ -163419,9 +164826,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29201", - "id": "pyup.io-49282", - "more_info_path": "/vulnerabilities/CVE-2022-29201/49282", + "cve": "CVE-2022-29205", + "id": "pyup.io-49286", + "more_info_path": "/vulnerabilities/CVE-2022-29205/49286", "specs": [ "<0.25.0" ], @@ -163429,9 +164836,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29204", - "id": "pyup.io-49285", - "more_info_path": "/vulnerabilities/CVE-2022-29204/49285", + "cve": "CVE-2022-29197", + "id": "pyup.io-49278", + "more_info_path": "/vulnerabilities/CVE-2022-29197/49278", "specs": [ "<0.25.0" ], @@ -163439,9 +164846,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29209", - "id": "pyup.io-49290", - "more_info_path": "/vulnerabilities/CVE-2022-29209/49290", + "cve": "CVE-2022-27781", + "id": "pyup.io-49270", + "more_info_path": "/vulnerabilities/CVE-2022-27781/49270", "specs": [ "<0.25.0" ], @@ -163449,9 +164856,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27775", - "id": "pyup.io-49265", - "more_info_path": "/vulnerabilities/CVE-2022-27775/49265", + "cve": "CVE-2018-25032", + "id": "pyup.io-49261", + "more_info_path": "/vulnerabilities/CVE-2018-25032/49261", "specs": [ "<0.25.0" ], @@ -163459,9 +164866,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27774", - "id": "pyup.io-49264", - "more_info_path": "/vulnerabilities/CVE-2022-27774/49264", + "cve": "CVE-2022-29196", + "id": "pyup.io-49277", + "more_info_path": "/vulnerabilities/CVE-2022-29196/49277", "specs": [ "<0.25.0" ], 
@@ -163469,9 +164876,9 @@
 },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-27776",
- "id": "pyup.io-49266",
- "more_info_path": "/vulnerabilities/CVE-2022-27776/49266",
+ "cve": "CVE-2022-29211",
+ "id": "pyup.io-49292",
+ "more_info_path": "/vulnerabilities/CVE-2022-29211/49292",
 "specs": [
 "<0.25.0"
 ],
@@ -163479,9 +164886,9 @@
 },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29192",
- "id": "pyup.io-49273",
- "more_info_path": "/vulnerabilities/CVE-2022-29192/49273",
+ "cve": "CVE-2022-29191",
+ "id": "pyup.io-49272",
+ "more_info_path": "/vulnerabilities/CVE-2022-29191/49272",
 "specs": [
 "<0.25.0"
 ],
@@ -163489,9 +164896,9 @@
 },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29198",
- "id": "pyup.io-49279",
- "more_info_path": "/vulnerabilities/CVE-2022-29198/49279",
+ "cve": "CVE-2022-29206",
+ "id": "pyup.io-49287",
+ "more_info_path": "/vulnerabilities/CVE-2022-29206/49287",
 "specs": [
 "<0.25.0"
 ],
@@ -163499,9 +164906,9 @@
 },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29212",
- "id": "pyup.io-49293",
- "more_info_path": "/vulnerabilities/CVE-2022-29212/49293",
+ "cve": "CVE-2022-27779",
+ "id": "pyup.io-49268",
+ "more_info_path": "/vulnerabilities/CVE-2022-27779/49268",
 "specs": [
 "<0.25.0"
 ],
@@ -163509,9 +164916,9 @@
 },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29193",
- "id": "pyup.io-49274",
- "more_info_path": "/vulnerabilities/CVE-2022-29193/49274",
+ "cve": "CVE-2022-29216",
+ "id": "pyup.io-49295",
+ "more_info_path": "/vulnerabilities/CVE-2022-29216/49295",
 "specs": [
 "<0.25.0"
 ],
@@ -163519,9 +164926,29 @@
 },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29203",
- "id": "pyup.io-49284",
- "more_info_path": "/vulnerabilities/CVE-2022-29203/49284",
+ "cve": "CVE-2022-27780",
+ "id": "pyup.io-49269",
+ "more_info_path": "/vulnerabilities/CVE-2022-27780/49269",
+ "specs": [
+ "<0.25.0"
+ ],
+ "v": "<0.25.0"
+ },
+ {
+ "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
+ "cve": "CVE-2022-29202",
+ "id": "pyup.io-49283",
+ "more_info_path": "/vulnerabilities/CVE-2022-29202/49283",
+ "specs": [
+ "<0.25.0"
+ ],
+ "v": "<0.25.0"
+ },
+ {
+ "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
+ "cve": "CVE-2022-29199",
+ "id": "pyup.io-49280",
+ "more_info_path": "/vulnerabilities/CVE-2022-29199/49280",
 "specs": [
 "<0.25.0"
 ],
@@ -163557,16 +164984,6 @@
 ],
 "v": "<0.25.0"
 },
- {
- "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29194",
- "id": "pyup.io-49275",
- "more_info_path": "/vulnerabilities/CVE-2022-29194/49275",
- "specs": [
- "<0.25.0"
- ],
- "v": "<0.25.0"
- },
 {
 "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
 "cve": "CVE-2022-29208",
@@ -163616,26 +165033,6 @@
 "<0.25.0"
 ],
 "v": "<0.25.0"
- },
- {
- "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29199",
- "id": "pyup.io-49280",
- "more_info_path": "/vulnerabilities/CVE-2022-29199/49280",
- "specs": [
- "<0.25.0"
- ],
- "v": "<0.25.0"
- },
- {
- "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.",
- "cve": "CVE-2022-29202",
- "id": "pyup.io-49283",
- "more_info_path": "/vulnerabilities/CVE-2022-29202/49283",
- "specs": [
- "<0.25.0"
- ],
- "v": "<0.25.0"
 }
 ],
 "tensorflow-gpu": [
@@ -163692,10 +165089,10 @@
 "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1"
 },
 {
- "advisory": "Tensorflow-gpu versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2019-13960.",
- "cve": "CVE-2019-13960",
- "id": "pyup.io-56352",
- "more_info_path": "/vulnerabilities/CVE-2019-13960/56352",
+ "advisory": "Tensorflow-gpu versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"Apache Spark\" to handle CVE-2018-17190.",
+ "cve": "CVE-2018-17190",
+ "id": "pyup.io-56353",
+ "more_info_path": "/vulnerabilities/CVE-2018-17190/56353",
 "specs": [
 "<1.15.3",
 ">=2.0.0a0,<2.0.2",
@@ -163704,10 +165101,10 @@
 "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1"
 },
 {
- "advisory": "Tensorflow-gpu versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"Apache Spark\" to handle CVE-2018-17190.",
- "cve": "CVE-2018-17190",
- "id": "pyup.io-56353",
- "more_info_path": "/vulnerabilities/CVE-2018-17190/56353",
+ "advisory": "Tensorflow-gpu versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2019-13960.",
+ "cve": "CVE-2019-13960",
+ "id": "pyup.io-56352",
+ "more_info_path": "/vulnerabilities/CVE-2019-13960/56352",
 "specs": [
 "<1.15.3",
 ">=2.0.0a0,<2.0.2",
@@ -164496,6 +165893,26 @@
 ],
 "v": "<2.12.1,>=2.13.0rc0,<2.13.0"
 },
+ {
+ "advisory": "TensorFlow-GPU updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.",
+ "cve": "CVE-2023-38545",
+ "id": "pyup.io-72615",
+ "more_info_path": "/vulnerabilities/CVE-2023-38545/72615",
+ "specs": [
+ "<2.14.1"
+ ],
+ "v": "<2.14.1"
+ },
+ {
+ "advisory": "TensorFlow-GPU updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.",
+ "cve": "CVE-2023-38546",
+ "id": "pyup.io-72614",
+ "more_info_path": "/vulnerabilities/CVE-2023-38546/72614",
+ "specs": [
+ "<2.14.1"
+ ],
+ "v": "<2.14.1"
+ },
 {
 "advisory": "Tensorflow-gpu 2.4.0 includes a fix for CVE-2020-15266: In Tensorflow before version 2.4.0, when the 'boxes' argument of 'tf.image.crop_and_resize' has a very large value, the CPU kernel implementation receives it as a C++ 'nan' floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.\nhttps://github.com/tensorflow/tensorflow/issues/42129\nhttps://github.com/tensorflow/tensorflow/pull/42143/commits/3ade2efec2e90c6237de32a19680caaa3ebc2845\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xwhf-g6j5-j5gc",
 "cve": "CVE-2020-15266",
@@ -165707,19 +167124,6 @@
 ],
 "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
 },
- {
- "advisory": "Tensorflow-gpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.",
- "cve": "CVE-2022-27780",
- "id": "pyup.io-56019",
- "more_info_path": "/vulnerabilities/CVE-2022-27780/56019",
- "specs": [
- "<2.6.4",
- ">=2.7.0rc0,<2.7.2",
- ">=2.8.0rc0,<2.8.1",
- ">=2.9.0rc0,<2.9.0"
- ],
- "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
- },
 {
 "advisory": "Tensorflow-gpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-30115.",
 "cve": "CVE-2022-30115",
@@ -165863,6 +167267,19 @@
 ],
 "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
 },
+ {
+ "advisory": "Tensorflow-gpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.",
+ "cve": "CVE-2022-27780",
+ "id": "pyup.io-56019",
+ "more_info_path": "/vulnerabilities/CVE-2022-27780/56019",
+ "specs": [
+ "<2.6.4",
+ ">=2.7.0rc0,<2.7.2",
+ ">=2.8.0rc0,<2.8.1",
+ ">=2.9.0rc0,<2.9.0"
+ ],
+ "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
+ },
 {
 "advisory": "Tensorflow-gpu versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29205: Segfault due to missing support for quantized types.",
 "cve": "CVE-2022-29205",
@@ -170692,6 +172109,26 @@
 ],
 "v": "<2.12.1,>=2.13.0rc0,<2.13.0"
 },
+ {
+ "advisory": "Tensorflow-intel updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.",
+ "cve": "CVE-2023-38546",
+ "id": "pyup.io-72937",
+ "more_info_path": "/vulnerabilities/CVE-2023-38546/72937",
+ "specs": [
+ "<2.14.1"
+ ],
+ "v": "<2.14.1"
+ },
+ {
+ "advisory": "Tensorflow-intel updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.",
+ "cve": "CVE-2023-38545",
+ "id": "pyup.io-72938",
+ "more_info_path": "/vulnerabilities/CVE-2023-38545/72938",
+ "specs": [
+ "<2.14.1"
+ ],
+ "v": "<2.14.1"
+ },
 {
 "advisory": "Tensorflow-intel 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41908: TensorFlow is an open source platform for machine learning. An input 'token' that is not a UTF-8 bytestring will trigger a 'CHECK' fail in 'tf.raw_ops.PyFunc'.\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv77-9g28-cwg3",
 "cve": "CVE-2022-41908",
@@ -171259,6 +172696,26 @@
 ],
 "v": "<2.12.1,>=2.13.0rc0,<2.13.0"
 },
+ {
+ "advisory": "Tensorflow-macos updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38545.",
+ "cve": "CVE-2023-38545",
+ "id": "pyup.io-72940",
+ "more_info_path": "/vulnerabilities/CVE-2023-38545/72940",
+ "specs": [
+ "<2.14.1"
+ ],
+ "v": "<2.14.1"
+ },
+ {
+ "advisory": "Tensorflow-macos updates its curl dependency from version 8.2.1 to 8.4.0 to address CVE-2023-38546.",
+ "cve": "CVE-2023-38546",
+ "id": "pyup.io-72939",
+ "more_info_path": "/vulnerabilities/CVE-2023-38546/72939",
+ "specs": [
+ "<2.14.1"
+ ],
+ "v": "<2.14.1"
+ },
 {
 "advisory": "Tensorflow-macos versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41204: In affected versions, during TensorFlow's Grappler optimizer phase, constant folding might attempt to deep copy a resource tensor. This results in a segfault, as these tensors are supposed to not change. The fix is included in TensorFlow 2.7.0.\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-786j-5qwq-r36x\nhttps://github.com/tensorflow/tensorflow/commit/7731e8dfbe4a56773be5dc94d631611211156659",
 "cve": "CVE-2021-41204",
@@ -172431,6 +173888,19 @@
 ],
 "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
 },
+ {
+ "advisory": "Tensorflow-macos versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.",
+ "cve": "CVE-2022-27780",
+ "id": "pyup.io-58373",
+ "more_info_path": "/vulnerabilities/CVE-2022-27780/58373",
+ "specs": [
+ "<2.6.4",
+ ">=2.7.0rc0,<2.7.2",
+ ">=2.8.0rc0,<2.8.1",
+ ">=2.9.0rc0,<2.9.0"
+ ],
+ "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
+ },
 {
 "advisory": "Tensorflow-macos versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29206: Missing validation which results in undefined behavior in 'SparseTensorDenseAdd'.",
 "cve": "CVE-2022-29206",
@@ -172834,19 +174304,6 @@
 ],
 "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
 },
- {
- "advisory": "Tensorflow-macos versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.",
- "cve": "CVE-2022-27780",
- "id": "pyup.io-58373",
- "more_info_path": "/vulnerabilities/CVE-2022-27780/58373",
- "specs": [
- "<2.6.4",
- ">=2.7.0rc0,<2.7.2",
- ">=2.8.0rc0,<2.8.1",
- ">=2.9.0rc0,<2.9.0"
- ],
- "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
- },
 {
 "advisory": "Affected versions of Tensorflow-macos are vulnerable to Denial of Service in the implementation of depthwise ops via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor. This is another instance of TFSA-2021-198 (CVE-2021-41197).",
 "cve": "PVE-2024-71511",
@@ -176477,19 +177934,6 @@
 ],
 "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
 },
- {
- "advisory": "Tensorflow-rocm versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.",
- "cve": "CVE-2022-27780",
- "id": "pyup.io-57675",
- "more_info_path": "/vulnerabilities/CVE-2022-27780/57675",
- "specs": [
- "<2.6.4",
- ">=2.7.0rc0,<2.7.2",
- ">=2.8.0rc0,<2.8.1",
- ">=2.9.0rc0,<2.9.0"
- ],
- "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
- },
 {
 "advisory": "Tensorflow-rocm versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29206: Missing validation which results in undefined behavior in 'SparseTensorDenseAdd'.",
 "cve": "CVE-2022-29206",
@@ -176568,6 +178012,19 @@
 ],
 "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
 },
+ {
+ "advisory": "Tensorflow-rocm versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.",
+ "cve": "CVE-2022-27780",
+ "id": "pyup.io-57675",
+ "more_info_path": "/vulnerabilities/CVE-2022-27780/57675",
+ "specs": [
+ "<2.6.4",
+ ">=2.7.0rc0,<2.7.2",
+ ">=2.8.0rc0,<2.8.1",
+ ">=2.9.0rc0,<2.9.0"
+ ],
+ "v": "<2.6.4,>=2.7.0rc0,<2.7.2,>=2.8.0rc0,<2.8.1,>=2.9.0rc0,<2.9.0"
+ },
 {
 "advisory": "Tensorflow-rocm versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29204: Missing validation which causes denial of service via 'Conv3DBackpropFilterV2'.",
 "cve": "CVE-2022-29204",
@@ -177852,6 +179309,26 @@
 ],
 "v": "<2.9.3,>=2.10.0rc0,<2.10.1"
 },
+ {
+ "advisory": "Tensorflow-rocm includes a vulnerable dependency, `curl` version 8.2.1, which is affected by CVE-2023-38545.",
+ "cve": "CVE-2023-38545",
+ "id": "pyup.io-72951",
+ "more_info_path": "/vulnerabilities/CVE-2023-38545/72951",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
+ {
+ "advisory": "Tensorflow-rocm includes a vulnerable dependency, `curl` version 8.2.1, which is affected by CVE-2023-38546.",
+ "cve": "CVE-2023-38546",
+ "id": "pyup.io-72949",
+ "more_info_path": "/vulnerabilities/CVE-2023-38546/72949",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
 {
 "advisory": "Tensorflow-rocm versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 updates its dependency \"SQLite\" to handle CVE-2020-15358.",
 "cve": "CVE-2020-15358",
@@ -184803,20 +186280,20 @@
 ],
 "testinfra-bdd": [
 {
- "advisory": "Testinfra-bdd 2.2.4 updates its dependency 'GitPython' to v3.1.30 to include a security fix.",
- "cve": "CVE-2022-24439",
- "id": "pyup.io-52602",
- "more_info_path": "/vulnerabilities/CVE-2022-24439/52602",
+ "advisory": "Testinfra-bdd 2.2.4 pins its dependency 'setuptools' to versions '>=65.5.1' to include a security fix.",
+ "cve": "CVE-2022-40897",
+ "id": "pyup.io-52656",
+ "more_info_path": "/vulnerabilities/CVE-2022-40897/52656",
 "specs": [
 "<2.2.4"
 ],
 "v": "<2.2.4"
 },
 {
- "advisory": "Testinfra-bdd 2.2.4 pins its dependency 'setuptools' to versions '>=65.5.1' to include a security fix.",
- "cve": "CVE-2022-40897",
- "id": "pyup.io-52656",
- "more_info_path": "/vulnerabilities/CVE-2022-40897/52656",
+ "advisory": "Testinfra-bdd 2.2.4 updates its dependency 'GitPython' to v3.1.30 to include a security fix.",
+ "cve": "CVE-2022-24439",
+ "id": "pyup.io-52602",
+ "more_info_path": "/vulnerabilities/CVE-2022-24439/52602",
 "specs": [
 "<2.2.4"
 ],
@@ -185927,6 +187404,18 @@
 "v": "<0.1.0"
 }
 ],
+ "that-depends": [
+ {
+ "advisory": "That-depends fixes a race condition that could lead to multiple instances being created, causing inconsistent states or denial of service. The update ensures proper synchronization to prevent these issues.",
+ "cve": "PVE-2024-72763",
+ "id": "pyup.io-72763",
+ "more_info_path": "/vulnerabilities/PVE-2024-72763/72763",
+ "specs": [
+ "<1.16.2"
+ ],
+ "v": "<1.16.2"
+ }
+ ],
 "thefuck": [
 {
 "advisory": "The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the \"undo archive operation\" feature.\r\nhttps://github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092",
@@ -186210,6 +187699,18 @@
 "v": ">0,<0"
 }
 ],
+ "timesketch": [
+ {
+ "advisory": "Timesketch upgrade urllib3 from version 1.22 to 1.24.1 to address CVE-2019-11324 vulnerability.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-72884",
+ "more_info_path": "/vulnerabilities/CVE-2019-11324/72884",
+ "specs": [
+ "<20240508.1"
+ ],
+ "v": "<20240508.1"
+ }
+ ],
 "timetagger": [
 {
 "advisory": "Timetagger 21.3.3 improves the authentication system to make it more secure (can revoke access).",
@@ -186427,20 +187928,20 @@
 "v": "<0.3.0.dev15"
 },
 {
- "advisory": "Toga-core 0.3.0.dev15 updates its dependency 'Django' minimum requirement to versions ~2.2 to include security fixes.",
- "cve": "CVE-2017-7233",
- "id": "pyup.io-48157",
- "more_info_path": "/vulnerabilities/CVE-2017-7233/48157",
+ "advisory": "Toga-core 0.3.0.dev15 updates its NPM dependency 'bootstrap' minimum requirement to versions >=4.3.1 to include a security fix.",
+ "cve": "CVE-2019-8331",
+ "id": "pyup.io-48156",
+ "more_info_path": "/vulnerabilities/CVE-2019-8331/48156",
 "specs": [
 "<0.3.0.dev15"
 ],
 "v": "<0.3.0.dev15"
 },
 {
- "advisory": "Toga-core 0.3.0.dev15 updates its NPM dependency 'bootstrap' minimum requirement to versions >=4.3.1 to include a security fix.",
- "cve": "CVE-2019-8331",
- "id": "pyup.io-48156",
- "more_info_path": "/vulnerabilities/CVE-2019-8331/48156",
+ "advisory": "Toga-core 0.3.0.dev15 updates its dependency 'Django' minimum requirement to versions ~2.2 to include security fixes.",
+ "cve": "CVE-2017-7233",
+ "id": "pyup.io-48157",
+ "more_info_path": "/vulnerabilities/CVE-2017-7233/48157",
 "specs": [
 "<0.3.0.dev15"
 ],
@@ -186526,16 +188027,6 @@
 ],
 "v": "<1.6.1"
 },
- {
- "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
- "cve": "CVE-2020-9402",
- "id": "pyup.io-49467",
- "more_info_path": "/vulnerabilities/CVE-2020-9402/49467",
- "specs": [
- "<1.6.1"
- ],
- "v": "<1.6.1"
- },
 {
 "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
 "cve": "CVE-2019-19118",
@@ -186578,9 +188069,9 @@
 },
 {
 "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
- "cve": "CVE-2020-13596",
- "id": "pyup.io-38397",
- "more_info_path": "/vulnerabilities/CVE-2020-13596/38397",
+ "cve": "CVE-2020-13254",
+ "id": "pyup.io-49466",
+ "more_info_path": "/vulnerabilities/CVE-2020-13254/49466",
 "specs": [
 "<1.6.1"
 ],
@@ -186588,9 +188079,9 @@
 },
 {
 "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
- "cve": "CVE-2020-13254",
- "id": "pyup.io-49466",
- "more_info_path": "/vulnerabilities/CVE-2020-13254/49466",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-49476",
+ "more_info_path": "/vulnerabilities/CVE-2019-12308/49476",
 "specs": [
 "<1.6.1"
 ],
@@ -186598,9 +188089,9 @@
 },
 {
 "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-49471",
- "more_info_path": "/vulnerabilities/CVE-2019-14234/49471",
+ "cve": "CVE-2020-13596",
+ "id": "pyup.io-38397",
+ "more_info_path": "/vulnerabilities/CVE-2020-13596/38397",
 "specs": [
 "<1.6.1"
 ],
@@ -186618,9 +188109,19 @@
 },
 {
 "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
- "cve": "CVE-2019-12308",
- "id": "pyup.io-49476",
- "more_info_path": "/vulnerabilities/CVE-2019-12308/49476",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-49471",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/49471",
+ "specs": [
+ "<1.6.1"
+ ],
+ "v": "<1.6.1"
+ },
+ {
+ "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.",
+ "cve": "CVE-2020-9402",
+ "id": "pyup.io-49467",
+ "more_info_path": "/vulnerabilities/CVE-2020-9402/49467",
 "specs": [
 "<1.6.1"
 ],
@@ -187383,16 +188884,6 @@
 ],
 "v": "<4.38.0"
 },
- {
- "advisory": "Transformers version 4.41.0 updates its `aiohttp` dependency from version 3.8.5 to 3.9.0 to address the security vulnerability identified as CVE-2023-49081.",
- "cve": "CVE-2023-49081",
- "id": "pyup.io-71037",
- "more_info_path": "/vulnerabilities/CVE-2023-49081/71037",
- "specs": [
- "<4.41.0"
- ],
- "v": "<4.41.0"
- },
 {
 "advisory": "Transformers version 4.41.0 updates its `black` dependency from version 22.1.0 to 24.3.0 to address the security vulnerability identified as CVE-2024-21503.",
 "cve": "CVE-2024-21503",
@@ -187413,6 +188904,16 @@
 ],
 "v": "<4.41.0"
 },
+ {
+ "advisory": "Transformers version 4.41.0 updates its `aiohttp` dependency from version 3.8.5 to 3.9.0 to address the security vulnerability identified as CVE-2023-49081.",
+ "cve": "CVE-2023-49081",
+ "id": "pyup.io-71037",
+ "more_info_path": "/vulnerabilities/CVE-2023-49081/71037",
+ "specs": [
+ "<4.41.0"
+ ],
+ "v": "<4.41.0"
+ },
 {
 "advisory": "Transformers 4.5.0 includes various vulnerability fixes.",
 "cve": "PVE-2021-40187",
@@ -187883,10 +189384,10 @@
 "v": "<2.4.0"
 },
 {
- "advisory": "file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.",
- "cve": "CVE-2016-1242",
- "id": "pyup.io-54111",
- "more_info_path": "/vulnerabilities/CVE-2016-1242/54111",
+ "advisory": "Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.",
+ "cve": "CVE-2016-1241",
+ "id": "pyup.io-54110",
+ "more_info_path": "/vulnerabilities/CVE-2016-1241/54110",
 "specs": [
 ">=0,<3.2.17",
 ">=3.4,<3.4.14",
@@ -187897,10 +189398,10 @@
 "v": ">=0,<3.2.17,>=3.4,<3.4.14,>=3.6,<3.6.12,>=3.8,<3.8.8,>=4.0,<4.0.4"
 },
 {
- "advisory": "Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.",
- "cve": "CVE-2016-1241",
- "id": "pyup.io-54110",
- "more_info_path": "/vulnerabilities/CVE-2016-1241/54110",
+ "advisory": "file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.",
+ "cve": "CVE-2016-1242",
+ "id": "pyup.io-54111",
+ "more_info_path": "/vulnerabilities/CVE-2016-1242/54111",
 "specs": [
 ">=0,<3.2.17",
 ">=3.4,<3.4.14",
@@ -188061,29 +189562,29 @@
 },
 {
 "advisory": "Tstoolbox 103.15.0 pins its dependency 'pygments' to versions >=2.7.4 to include security fixes.",
- "cve": "CVE-2015-8557",
- "id": "pyup.io-44904",
- "more_info_path": "/vulnerabilities/CVE-2015-8557/44904",
+ "cve": "CVE-2021-27291",
+ "id": "pyup.io-44903",
+ "more_info_path": "/vulnerabilities/CVE-2021-27291/44903",
 "specs": [
 "<103.15.0"
 ],
 "v": "<103.15.0"
 },
 {
- "advisory": "Tstoolbox 103.15.0 pins its dependency 'pygments' to versions >=2.7.4 to include security fixes.",
- "cve": "CVE-2021-20270",
- "id": "pyup.io-44836",
- "more_info_path": "/vulnerabilities/CVE-2021-20270/44836",
+ "advisory": "Tstoolbox 103.15.0 pins its dependency 'sphinx' to versions >=3.0.4 to include security fixes.",
+ "cve": "CVE-2020-11022",
+ "id": "pyup.io-44905",
+ "more_info_path": "/vulnerabilities/CVE-2020-11022/44905",
 "specs": [
 "<103.15.0"
 ],
 "v": "<103.15.0"
 },
 {
- "advisory": "Tstoolbox 103.15.0 pins its dependency 'sphinx' to versions >=3.0.4 to include security fixes.",
- "cve": "CVE-2020-11022",
- "id": "pyup.io-44905",
- "more_info_path": "/vulnerabilities/CVE-2020-11022/44905",
+ "advisory": "Tstoolbox 103.15.0 pins its dependency 'pygments' to versions >=2.7.4 to include security fixes.",
+ "cve": "CVE-2015-8557",
+ "id": "pyup.io-44904",
+ "more_info_path": "/vulnerabilities/CVE-2015-8557/44904",
 "specs": [
 "<103.15.0"
 ],
@@ -188091,9 +189592,9 @@
 },
 {
 "advisory": "Tstoolbox 103.15.0 pins its dependency 'pygments' to versions >=2.7.4 to include security fixes.",
- "cve": "CVE-2021-27291",
- "id": "pyup.io-44903",
- "more_info_path": "/vulnerabilities/CVE-2021-27291/44903",
+ "cve": "CVE-2021-20270",
+ "id": "pyup.io-44836",
+ "more_info_path": "/vulnerabilities/CVE-2021-20270/44836",
 "specs": [
 "<103.15.0"
 ],
@@ -188627,9 +190128,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-12781",
- "id": "pyup.io-49773",
- "more_info_path": "/vulnerabilities/CVE-2019-12781/49773",
+ "cve": "CVE-2019-19118",
+ "id": "pyup.io-49778",
+ "more_info_path": "/vulnerabilities/CVE-2019-19118/49778",
 "specs": [
 "<3.9.0"
 ],
@@ -188637,9 +190138,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-14235",
- "id": "pyup.io-49777",
- "more_info_path": "/vulnerabilities/CVE-2019-14235/49777",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-40921",
+ "more_info_path": "/vulnerabilities/CVE-2019-12308/40921",
 "specs": [
 "<3.9.0"
 ],
@@ -188657,9 +190158,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-12308",
- "id": "pyup.io-40921",
- "more_info_path": "/vulnerabilities/CVE-2019-12308/40921",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-49777",
+ "more_info_path": "/vulnerabilities/CVE-2019-14235/49777",
 "specs": [
 "<3.9.0"
 ],
@@ -188667,9 +190168,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-19118",
- "id": "pyup.io-49778",
- "more_info_path": "/vulnerabilities/CVE-2019-19118/49778",
+ "cve": "CVE-2019-12781",
+ "id": "pyup.io-49773",
+ "more_info_path": "/vulnerabilities/CVE-2019-12781/49773",
 "specs": [
 "<3.9.0"
 ],
@@ -190220,20 +191721,20 @@
 "v": "<=0.6.2"
 },
 {
- "advisory": "In affected versions, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.",
- "cve": "CVE-2024-5826",
- "id": "pyup.io-72090",
- "more_info_path": "/vulnerabilities/CVE-2024-5826/72090",
+ "advisory": "vanna-ai/vanna version affected versions are vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.",
+ "cve": "CVE-2024-5753",
+ "id": "pyup.io-72081",
+ "more_info_path": "/vulnerabilities/CVE-2024-5753/72081",
 "specs": [
 ">=0"
 ],
 "v": ">=0"
 },
 {
- "advisory": "vanna-ai/vanna version affected versions are vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.",
- "cve": "CVE-2024-5753",
- "id": "pyup.io-72081",
- "more_info_path": "/vulnerabilities/CVE-2024-5753/72081",
+ "advisory": "In affected versions, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. 
This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.",
+ "cve": "CVE-2024-5826",
+ "id": "pyup.io-72090",
+ "more_info_path": "/vulnerabilities/CVE-2024-5826/72090",
 "specs": [
 ">=0"
 ],
@@ -190241,16 +191742,6 @@
 }
 ],
 "vantage6": [
- {
- "advisory": "Vantage6 4.0.0 includes a fix for CVE-2023-23930: Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Users may specify JSON serialization as a workaround.\r\nhttps://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
- "cve": "CVE-2023-23930",
- "id": "pyup.io-61778",
- "more_info_path": "/vulnerabilities/CVE-2023-23930/61778",
- "specs": [
- "<4.0.0"
- ],
- "v": "<4.0.0"
- },
 {
 "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
 "cve": "CVE-2023-41882",
@@ -190271,6 +191762,16 @@
 ],
 "v": "<4.0.0"
 },
+ {
+ "advisory": "Vantage6 4.0.0 includes a fix for CVE-2023-23930: Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Users may specify JSON serialization as a workaround.\r\nhttps://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
+ "cve": "CVE-2023-23930",
+ "id": "pyup.io-61778",
+ "more_info_path": "/vulnerabilities/CVE-2023-23930/61778",
+ "specs": [
+ "<4.0.0"
+ ],
+ "v": "<4.0.0"
+ },
 {
 "advisory": "vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.",
 "cve": "CVE-2023-28635",
@@ -190436,20 +191937,20 @@
 ],
 "vantage6-common": [
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
- "cve": "CVE-2023-41881",
- "id": "pyup.io-65246",
- "more_info_path": "/vulnerabilities/CVE-2023-41881/65246",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
+ "cve": "CVE-2023-41882",
+ "id": "pyup.io-65241",
+ "more_info_path": "/vulnerabilities/CVE-2023-41882/65241",
 "specs": [
 "<4.0.0"
 ],
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
- "cve": "CVE-2023-41882",
- "id": "pyup.io-65241",
- "more_info_path": "/vulnerabilities/CVE-2023-41882/65241",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
+ "cve": "CVE-2023-41881",
+ "id": "pyup.io-65246",
+ "more_info_path": "/vulnerabilities/CVE-2023-41881/65246",
 "specs": [
 "<4.0.0"
 ],
@@ -190499,6 +192000,16 @@
 }
 ],
 "vantage6-server": [
+ {
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
+ "cve": "CVE-2023-41882",
+ "id": "pyup.io-65243",
+ "more_info_path": "/vulnerabilities/CVE-2023-41882/65243",
+ "specs": [
+ "<4.0.0"
+ ],
+ "v": "<4.0.0"
+ },
 {
 "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
 "cve": "CVE-2023-41881",
@@ -190519,16 +192030,6 @@
 ],
 "v": "<4.0.0"
 },
- {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
- "cve": "CVE-2023-41882",
- "id": "pyup.io-65243",
- "more_info_path": "/vulnerabilities/CVE-2023-41882/65243",
- "specs": [
- "<4.0.0"
- ],
- "v": "<4.0.0"
- },
 {
 "advisory": "vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent_id` that is set prevents checks from being run. This impacts all servers that are breached by an expert user. This vulnerability has been patched in version 4.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
 "cve": "CVE-2023-47631",
@@ -190540,20 +192041,20 @@
 "v": "<4.1.2"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.",
- "cve": "CVE-2024-21649",
- "id": "pyup.io-66730",
- "more_info_path": "/vulnerabilities/CVE-2024-21649/66730",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.",
+ "cve": "CVE-2024-21671",
+ "id": "pyup.io-66726",
+ "more_info_path": "/vulnerabilities/CVE-2024-21671/66726",
 "specs": [
 "<4.2.0"
 ],
 "v": "<4.2.0"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.",
- "cve": "CVE-2024-21671",
- "id": "pyup.io-66726",
- "more_info_path": "/vulnerabilities/CVE-2024-21671/66726",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.",
+ "cve": "CVE-2024-21649",
+ "id": "pyup.io-66730",
+ "more_info_path": "/vulnerabilities/CVE-2024-21649/66730",
 "specs": [
 "<4.2.0"
 ],
@@ -191258,6 +192759,18 @@
 "v": "<1.0.62"
 }
 ],
+ "volttron": [
+ {
+ "advisory": "Volttron affected versions contained a potential security vulnerability in the RPC subsystem, where capability checks for RPC methods were commented out. This flaw could allow unauthorized access to sensitive methods. Re-enabling these checks has resolved the issue, ensuring that only properly authenticated and authorized agents can execute restricted RPC methods.",
+ "cve": "PVE-2024-72956",
+ "id": "pyup.io-72956",
+ "more_info_path": "/vulnerabilities/PVE-2024-72956/72956",
+ "specs": [
+ "<9.0.1"
+ ],
+ "v": "<9.0.1"
+ }
+ ],
 "volumio-buddy": [
 {
 "advisory": "Volumio-buddy 3.0.3 updates its dependency 'pillow' to v9.3.0 to include security fixes.",
@@ -192576,26 +194089,6 @@
 ],
 "v": "<0.12.12"
 },
- {
- "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.",
- "cve": "CVE-2021-33503",
- "id": "pyup.io-49369",
- "more_info_path": "/vulnerabilities/CVE-2021-33503/49369",
- "specs": [
- "<0.12.18"
- ],
- "v": "<0.12.18"
- },
- {
- "advisory": "Wandb 0.12.18 updates its dependency 'rsa' to v4.7 to include security fixes.",
- "cve": "CVE-2020-25658",
- "id": "pyup.io-49366",
- "more_info_path": "/vulnerabilities/CVE-2020-25658/49366",
- "specs": [
- "<0.12.18"
- ],
- "v": "<0.12.18"
- },
 {
 "advisory": "Wandb 0.12.18 updates its dependency 'httplib2' to v0.19.0 to include security fixes.",
 "cve": "CVE-2020-11078",
@@ -192616,6 +194109,16 @@
 ],
 "v": "<0.12.18"
 },
+ {
+ "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.",
+ "cve": "CVE-2021-33503",
+ "id": "pyup.io-49369",
+ "more_info_path": "/vulnerabilities/CVE-2021-33503/49369",
+ "specs": [
+ "<0.12.18"
+ ],
+ "v": "<0.12.18"
+ },
 {
 "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.",
 "cve": "CVE-2020-26137",
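Review bot: The new volttron entry (first hunk on this line) gives no upstream reference for the claim that RPC capability checks were commented out and later re-enabled, so a reader cannot verify that `"<9.0.1"` is the right affected range; the prose only says "affected versions", leaving `specs` as the sole statement of scope. The GHSA-backed entries nearby (the vantage6 ones) append the advisory URL to the advisory text after `\r\n`, and this entry should do the same once the fixing commit or release note is located. Given that the description amounts to an authorization bypass on the RPC subsystem, which is high impact for anyone running an exposed platform, I would confirm the boundary against the VOLTTRON release before shipping this database update.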
@@ -192627,10 +194130,10 @@
 "v": "<0.12.18"
 },
 {
- "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.",
- "cve": "CVE-2020-7212",
- "id": "pyup.io-49370",
- "more_info_path": "/vulnerabilities/CVE-2020-7212/49370",
+ "advisory": "Wandb 0.12.18 updates its dependency 'rsa' to v4.7 to include security fixes.",
+ "cve": "CVE-2020-25658",
+ "id": "pyup.io-49366",
+ "more_info_path": "/vulnerabilities/CVE-2020-25658/49366",
 "specs": [
 "<0.12.18"
 ],
@@ -192646,6 +194149,36 @@
 ],
 "v": "<0.12.18"
 },
+ {
+ "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.",
+ "cve": "CVE-2020-7212",
+ "id": "pyup.io-49370",
+ "more_info_path": "/vulnerabilities/CVE-2020-7212/49370",
+ "specs": [
+ "<0.12.18"
+ ],
+ "v": "<0.12.18"
+ },
+ {
+ "advisory": "A race condition and inconsistent control handling vulnerability were identified in the wandb package's Handler and Writer components. This issue could lead to data corruption, unauthorized data exposure, or improper record handling, especially in concurrent environments. The vulnerability has been mitigated by introducing record cloning and standardized control flag application.",
+ "cve": "PVE-2024-72896",
+ "id": "pyup.io-72896",
+ "more_info_path": "/vulnerabilities/PVE-2024-72896/72896",
+ "specs": [
+ "<0.15.10"
+ ],
+ "v": "<0.15.10"
+ },
+ {
+ "advisory": "A race condition and inconsistent cleanup vulnerability in wandb's LaunchAgent allowed unsynchronized access to job status data across threads. If multiple threads accessed or modified job status simultaneously, this could lead to data corruption or incomplete resource cleanup. The vulnerability is resolved by enforcing thread-safe data access and ensuring reliable cleanup even when exceptions occur.",
+ "cve": "PVE-2024-72895",
+ "id": "pyup.io-72895",
+ "more_info_path": "/vulnerabilities/PVE-2024-72895/72895",
+ "specs": [
+ "<0.15.12"
+ ],
+ "v": "<0.15.12"
+ },
 {
 "advisory": "Socket in wandb 0.8.0 only binds to localhost for improved security and prevents firewall warnings in OSX.",
 "cve": "PVE-2021-37149",
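Review bot: The two new PVE entries (`PVE-2024-72896`, `PVE-2024-72895`) assert security impact, "unauthorized data exposure" and "data corruption", for what their own text describes as thread-safety bugs inside the wandb SDK's Handler/Writer and LaunchAgent, yet neither names who can trigger the race or carries an upstream reference, and the two distinct fixed versions (`<0.15.10` vs `<0.15.12`) are not tied to a release note or PR. Without that, a consumer of this database cannot tell an attacker-reachable flaw from a local robustness fix, and every wandb install below 0.15.12 will be flagged on the strength of the wording alone. I would append the fixing PR or changelog link after `\r\n` in each advisory string, as the GHSA-backed entries elsewhere in the file do, and state the threat model only to the extent the upstream report supports it.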
@@ -192763,16 +194296,6 @@
 ],
 "v": "<15.0.1"
 },
- {
- "advisory": "Wasmtime 3.0.0 (Python bindings) downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/18a742a3457d6edfab7e96af466721e19d2e12cd",
- "cve": "CVE-2022-39394",
- "id": "pyup.io-51998",
- "more_info_path": "/vulnerabilities/CVE-2022-39394/51998",
- "specs": [
- "<3.0.0"
- ],
- "v": "<3.0.0"
- },
 {
 "advisory": "Wasmtime 3.0.0 (Python bindings) downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/18a742a3457d6edfab7e96af466721e19d2e12cd",
 "cve": "CVE-2022-39393",
@@ -192794,14 +194317,14 @@
 "v": "<3.0.0"
 },
 {
- "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wasmtime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329",
- "cve": "CVE-2023-26489",
- "id": "pyup.io-53755",
- "more_info_path": "/vulnerabilities/CVE-2023-26489/53755",
+ "advisory": "Wasmtime 3.0.0 (Python bindings) downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/18a742a3457d6edfab7e96af466721e19d2e12cd",
+ "cve": "CVE-2022-39394",
+ "id": "pyup.io-51998",
+ "more_info_path": "/vulnerabilities/CVE-2022-39394/51998",
 "specs": [
- "<7.0.0"
+ "<3.0.0"
 ],
- "v": "<7.0.0"
+ "v": "<3.0.0"
 },
 {
 "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329",
@@ -192813,6 +194336,16 @@
 ],
 "v": "<7.0.0"
 },
+ {
+ "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wasmtime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329",
+ "cve": "CVE-2023-26489",
+ "id": "pyup.io-53755",
+ "more_info_path": "/vulnerabilities/CVE-2023-26489/53755",
+ "specs": [
+ "<7.0.0"
+ ],
+ "v": "<7.0.0"
+ },
 {
 "advisory": "Wasmtime 9.0.0 (Python bindings) downloads a precompiled version of Wasmtime core (9.0.0) that includes a security fix.\r\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7",
 "cve": "CVE-2023-30624",
@@ -192973,16 +194506,6 @@
 ],
 "v": "<12.9.3"
 },
- {
- "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-49447",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/49447",
- "specs": [
- "<12.9.3"
- ],
- "v": "<12.9.3"
- },
 {
 "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'pygments>=2.7.4' to include security fixes.",
 "cve": "CVE-2021-20270",
@@ -193012,6 +194535,16 @@
 "<12.9.3"
 ],
 "v": "<12.9.3"
+ },
+ {
+ "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-49447",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/49447",
+ "specs": [
+ "<12.9.3"
+ ],
+ "v": "<12.9.3"
 }
 ],
 "weasyprint": [
@@ -193480,6 +195013,18 @@
 "v": ">=4.14,<5.6.2"
 }
 ],
+ "webob": [
+ {
+ "advisory": "The WebOb affected versions have a critical security vulnerability related to improper handling of the HTTP Location header during URL redirection. The issue arises when WebOb normalizes the Location header by combining the request's hostname with the destination URL using Python's `urlparse` and `urljoin` functions. If the destination URL begins with \"//\", `urlparse` interprets it as a URI without a scheme, using the following string as the hostname. Consequently, `urljoin` replaces the original request hostname with this new hostname, potentially redirecting users to a malicious site. This vulnerability could allow attackers to craft URLs that redirect users from trusted domains to malicious sites, posing significant security risks. The WebOb update ensures that such scenarios are handled correctly, preventing unintended redirects and securing the application against this attack.",
+ "cve": "CVE-2024-42353",
+ "id": "pyup.io-72631",
+ "more_info_path": "/vulnerabilities/CVE-2024-42353/72631",
+ "specs": [
+ "<1.8.8"
+ ],
+ "v": "<1.8.8"
+ }
+ ],
 "webp": [
 {
 "advisory": "Webp 1.0.1 adds further security related hardening in libwebp & libwebpmux.",
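Review bot: The new webob advisory text never names the fixed release, ending with "The WebOb update ensures…", so `"<1.8.8"` in `specs` is the only place the boundary appears and the two cannot be cross-checked; I would make that sentence `WebOb 1.8.8 ensures that such scenarios are handled correctly, preventing unintended redirects.` so prose and spec agree. The entry also lacks the upstream advisory or commit link that comparable entries in this file carry after `\r\n`. A caveat worth adding for practitioners: as described, the flaw is in WebOb's own Location-header normalization (the `urlparse`/`urljoin` path), so an application is exposed only where a request-derived value reaches that code; an application that builds full redirect targets from user input remains an open redirect regardless of the WebOb version, and this entry should not be read as closing that hole.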
@@ -193684,20 +195229,20 @@
 "v": "<0.8.3"
 },
 {
- "advisory": "Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow \"nameless\" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.\r\nhttps://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q",
- "cve": "CVE-2023-23934",
- "id": "pyup.io-53326",
- "more_info_path": "/vulnerabilities/CVE-2023-23934/53326",
+ "advisory": "Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\r\nhttps://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323",
+ "cve": "CVE-2023-25577",
+ "id": "pyup.io-53325",
+ "more_info_path": "/vulnerabilities/CVE-2023-25577/53325",
 "specs": [
 "<2.2.3"
 ],
 "v": "<2.2.3"
 },
 {
- "advisory": "Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\r\nhttps://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323",
- "cve": "CVE-2023-25577",
- "id": "pyup.io-53325",
- "more_info_path": "/vulnerabilities/CVE-2023-25577/53325",
+ "advisory": "Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow \"nameless\" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.\r\nhttps://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q",
+ "cve": "CVE-2023-23934",
+ "id": "pyup.io-53326",
+ "more_info_path": "/vulnerabilities/CVE-2023-23934/53326",
 "specs": [
 "<2.2.3"
 ],
@@ -194877,9 +196422,9 @@
 "xtgeo": [
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "CVE-2022-22815",
- "id": "pyup.io-48288",
- "more_info_path": "/vulnerabilities/CVE-2022-22815/48288",
+ "cve": "PVE-2022-44524",
+ "id": "pyup.io-48286",
+ "more_info_path": "/vulnerabilities/PVE-2022-44524/48286",
 "specs": [
 "<2.17.1"
 ],
@@ -194887,9 +196432,9 @@
 },
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "PVE-2022-44524",
- "id": "pyup.io-48286",
- "more_info_path": "/vulnerabilities/PVE-2022-44524/48286",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-48284",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/48284",
 "specs": [
 "<2.17.1"
 ],
@@ -194907,9 +196452,9 @@
 },
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-48284",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/48284",
+ "cve": "CVE-2022-22815",
+ "id": "pyup.io-48288",
+ "more_info_path": "/vulnerabilities/CVE-2022-22815/48288",
 "specs": [
 "<2.17.1"
 ],
@@ -195614,6 +197159,19 @@
 ],
 "v": "<0.42.1"
 },
+ {
+ "advisory": "ZenML Server in the ZenML package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2. See CVE-2024-25723.",
+ "cve": "CVE-2024-25723",
+ "id": "pyup.io-65699",
+ "more_info_path": "/vulnerabilities/CVE-2024-25723/65699",
+ "specs": [
+ "<0.42.2",
+ ">=0.43.0,<0.43.1",
+ ">=0.44.0,<0.44.4",
+ ">=0.46.0,<0.47.0"
+ ],
+ "v": "<0.42.2,>=0.43.0,<0.43.1,>=0.44.0,<0.44.4,>=0.46.0,<0.47.0"
+ },
 {
 "advisory": "Zenml 0.46.0 updates its dependency 'langchain' to versions \">=0.0.325\" to include security fixes.",
 "cve": "CVE-2023-39631",
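Review bot: The rewritten CVE-2024-25723 entry's `specs` disagree with its own advisory text: the text says the fix is in 0.46.7 (with backports 0.44.4, 0.43.1 and 0.42.2), but the last range is `">=0.46.0,<0.47.0"`, which still flags 0.46.7 as vulnerable, and no range covers 0.45.x even though "before 0.46.7" treats every unpatched earlier release as affected. Either the ranges should become `">=0.45.0,<0.46.0"` and `">=0.46.0,<0.46.7"` with `v` regenerated to match, or the text is wrong; which side is correct needs checking against the upstream ZenML advisory, since I cannot tell from this diff whether a 0.46.7 release exists. For a remote privilege-escalation bug a false negative on a real version is the worse failure mode, so I would resolve this before merging, and the previous single-range entry (`"<0.46.7"`, replaced in the next hunk) at least matched the prose.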
@@ -195645,14 +197203,14 @@
 "v": "<0.46.0"
 },
 {
- "advisory": "ZenML Server in the ZenML package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2. See CVE-2024-25723.",
- "cve": "CVE-2024-25723",
- "id": "pyup.io-65699",
- "more_info_path": "/vulnerabilities/CVE-2024-25723/65699",
+ "advisory": "A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.",
+ "cve": "CVE-2024-2083",
+ "id": "pyup.io-71954",
+ "more_info_path": "/vulnerabilities/CVE-2024-2083/71954",
 "specs": [
- "<0.46.7"
+ "<0.55.5"
 ],
- "v": "<0.46.7"
+ "v": "<0.55.5"
 },
 {
 "advisory": "A race condition vulnerability exists in zenml-io/zenml affected versions, which allows for the creation of multiple users with the same username when requests are sent in parallel. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsistencies and potential authentication problems. Specifically, concurrent processes may overwrite or corrupt user data, complicating user identification and posing security risks. This issue is particularly concerning for APIs that rely on usernames as input parameters, such as PUT /api/v1/users/test_race, which could lead to further complications.",
@@ -195664,16 +197222,6 @@
 ],
 "v": "<0.55.5"
 },
- {
- "advisory": "A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.",
- "cve": "CVE-2024-2083",
- "id": "pyup.io-71954",
- "more_info_path": "/vulnerabilities/CVE-2024-2083/71954",
- "specs": [
- "<0.55.5"
- ],
- "v": "<0.55.5"
- },
 {
 "advisory": "An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false, effectively deactivating them. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.",
 "cve": "CVE-2024-2035",
@@ -195715,20 +197263,20 @@
 "v": "<0.56.3"
 },
 {
- "advisory": "A clickjacking vulnerability exists in zenml-io/zenml affected versions due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control.",
- "cve": "CVE-2024-2383",
- "id": "pyup.io-71949",
- "more_info_path": "/vulnerabilities/CVE-2024-2383/71949",
+ "advisory": "An issue was discovered in zenml-io/zenml affected versions. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process.",
+ "cve": "CVE-2024-2213",
+ "id": "pyup.io-71952",
+ "more_info_path": "/vulnerabilities/CVE-2024-2213/71952",
 "specs": [
 "<0.56.3"
 ],
 "v": "<0.56.3"
 },
 {
- "advisory": "An issue was discovered in zenml-io/zenml affected versions. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process.",
- "cve": "CVE-2024-2213",
- "id": "pyup.io-71952",
- "more_info_path": "/vulnerabilities/CVE-2024-2213/71952",
+ "advisory": "A clickjacking vulnerability exists in zenml-io/zenml affected versions due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control.",
+ "cve": "CVE-2024-2383",
+ "id": "pyup.io-71949",
+ "more_info_path": "/vulnerabilities/CVE-2024-2383/71949",
 "specs": [
 "<0.56.3"
 ],
@@ -195822,6 +197370,16 @@
 }
 ],
 "zhmc-prometheus-exporter": [
+ {
+ "advisory": "Zhmc-prometheus-exporter affected versions contain two risky cryptographic algorithms. The exporter should not support any risky cryptographic algorithms, and this issue is resolved by using prometheus_client version 0.20.0.",
+ "cve": "PVE-2024-72449",
+ "id": "pyup.io-72449",
+ "more_info_path": "/vulnerabilities/PVE-2024-72449/72449",
+ "specs": [
+ "<1.7.0"
+ ],
+ "v": "<1.7.0"
+ },
 {
 "advisory": "Zhmc-prometheus-exporter fixes the exporter to ensure it does not support risky cryptographic algorithms, addressing potential vulnerabilities associated with TLS CBC ciphers.",
 "cve": "PVE-2024-72412",
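Review bot: The new PVE-2024-72449 entry (second hunk on this span) says the exporter "contain[s] two risky cryptographic algorithms" but never names them, and the existing PVE-2024-72412 entry immediately below describes what reads as the same fix ("does not support risky cryptographic algorithms… TLS CBC ciphers"), so from the text alone it is unclear whether these are two distinct issues or one issue recorded twice. I would either name the ciphers or algorithms removed, with the source that flagged them, in the 72449 advisory, or fold it into 72412 if they are the same change. The statement that the issue "is resolved by using prometheus_client version 0.20.0" also makes this a dependency bump rather than a flaw in the exporter's own code, which the advisory should say plainly so consumers know the remediation, e.g. `…and this issue is resolved in zhmc-prometheus-exporter 1.7.0 by upgrading its prometheus_client dependency to 0.20.0.` so the prose states the boundary that `"<1.7.0"` encodes.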