🚨 Critical vulnerabilities detected in dependencies
This issue was created automatically from the SBOM security audit. It includes a summary and a detailed list of the detected vulnerabilities.
Summary
- Total: 38
- Critical: 3 | High: 7 | Medium: 28 | Low: 0 | Unknown: 0
Top Issues
ID | Severity | Component | Version | CVSS | Description | References |
---|---|---|---|---|---|---|
PYSEC-2023-161 | CRITICAL | gitpython | 3.1.0 | 10.0 | GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH envi… | link link |
PYSEC-2024-4 | CRITICAL | gitpython | 3.1.0 | 10.0 | GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses … | link link link |
PYSEC-2022-42992 | CRITICAL | gitpython | 3.1.0 | None | All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remot… | link link link |
GHSA-2mqj-m65w-jghx | HIGH | gitpython | 3.1.0 | 7.5 | Summary: This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when… | link link link |
GHSA-hcpj-qp55-gfph | HIGH | gitpython | 3.1.0 | 7.5 | All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remot… | link link link |
GHSA-pr76-5cm5-w9cj | HIGH | gitpython | 3.1.0 | 7.5 | GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from, making it vulnerable to Remote Code Execution (RCE) due to improper user input valida… | link link link |
GHSA-wfm5-v35h-vwf4 | HIGH | gitpython | 3.1.0 | 7.5 | Summary: When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/libr… | link link link |
GHSA-5m98-qgg9-wh84 | HIGH | aiohttp | 3.8.0 | 7.0 | Summary: An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable … | link link link |
PYSEC-2023-246 | HIGH | aiohttp | 3.8.0 | 7.0 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request sm… | link link |
PYSEC-2024-24 | HIGH | aiohttp | 3.8.0 | 7.0 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the roo… | link link link |
GHSA-9wx4-h78v-vm56 | MEDIUM | requests | 2.28.0 | 6.5 | When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will co… | link link link |
GHSA-h5c8-rqwp-cp95 | MEDIUM | jinja2 | 3.0.0 | 6.5 | The xmlattr filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attrib… | link link link |
GHSA-h75v-3vvj-5mfj | MEDIUM | jinja2 | 3.0.0 | 6.5 | The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then… | link link link |
GHSA-7gpw-8wmc-pm8g | MEDIUM | aiohttp | 3.8.0 | 6.5 | Summary: A XSS vulnerability exists on index pages for static file handling. Details: When using web.static(..., show_index=True), the resulting index pages do not escap… | link link link |
PYSEC-2024-26 | MEDIUM | aiohttp | 3.8.0 | 6.5 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character… | link link link |
PYSEC-2023-165 | MEDIUM | gitpython | 3.1.0 | 6.5 | GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory, in some places the … | link link |
GHSA-9hjg-9r4m-mvj7 | MEDIUM | requests | 2.28.0 | 6.0 | Impact: Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Workarounds: For o… | link link link |
GHSA-j8r2-6x86-q33q | MEDIUM | requests | 2.28.0 | 6.0 | Impact: Since Requests v2.3.0, Requests has been vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTT… | link link link |
GHSA-cpwx-vrp4-4pq7 | MEDIUM | jinja2 | 3.0.0 | 5.5 | An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. … | link link link |
GHSA-gmj6-6f8f-6699 | MEDIUM | jinja2 | 3.0.0 | 5.5 | A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.… | link link link |
GHSA-q2x7-8rv6-6q7h | MEDIUM | jinja2 | 3.0.0 | 5.5 | An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To e… | link link link |
GHSA-5h86-8mv2-jq9f | MEDIUM | aiohttp | 3.8.0 | 5.5 | Summary: Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system. Det… | link link link |
PYSEC-2023-250 | MEDIUM | aiohttp | 3.8.0 | 5.5 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a ne… | link link link |
PYSEC-2023-251 | MEDIUM | aiohttp | 3.8.0 | 5.5 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new … | link link link |
GHSA-8qpw-xqxj-h4r2 | MEDIUM | aiohttp | 3.8.0 | 5.1 | Summary: Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame bo… | link link link |
GHSA-q3qx-c6g2-7pw2 | MEDIUM | aiohttp | 3.8.0 | 5.1 | Summary: Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls… | link link link |
GHSA-wrxv-2j5q-m38w | MEDIUM | lxml | 4.9.0 | 4.8 | NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libx… | link link link |
GHSA-45c4-8wx5-qw6w | MEDIUM | aiohttp | 3.8.0 | 4.8 | Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vuln… | link link link |
GHSA-8495-4g3g-x7pr | MEDIUM | aiohttp | 3.8.0 | 4.8 | Summary: The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. Impact: If a pure Py… | link link link |
GHSA-9548-qrrj-x5pj | MEDIUM | aiohttp | 3.8.0 | 4.8 | Summary: The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. Impact: If a pure Python version of aio… | link link link |
GHSA-gfw2-4jvh-wgfg | MEDIUM | aiohttp | 3.8.0 | 4.8 | Summary: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enab… | link link link |
GHSA-qvrw-v9rv-5rjx | MEDIUM | aiohttp | 3.8.0 | 4.8 | Summary: Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls t… | link link link |
GHSA-cwvm-v4w8-q58c | MEDIUM | gitpython | 3.1.0 | 4.8 | Summary: In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPy… | link link link |
PYSEC-2023-74 | MEDIUM | requests | 2.28.0 | None | Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a produ… | link link link |
PYSEC-2022-230 | MEDIUM | lxml | 4.9.0 | None | NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libx… | link link link |
GHSA-pjjw-qhg8-p2p9 | MEDIUM | aiohttp | 3.8.0 | None | Summary: llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future information. The issue is resolv… | link link link |
PYSEC-2023-120 | MEDIUM | aiohttp | 3.8.0 | None | Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vuln… | link link link |
PYSEC-2023-137 | MEDIUM | gitpython | 3.1.0 | None | GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439. | link link |