adamoswald / ai-test


This project is either going to become the most dangerous computer virus the world has and ever will see or it will actually go smoothly (I really hope it isn’t the former)

Jupyter Notebook 74.63% Python 15.34% Dockerfile 0.03% Shell 0.19% Makefile 0.35% C 0.45% JavaScript 3.23% HTML 4.46% SCSS 0.13% F# 0.18% PHP 0.26% C# 0.44% Mathematica 0.05% HLSL 0.01% Handlebars 0.02% Go 0.07% Swift 0.15% HCL 0.01% GLSL 0.01% C++ 0.01%
ai artificial-intelligence database deep-learning face-swap face-swapping html html-css-javascript image-generation java javascript jupyter-notebooks machine-learning nerual-network nerual-networks python pytorch scss tensor text-to-image

ai-test's People

Contributors

adamoswald, dependabot[bot], imgbotapp, mend-bolt-for-github[bot], snyk-bot, zeobot[bot]

ai-test's Issues

libxml2-2.9.9-he19cac6_0.conda: 1 vulnerability (highest severity is: 6.5)

Vulnerable Library - libxml2-2.9.9-he19cac6_0.conda

The XML C parser and toolkit of Gnome

Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-29824 | Medium | 6.5 | libxml2-2.9.9-he19cac6_0.conda | Direct | v2.9.14 | |

Details

CVE-2022-29824

Vulnerable Library - libxml2-2.9.9-he19cac6_0.conda

The XML C parser and toolkit of Gnome

Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda

Dependency Hierarchy:

  • libxml2-2.9.9-he19cac6_0.conda (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Publish Date: 2022-05-03

URL: CVE-2022-29824

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824

Release Date: 2022-05-03

Fix Resolution: v2.9.14

Step up your Open Source Security Game with Mend here

urllib3-1.25.11-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - urllib3-1.25.11-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/openai-python-0.22.1,/wombopy-main

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-33503 | High | 7.5 | urllib3-1.25.11-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | |

Details

CVE-2021-33503

Vulnerable Library - urllib3-1.25.11-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/openai-python-0.22.1,/wombopy-main

Dependency Hierarchy:

  • urllib3-1.25.11-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

PyYAML-5.1.tar.gz: 3 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-1747 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | pyyaml - 5.3.1 | |
| CVE-2019-20477 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | 5.2 | |
| CVE-2020-14343 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | PyYAML - 5.4 | |

Details

CVE-2020-1747

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • PyYAML-5.1.tar.gz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Publish Date: 2020-03-24

URL: CVE-2020-1747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6757-jp84-gxfx

Release Date: 2020-03-24

Fix Resolution: pyyaml - 5.3.1

CVE-2019-20477

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • PyYAML-5.1.tar.gz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Publish Date: 2020-02-19

URL: CVE-2019-20477

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477

Release Date: 2020-02-19

Fix Resolution: 5.2

CVE-2020-14343

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • PyYAML-5.1.tar.gz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Publish Date: 2021-02-09

URL: CVE-2020-14343

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343

Release Date: 2021-02-09

Fix Resolution: PyYAML - 5.4

archiver-2.1.1.tgz: 1 vulnerability (highest severity is: 7.8)

Vulnerable Library - archiver-2.1.1.tgz

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-43138 | High | 7.8 | async-2.6.1.tgz | Transitive | 4.0.2 | |

Details

CVE-2021-43138

Vulnerable Library - async-2.6.1.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz

Dependency Hierarchy:

  • archiver-2.1.1.tgz (Root Library)
    • async-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (archiver): 4.0.2

logrocket-1.7.1.pom: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - logrocket-1.7.1.pom

Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.19.1/3ac913b600589dba649abe56d70889cb797bbb1a/protobuf-javalite-3.19.1.jar

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (logrocket version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-3171 | High | 7.5 | protobuf-javalite-3.19.1.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3171

Vulnerable Library - protobuf-javalite-3.19.1.jar

Lite version of Protocol Buffers library. This version is optimized for code size, but does not guarantee API/ABI stability.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.19.1/3ac913b600589dba649abe56d70889cb797bbb1a/protobuf-javalite-3.19.1.jar

Dependency Hierarchy:

  • logrocket-1.7.1.pom (Root Library)
    • protobuf-javalite-3.19.1.jar (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: Oct 12, 2022 11:15:00 PM

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: Oct 12, 2022 11:15:00 PM

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

async-1.5.2.tgz: 1 vulnerability (highest severity is: 7.8)

Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-43138 | High | 7.8 | async-1.5.2.tgz | Direct | 2.6.4 | |

Details

CVE-2021-43138

Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Dependency Hierarchy:

  • async-1.5.2.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: 2.6.4

microsoft.ml.automl.0.19.1.nupkg: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - microsoft.ml.automl.0.19.1.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-1941 | High | 7.5 | google.protobuf.3.19.4.nupkg | Transitive | N/A | |

Details

CVE-2022-1941

Vulnerable Library - google.protobuf.3.19.4.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Dependency Hierarchy:

  • microsoft.ml.automl.0.19.1.nupkg (Root Library)
    • microsoft.ml.vision.1.7.1.nupkg
      • microsoft.ml.tensorflow.1.7.1.nupkg
        • google.protobuf.3.19.4.nupkg (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-1941 | High | 7.5 | protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6; protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | |

Details

CVE-2022-1941

Vulnerable Library - protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

urllib3-1.25.3-py2.py3-none-any.whl: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-33503 | High | 7.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | |
| CVE-2020-7212 | High | 7.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | urllib3 - 1.25.8 | |
| CVE-2020-26137 | Medium | 6.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | 1.25.9 | |

Details

CVE-2021-33503

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

CVE-2020-7212

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Publish Date: 2020-03-06

URL: CVE-2020-7212

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmv2-79q8-fv6g

Release Date: 2020-03-09

Fix Resolution: urllib3 - 1.25.8

CVE-2020-26137

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /runx-0.0.5/requirements.txt

Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/paperspace-python-0.2.0,/extension-cpp-master/requirements.txt,/Bobber-6.3.1,/runx-0.0.5,/PRNet-master/requirements.txt,/extension-cpp-master/cuda,/MM-RealSR-1.0.0/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/Jupyter-master/requirements.txt,/requirements.txt,/Jupyter-master/requirements.txt,/DALLE2-pytorch-1.10.6,/PRNet-master/requirements.txt,/dalle-mini-0.1.1,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1,/MM-RealSR-1.0.0/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/tmp/ws-scm/Ai-test,/_tests_requirements.txt,/imagen-pytorch-1.11.12,/MM-RealSR-1.0.0

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-34141 | Medium | 5.3 | numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 | |

Details

CVE-2021-34141

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /runx-0.0.5/requirements.txt

Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/paperspace-python-0.2.0,/extension-cpp-master/requirements.txt,/Bobber-6.3.1,/runx-0.0.5,/PRNet-master/requirements.txt,/extension-cpp-master/cuda,/MM-RealSR-1.0.0/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/Jupyter-master/requirements.txt,/requirements.txt,/Jupyter-master/requirements.txt,/DALLE2-pytorch-1.10.6,/PRNet-master/requirements.txt,/dalle-mini-0.1.1,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1,/MM-RealSR-1.0.0/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/tmp/ws-scm/Ai-test,/_tests_requirements.txt,/imagen-pytorch-1.11.12,/MM-RealSR-1.0.0

Dependency Hierarchy:

  • numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0

Step up your Open Source Security Game with Mend here
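
The CVSS 3 score in each of these reports is derived from the listed Base Score Metrics by the CVSS v3.1 base-score formula. What follows is an added worked example, not code from this repository or from Mend, that writes that formula out so any report on this page can be checked against the score it claims; the 5.3 in the sample run is the Network/Low/None/None/Unchanged/None/None/Low metrics listed for CVE-2021-34141 above. The vectorFromWords helper, its word spellings and the function names are this example's own.

```javascript
// Added example: CVSS v3.1 base-score arithmetic (the formula from the FIRST
// CVSS v3.1 specification), so the "Base Score Metrics" lists in these Mend
// reports can be checked against the score each one claims.
// Not code from this repository or from Mend.

const AV = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 };
const AC = { L: 0.77, H: 0.44 };
const UI = { N: 0.85, R: 0.62 };
const CIA = { H: 0.56, L: 0.22, N: 0 };
// Privileges Required is weighted differently when Scope is Changed.
const PR = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

function weight(table, key, name) {
  if (!(key in table)) throw new Error(`bad ${name} value: ${key}`);
  return table[key];
}

// Spec "Roundup": round up to one decimal place, using the integer form the
// 3.1 spec adopted to avoid floating-point artefacts (e.g. 4.000000001 -> 4.0).
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Accepts "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", with or without a "CVSS:3.1/" prefix.
function parseVector(vector) {
  const m = {};
  for (const part of vector.replace(/^CVSS:3\.[01]\//, '').split('/')) {
    const [k, v] = part.split(':');
    m[k] = v;
  }
  for (const k of ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A']) {
    if (!(k in m)) throw new Error(`missing metric ${k}`);
  }
  return m;
}

function baseScore(vector) {
  const m = parseVector(vector);
  const scope = weight({ U: 'U', C: 'C' }, m.S, 'S');
  // Impact Sub-Score: how much of C, I and A is lost, combined multiplicatively.
  const iss = 1 - (1 - weight(CIA, m.C, 'C')) * (1 - weight(CIA, m.I, 'I')) * (1 - weight(CIA, m.A, 'A'));
  const impact = scope === 'U'
    ? 6.42 * iss
    : 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
  const exploitability = 8.22 * weight(AV, m.AV, 'AV') * weight(AC, m.AC, 'AC')
    * weight(PR[scope], m.PR, 'PR') * weight(UI, m.UI, 'UI');
  if (impact <= 0) return 0;
  const raw = scope === 'U' ? impact + exploitability : 1.08 * (impact + exploitability);
  return roundUp(Math.min(raw, 10));
}

// The reports spell the metrics out in words; this turns that form into a vector.
const WORDS = {
  AV: { Network: 'N', Adjacent: 'A', Local: 'L', Physical: 'P' },
  AC: { Low: 'L', High: 'H' },
  PR: { None: 'N', Low: 'L', High: 'H' },
  UI: { None: 'N', Required: 'R' },
  S: { Unchanged: 'U', Changed: 'C' },
  C: { None: 'N', Low: 'L', High: 'H' },
  I: { None: 'N', Low: 'L', High: 'H' },
  A: { None: 'N', Low: 'L', High: 'H' },
};

function vectorFromWords(words) {
  return Object.keys(WORDS).map((k) => `${k}:${weight(WORDS[k], words[k], k)}`).join('/');
}

if (typeof require !== 'undefined' && require.main === module) {
  // CVE-2021-34141 as listed above: Network/Low/None/None/Unchanged/None/None/Low
  const v = vectorFromWords({ AV: 'Network', AC: 'Low', PR: 'None', UI: 'None', S: 'Unchanged', C: 'None', I: 'None', A: 'Low' });
  console.log(v, baseScore(v)); // AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 5.3
}
```

Every score on this page is the Scope: Unchanged branch; the Changed branch is included because the same calculator is what you reach for when a scanner's number looks off, and a Scope: Changed finding (a sandbox or tenant boundary crossed) is exactly where hand-checking matters most.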

LogRocket confirmation

Sign in to LogRocket here.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbnRlZ3JhdGlvbl9pZCI6MjY5NywibG9naW5fbmFtZSI6IkFkYW1Pc3dhbGQifQ.hHgAzAx-9_pVyh7Nq3hSKVnx0F5UVF1u2ajAy1MO2VQ

opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl: 7 vulnerabilities (highest severity is: 7.8)

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2019-9423 | High | 7.8 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30 |
CVE-2019-14493 | High | 7.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 |
CVE-2019-14492 | High | 7.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 |
CVE-2019-19624 | Medium | 6.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.0.25 |
CVE-2019-14491 | Medium | 6.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 |
CVE-2019-15939 | Medium | 5.9 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.1.26 |
CVE-2019-16249 | Medium | 5.3 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.1.26 |

Details

CVE-2019-9423

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: Android. Versions: Android-10. Android ID: A-110986616.

Publish Date: 2019-09-27

URL: CVE-2019-9423

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-9423

Release Date: 2019-09-27

Fix Resolution: opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30

CVE-2019-14493

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp.

Publish Date: 2019-08-01

URL: CVE-2019-14493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3448-vrgh-85xr

Release Date: 2019-08-01

Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26

CVE-2019-14492

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.

Publish Date: 2019-08-01

URL: CVE-2019-14492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fw99-f933-rgh8

Release Date: 2020-04-17

Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26

CVE-2019-19624

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifically, variable coarsest_scale is assumed to be greater than or equal to finest_scale within the calc()/ocl_calc() functions in dis_flow.cpp. However, this is not true when dealing with small images, leading to an out-of-bounds read of the heap-allocated arrays Ux and Uy.

Publish Date: 2019-12-06

URL: CVE-2019-19624

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-jggw-2q6g-c3m6

Release Date: 2019-12-17

Fix Resolution: OpenCV-Python - 4.1.0.25

CVE-2019-14491

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrdered<cv::HaarEvaluator> in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.

Publish Date: 2019-08-01

URL: CVE-2019-14491

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-fm39-cw8h-3p63

Release Date: 2019-12-02

Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26

CVE-2019-15939

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.

Publish Date: 2019-09-05

URL: CVE-2019-15939

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hxfw-jm98-v4mq

Release Date: 2019-09-05

Fix Resolution: OpenCV-Python - 4.1.1.26

CVE-2019-16249

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt

Dependency Hierarchy:

  • opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.

Publish Date: 2019-09-11

URL: CVE-2019-16249

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-x3rm-644h-67m8

Release Date: 2019-12-03

Fix Resolution: OpenCV-Python - 4.1.1.26

image-data-uri-2.0.1.tgz: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - image-data-uri-2.0.1.tgz

Path to dependency file: /nft-art-generator-main/package.json

Path to vulnerable library: /nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2020-7608 | Medium | 5.3 | yargs-parser-7.0.0.tgz | Transitive | N/A |

Details

CVE-2020-7608

Vulnerable Library - yargs-parser-7.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz

Path to dependency file: /nft-art-generator-main/package.json

Path to vulnerable library: /nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • image-data-uri-2.0.1.tgz (Root Library)
    • magicli-0.0.8.tgz
      • cliss-0.0.2.tgz
        • yargs-parser-7.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

table-4.0.3.tgz: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - table-4.0.3.tgz

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2021-3807 | High | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 5.0.0 |

Details

CVE-2021-3807

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

  • table-4.0.3.tgz (Root Library)
    • string-width-2.1.1.tgz
      • strip-ansi-4.0.0.tgz
        • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (table): 5.0.0

websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl: 1 vulnerability (highest severity is: 5.9)

Vulnerable Library - websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

An implementation of the WebSocket Protocol (RFC 6455 & 7692)

Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /openai-python-0.22.1

Path to vulnerable library: /openai-python-0.22.1

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2021-33880 | Medium | 5.9 | websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl | Direct | websockets - 9.1 |

Details

CVE-2021-33880

Vulnerable Library - websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

An implementation of the WebSocket Protocol (RFC 6455 & 7692)

Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /openai-python-0.22.1

Path to vulnerable library: /openai-python-0.22.1

Dependency Hierarchy:

  • websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

Publish Date: 2021-06-06

URL: CVE-2021-33880

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33880

Release Date: 2021-06-06

Fix Resolution: websockets - 9.1


numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/50/46/292cff79f5b30151b027400efdb3f740ea03271b600751b6696cf550c10d/numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (numpy version) | Remediation Available
CVE-2021-34141 | Medium | 5.3 | numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 |

Details

CVE-2021-34141

Vulnerable Library - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/50/46/292cff79f5b30151b027400efdb3f740ea03271b600751b6696cf550c10d/numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda

Dependency Hierarchy:

  • numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0

nuxt-2.15.8.tgz: 4 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - nuxt-2.15.8.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2022-37601 | High | 9.8 | loader-utils-1.4.0.tgz | Transitive | N/A |
CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | N/A |
CVE-2022-37599 | High | 7.5 | detected in multiple dependencies | Transitive | N/A |
CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | N/A |

Details

CVE-2022-37601

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/cache-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/webpack/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/postcss-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-style-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • nuxt-2.15.8.tgz (Root Library)
    • webpack-2.15.8.tgz
      • webpack-4.46.0.tgz
        • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution: loader-utils - v2.0.0

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • nuxt-2.15.8.tgz (Root Library)
    • webpack-2.15.8.tgz
      • webpack-4.46.0.tgz
        • watchpack-1.7.5.tgz
          • watchpack-chokidar2-2.0.1.tgz
            • chokidar-2.1.8.tgz
              • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

CVE-2022-37599

Vulnerable Libraries - loader-utils-2.0.2.tgz, loader-utils-1.4.0.tgz

loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • nuxt-2.15.8.tgz (Root Library)
    • webpack-2.15.8.tgz
      • thread-loader-3.0.4.tgz
        • loader-utils-2.0.2.tgz (Vulnerable Library)

loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/cache-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/webpack/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/postcss-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-style-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • nuxt-2.15.8.tgz (Root Library)
    • webpack-2.15.8.tgz
      • webpack-4.46.0.tgz
        • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json

Dependency Hierarchy:

  • nuxt-2.15.8.tgz (Root Library)
    • webpack-2.15.8.tgz
      • cssnano-4.1.11.tgz
        • cssnano-preset-default-4.0.8.tgz
          • postcss-svgo-4.0.3.tgz
            • svgo-1.3.2.tgz
              • css-select-2.1.0.tgz
                • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

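
CVE-2020-7608 (yargs-parser, in the image-data-uri report above) and CVE-2022-37601 (loader-utils parseQuery, in this report) are the same bug class, prototype pollution: a parser expands user-controlled key names into nested objects and never stops a "__proto__" segment from walking into Object.prototype, so the final assignment becomes visible on every object in the process. The following is an added example, a deliberately minimal option parser rather than either library's code, showing the unsafe path-setter polluting a fresh object and a hardened version that rejects the dangerous segments and builds null-prototype objects. All names here are this example's own.

```javascript
// Added example: prototype pollution through a parsed key, the bug class of
// CVE-2020-7608 (yargs-parser) and CVE-2022-37601 (loader-utils parseQuery).
// Toy parser written for this page; not either library's code.

// Expands a dotted key ("db.host") into nested objects, as option and query
// parsers commonly do. VULNERABLE: segment names are never checked, so for
// "__proto__.polluted" the lookup target["__proto__"] yields Object.prototype
// and the final assignment lands on every object in the process.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject the segments that reach shared prototypes, descend only into
// own properties, and build null-prototype objects so "__proto__" would be an
// ordinary key even if the check were somehow bypassed.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) throw new Error(`refusing to set key segment "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Minimal argv tokenizer: "--k=v", "--k v", or a bare "--flag" (true).
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith('--')) continue; // positionals are ignored in this toy
    const eq = a.indexOf('=');
    if (eq !== -1) pairs.push([a.slice(2, eq), a.slice(eq + 1)]);
    else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) pairs.push([a.slice(2), argv[++i]]);
    else pairs.push([a.slice(2), true]);
  }
  return pairs;
}

function parseArgsUnsafe(argv) {
  const out = {};
  for (const [k, v] of tokenize(argv)) setPathUnsafe(out, k, v);
  return out;
}

function parseArgsSafe(argv) {
  const out = Object.create(null);
  for (const [k, v] of tokenize(argv)) setPathSafe(out, k, v);
  return out;
}

// Runs the same attacker-shaped argv through both parsers. Reports what an
// unrelated, freshly created object sees after the unsafe parse, then undoes
// the damage so the rest of the process is unaffected.
function demonstratePollution() {
  const argv = ['--db.host', 'localhost', '--__proto__.polluted', 'yes'];
  parseArgsUnsafe(argv);
  const leaked = ({}).polluted;           // 'yes': the key now lives on Object.prototype
  delete Object.prototype.polluted;       // clean up
  let safeError = null;
  try { parseArgsSafe(argv); } catch (e) { safeError = e.message; }
  return { leaked, afterCleanup: ({}).polluted, safeError };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstratePollution());
  // { leaked: 'yes', afterCleanup: undefined, safeError: 'refusing to set key segment "__proto__"' }
}
```

The impact depends on what reads the polluted property afterwards: any code that checks an option with `if (config.isAdmin)` or passes an object into a template engine or child_process spawn can be steered by a key the attacker never had direct access to, which is why this class scores 9.8 in the loader-utils report even though the parser itself only writes one property.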

py-1.11.0-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (py version) | Remediation Available
CVE-2022-42969 | High | 7.5 | py-1.11.0-py2.py3-none-any.whl | Direct | N/A |

Details

CVE-2022-42969

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt

Dependency Hierarchy:

  • py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: Oct 16, 2022 6:15:00 AM

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 2 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/a5/42/560d269f604d3e186a57c21a363e77e199358d054884e61b73e405dd217c/numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /generator-main/requirements.txt

Path to vulnerable library: /generator-main/requirements.txt,/tmp/ws-scm/Ai-test,/generator-main/requirements.txt,/extension-cpp-master/cuda

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-33430 Medium 5.3 numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl Direct numpy - 1.21.0
CVE-2021-34141 Medium 5.3 numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl Direct numpy - 1.22.0

Details

CVE-2021-33430

Vulnerable Library - numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/a5/42/560d269f604d3e186a57c21a363e77e199358d054884e61b73e405dd217c/numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /generator-main/requirements.txt

Path to vulnerable library: /generator-main/requirements.txt,/tmp/ws-scm/Ai-test,/generator-main/requirements.txt,/extension-cpp-master/cuda

Dependency Hierarchy:

  • numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; in the (very limited) circumstances in which a user may be able to provoke the buffer overflow, the user is most likely already privileged enough to at least provoke denial of service by exhausting memory. Triggering this further requires the use of an uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.21.0 are vulnerable to CVE-2021-33430

Publish Date: 2021-12-17

URL: CVE-2021-33430

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430

Release Date: 2021-12-17

Fix Resolution: numpy - 1.21.0

CVE-2021-34141

Vulnerable Library - numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/a5/42/560d269f604d3e186a57c21a363e77e199358d054884e61b73e405dd217c/numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /generator-main/requirements.txt

Path to vulnerable library: /generator-main/requirements.txt,/tmp/ws-scm/Ai-test,/generator-main/requirements.txt,/extension-cpp-master/cuda

Dependency Hierarchy:

  • numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0

groovy-1.8.6.jar: 2 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - groovy-1.8.6.jar

Groovy: A powerful, dynamic language for the JVM

Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle

Path to vulnerable library: /gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2016-6814 High 9.8 groovy-1.8.6.jar Direct 2.4.8
CVE-2015-3253 Medium 5.6 groovy-1.8.6.jar Direct 2.4.4

Details

CVE-2016-6814

Vulnerable Library - groovy-1.8.6.jar

Groovy: A powerful, dynamic language for the JVM

Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle

Path to vulnerable library: /gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar

Dependency Hierarchy:

  • groovy-1.8.6.jar (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Publish Date: 2018-01-18

URL: CVE-2016-6814

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814

Release Date: 2018-01-18

Fix Resolution: 2.4.8

CVE-2015-3253

Vulnerable Library - groovy-1.8.6.jar

Groovy: A powerful, dynamic language for the JVM

Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle

Path to vulnerable library: /gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar

Dependency Hierarchy:

  • groovy-1.8.6.jar (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Publish Date: 2015-08-13

URL: CVE-2015-3253

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: http://groovy-lang.org/security.html

Release Date: 2015-08-13

Fix Resolution: 2.4.4

protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /runx-0.0.5/requirements.txt

Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/runx-0.0.5

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-1941 High 7.5 protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl Direct Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Details

CVE-2022-1941

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /runx-0.0.5/requirements.txt

Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/runx-0.0.5

Dependency Hierarchy:

  • protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

yargs-5.0.0.tgz: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - yargs-5.0.0.tgz

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2020-7608 Medium 5.3 yargs-parser-3.2.0.tgz Transitive 7.0.0

Details

CVE-2020-7608

Vulnerable Library - yargs-parser-3.2.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-3.2.0.tgz

Dependency Hierarchy:

  • yargs-5.0.0.tgz (Root Library)
    • yargs-parser-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 5.0.0-security.0

Direct dependency fix Resolution (yargs): 7.0.0

bleach-3.1.0-py37_0.conda: 5 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2020-6817 High 7.5 bleach-3.1.0-py37_0.conda Direct bleach - 3.1.4
CVE-2020-6816 Medium 6.1 bleach-3.1.0-py37_0.conda Direct bleach - 3.1.2
CVE-2020-6802 Medium 6.1 bleach-3.1.0-py37_0.conda Direct 3.1.1
WS-2021-0011 Medium 6.1 bleach-3.1.0-py37_0.conda Direct bleach - 3.3.0
CVE-2021-23980 Medium 6.1 bleach-3.1.0-py37_0.conda Direct bleach - 3.3.0

Details

CVE-2020-6817

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

  • bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A regular expression denial-of-service (ReDoS) was found in Bleach before 3.1.4.

Publish Date: 2020-04-01

URL: CVE-2020-6817

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-01

Fix Resolution: bleach - 3.1.4

CVE-2020-6816

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

  • bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Mozilla Bleach before 3.12, there is a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False is used.

Publish Date: 2020-03-24

URL: CVE-2020-6816

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6xf-fq7q-8743

Release Date: 2020-03-24

Fix Resolution: bleach - 3.1.2

CVE-2020-6802

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

  • bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

Publish Date: 2020-03-24

URL: CVE-2020-6802

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q65m-pv3f-wr5r

Release Date: 2020-03-24

Fix Resolution: 3.1.1

WS-2021-0011

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

  • bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Mozilla Bleach before 3.3.0, there is a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False is used.

Publish Date: 2021-02-01

URL: WS-2021-0011

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-vv2x-vrpj-qqpq

Release Date: 2021-02-01

Fix Resolution: bleach - 3.3.0

CVE-2021-23980

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

  • bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A flaw was found in bleach before 3.3.0. A mutation XSS affects users calling "bleach.clean". This was fixed in commit 1334134

Publish Date: 2021-01-14

URL: CVE-2021-23980

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/PYSEC-2021-865

Release Date: 2021-01-14

Fix Resolution: bleach - 3.3.0

PyJWT-1.7.1-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - PyJWT-1.7.1-py2.py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-29217 High 7.5 PyJWT-1.7.1-py2.py3-none-any.whl Direct PyJWT - 2.4.0

Details

CVE-2022-29217

Vulnerable Library - PyJWT-1.7.1-py2.py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Dependency Hierarchy:

  • PyJWT-1.7.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The impact is limited because algorithms=jwt.algorithms.get_default_algorithms() has to be used for the issue to apply. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit about the algorithms that are accepted and expected when decoding.

Publish Date: 2022-05-24

URL: CVE-2022-29217

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217

Release Date: 2022-05-24

Fix Resolution: PyJWT - 2.4.0

mpmath-1.2.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - mpmath-1.2.1-py3-none-any.whl

Python library for arbitrary-precision floating-point arithmetic

Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-29063 High 7.5 mpmath-1.2.1-py3-none-any.whl Direct N/A

Details

CVE-2021-29063

Vulnerable Library - mpmath-1.2.1-py3-none-any.whl

Python library for arbitrary-precision floating-point arithmetic

Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt

Dependency Hierarchy:

  • mpmath-1.2.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
Mend Note: After conducting further research, Mend has determined that all versions of mpmath through 1.2.1 are vulnerable to CVE-2021-29063.

Publish Date: 2021-06-21

URL: CVE-2021-29063

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Jinja2-2.8-py2.py3-none-any.whl: 3 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2019-10906 Medium 5.3 Jinja2-2.8-py2.py3-none-any.whl Direct 2.10.1
CVE-2016-10745 Medium 5.3 Jinja2-2.8-py2.py3-none-any.whl Direct 2.8.1
CVE-2020-28493 Medium 5.3 Jinja2-2.8-py2.py3-none-any.whl Direct Jinja2 - 2.11.3

Details

CVE-2019-10906

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Dependency Hierarchy:

  • Jinja2-2.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Publish Date: 2019-04-07

URL: CVE-2019-10906

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906

Release Date: 2020-08-24

Fix Resolution: 2.10.1

CVE-2016-10745

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Dependency Hierarchy:

  • Jinja2-2.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

Publish Date: 2019-04-08

URL: CVE-2016-10745

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745

Release Date: 2019-04-08

Fix Resolution: 2.8.1

CVE-2020-28493

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Dependency Hierarchy:

  • Jinja2-2.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493

Release Date: 2021-02-01

Fix Resolution: Jinja2 - 2.11.3


starlette-0.13.2-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - starlette-0.13.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl

Path to dependency file: /sprites-as-a-service-0.5.0/backend/requirements.txt

Path to vulnerable library: /sprites-as-a-service-0.5.0/backend/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: WS-2020-0300; Severity: High; CVSS: 7.5; Dependency: starlette-0.13.2-py3-none-any.whl; Type: Direct; Fixed in: starlette - 0.13.5

Details

WS-2020-0300

Vulnerable Library - starlette-0.13.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl

Path to dependency file: /sprites-as-a-service-0.5.0/backend/requirements.txt

Path to vulnerable library: /sprites-as-a-service-0.5.0/backend/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1

Dependency Hierarchy:

  • starlette-0.13.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

Path Traversal vulnerability was found in starlette before 0.13.5. The vulnerability allows a remote attacker to perform directory traversal attacks. The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Publish Date: 2020-06-23

URL: WS-2020-0300

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2020-06-23

Fix Resolution: starlette - 0.13.5


canvas-2.8.0.tgz: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - canvas-2.8.0.tgz

Path to dependency file: /nft-art-generator-main/package.json

Path to vulnerable library: /nft-art-generator-main/node_modules/minimatch/package.json,/canvas-sketch-cli-1.11.20/node_modules/minimatch/package.json

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-3517; Severity: High; CVSS: 7.5; Dependency: minimatch-3.0.4.tgz; Type: Transitive; Fixed in (canvas version): N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /nft-art-generator-main/package.json

Path to vulnerable library: /nft-art-generator-main/node_modules/minimatch/package.json,/canvas-sketch-cli-1.11.20/node_modules/minimatch/package.json

Dependency Hierarchy:

  • canvas-2.8.0.tgz (Root Library)
    • node-pre-gyp-1.0.5.tgz
      • rimraf-3.0.2.tgz
        • glob-7.1.7.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: Oct 17, 2022 8:15:00 PM

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: Oct 17, 2022 8:15:00 PM

Fix Resolution: minimatch - 3.0.5


py-1.11.0-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 5.3) - autoclosed

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-42969; Severity: Medium; CVSS: 5.3; Dependency: py-1.11.0-py2.py3-none-any.whl; Type: Direct; Fixed in: py - 1.5.0

Details

CVE-2022-42969

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/Ai-test

Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt

Dependency Hierarchy:

  • py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-42969

Release Date: 2022-10-16

Fix Resolution: py - 1.5.0


streamlit-0.72.0-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 6.5)

Vulnerable Library - streamlit-0.72.0-py2.py3-none-any.whl

The fastest way to build data apps in Python

Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-35918; Severity: Medium; CVSS: 6.5; Dependency: streamlit-0.72.0-py2.py3-none-any.whl; Type: Direct; Fixed in: streamlit - 1.11.1

Details

CVE-2022-35918

Vulnerable Library - streamlit-0.72.0-py2.py3-none-any.whl

The fastest way to build data apps in Python

Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda

Dependency Hierarchy:

  • streamlit-0.72.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

Streamlit is a data-oriented application development framework for Python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system, such as server logs, world-readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths, and the Streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-08-01

URL: CVE-2022-35918

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35918

Release Date: 2022-08-01

Fix Resolution: streamlit - 1.11.1


html-minifier-3.5.17.tgz: 1 vulnerability (highest severity is: 9.8)

Vulnerable Library - html-minifier-3.5.17.tgz

Path to dependency file: /canvas-sketch-cli-1.11.20/package.json

Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/html-minifier/node_modules/uglify-js/package.json

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-37598; Severity: High; CVSS: 9.8; Dependency: uglify-js-3.4.2.tgz; Type: Transitive; Fixed in: 4.0.0

Details

CVE-2022-37598

Vulnerable Library - uglify-js-3.4.2.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.2.tgz

Path to dependency file: /canvas-sketch-cli-1.11.20/package.json

Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/html-minifier/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • html-minifier-3.5.17.tgz (Root Library)
    • uglify-js-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (html-minifier): 4.0.0


PyYAML-5.3.1.tar.gz: 1 vulnerability (highest severity is: 9.8)

Vulnerable Library - PyYAML-5.3.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2020-14343; Severity: High; CVSS: 9.8; Dependency: PyYAML-5.3.1.tar.gz; Type: Direct; Fixed in: PyYAML - 5.4

Details

CVE-2020-14343

Vulnerable Library - PyYAML-5.3.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Dependency Hierarchy:

  • PyYAML-5.3.1.tar.gz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Publish Date: 2021-02-09

URL: CVE-2020-14343

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343

Release Date: 2021-02-09

Fix Resolution: PyYAML - 5.4


py-1.10.0-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-42969; Severity: High; CVSS: 7.5; Dependency: py-1.10.0-py2.py3-none-any.whl; Type: Direct; Fixed in (py version): N/A

Details

CVE-2022-42969

Vulnerable Library - py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test

Dependency Hierarchy:

  • py-1.10.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: Oct 16, 2022 6:15:00 AM

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High



react-native-svg-12.1.0.tgz: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - react-native-svg-12.1.0.tgz

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2021-3803; Severity: High; CVSS: 7.5; Dependency: nth-check-1.0.2.tgz; Type: Transitive; Fixed in (react-native-svg version): 12.3.0

Details

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json

Dependency Hierarchy:

  • react-native-svg-12.1.0.tgz (Root Library)
    • css-select-2.1.0.tgz
      • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: Sep 17, 2021 7:15:00 AM

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: Sep 17, 2021 7:15:00 AM

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (react-native-svg): 12.3.0


MattEland.ML.Common-1.0.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - MattEland.ML.Common-1.0.0

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-1941; Severity: High; CVSS: 7.5; Dependency: google.protobuf.3.19.4.nupkg; Type: Transitive; Fixed in (MattEland.ML.Common version): N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-1941

Vulnerable Library - google.protobuf.3.19.4.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Dependency Hierarchy:

  • MattEland.ML.Common-1.0.0 (Root Library)
    • microsoft.ml.automl.0.19.1.nupkg
      • microsoft.ml.vision.1.7.1.nupkg
        • microsoft.ml.tensorflow.1.7.1.nupkg
          • google.protobuf.3.19.4.nupkg (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: Sep 22, 2022 3:15:00 PM

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: Sep 22, 2022 3:15:00 PM

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6


MattEland.ML.TimeAndSpace.Core-1.0.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - MattEland.ML.TimeAndSpace.Core-1.0.0

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg,/tmp/ws-ua_20221024140104_FQZMAS/dotnet_UYVIFD/20221024140104/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-1941; Severity: High; CVSS: 7.5; Dependency: google.protobuf.3.19.4.nupkg; Type: Transitive; Fixed in (MattEland.ML.TimeAndSpace.Core version): N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-1941

Vulnerable Library - google.protobuf.3.19.4.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.Common/MattEland.ML.Common.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg,/tmp/ws-ua_20221024140104_FQZMAS/dotnet_UYVIFD/20221024140104/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg

Dependency Hierarchy:

  • MattEland.ML.TimeAndSpace.Core-1.0.0 (Root Library)
    • microsoft.ml.automl.0.19.1.nupkg
      • microsoft.ml.vision.1.7.1.nupkg
        • microsoft.ml.tensorflow.1.7.1.nupkg
          • google.protobuf.3.19.4.nupkg (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: Sep 22, 2022 3:15:00 PM

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: Sep 22, 2022 3:15:00 PM

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6


oauthlib-3.2.1-py3-none-any.whl: 1 vulnerability (highest severity is: 6.5)

Vulnerable Library - oauthlib-3.2.1-py3-none-any.whl

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl

Path to dependency file: /imagen-pytorch-1.11.12

Path to vulnerable library: /imagen-pytorch-1.11.12,/_tests_requirements.txt,/tmp/ws-scm/Ai-test,/MM-RealSR-1.0.0,/requirements.txt,/extension-cpp-master/cuda,/PRNet-master/requirements.txt,/Jupyter-master/requirements.txt,/MM-RealSR-1.0.0/requirements.txt

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2022-36087; Severity: Medium; CVSS: 6.5; Dependency: oauthlib-3.2.1-py3-none-any.whl; Type: Direct; Fixed in: N/A

Details

CVE-2022-36087

Vulnerable Library - oauthlib-3.2.1-py3-none-any.whl

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl

Path to dependency file: /imagen-pytorch-1.11.12

Path to vulnerable library: /imagen-pytorch-1.11.12,/_tests_requirements.txt,/tmp/ws-scm/Ai-test,/MM-RealSR-1.0.0,/requirements.txt,/extension-cpp-master/cuda,/PRNet-master/requirements.txt,/Jupyter-master/requirements.txt,/MM-RealSR-1.0.0/requirements.txt

Dependency Hierarchy:

  • oauthlib-3.2.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing a malicious redirect URI can cause a denial of service. An attacker can also leverage usage of the uri_validate functions, depending on where they are used. OAuthLib applications using OAuth2.0 provider support or using uri_validate directly are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.

Publish Date: 2022-09-09

URL: CVE-2022-36087

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High



microsoft.ml.1.7.1.nupkg: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - microsoft.ml.1.7.1.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.3/newtonsoft.json.10.0.3.nupkg

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

  • CVE: CVE-2019-0820; Severity: High; CVSS: 7.5; Dependency: system.text.regularexpressions.4.3.0.nupkg; Type: Transitive; Fixed in: N/A
  • CVE: WS-2022-0161; Severity: High; CVSS: 7.5; Dependency: newtonsoft.json.10.0.3.nupkg; Type: Transitive; Fixed in: N/A
  • CVE: CVE-2018-8292; Severity: Medium; CVSS: 5.3; Dependency: system.net.http.4.3.0.nupkg; Type: Transitive; Fixed in: N/A

Details

CVE-2019-0820

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • microsoft.ml.1.7.1.nupkg (Root Library)
    • newtonsoft.json.10.0.3.nupkg
      • system.xml.xmldocument.4.3.0.nupkg
        • system.xml.readerwriter.4.3.0.nupkg
          • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1


WS-2022-0161

Vulnerable Library - newtonsoft.json.10.0.3.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.10.0.3.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.3/newtonsoft.json.10.0.3.nupkg

Dependency Hierarchy:

  • microsoft.ml.1.7.1.nupkg (Root Library)
    • newtonsoft.json.10.0.3.nupkg (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverflow exceptions (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0


CVE-2018-8292

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • microsoft.ml.1.7.1.nupkg (Root Library)
    • newtonsoft.json.10.0.3.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

glslify-6.3.0.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - glslify-6.3.0.tgz

Path to dependency file: /canvas-sketch-cli-1.11.20/package.json

Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Vulnerabilities

CVE            Severity   CVSS   Dependency         Type         Fixed in   Remediation Available
WS-2020-0042   High       7.5    acorn-5.7.4.tgz    Transitive   6.3.1

Details

WS-2020-0042

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /canvas-sketch-cli-1.11.20/package.json

Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json

Dependency Hierarchy:

  • glslify-6.3.0.tgz (Root Library)
    • falafel-2.1.0.tgz
      • acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d

Found in base branch: main

Vulnerability Details

acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability, leading to a Denial of Service. The string is not valid UTF-16, which normally results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (glslify): 6.3.1
