adamoswald / ai-test
This project is either going to become the most dangerous computer virus the world has and ever will see or it will actually go smoothly (I really hope it isn’t the former)
The XML C parser and toolkit of Gnome
Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-29824 | Medium | 6.5 | libxml2-2.9.9-he19cac6_0.conda | Direct | v2.9.14 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
Publish Date: 2022-05-03
URL: CVE-2022-29824
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
Release Date: 2022-05-03
Fix Resolution: v2.9.14
Step up your Open Source Security Game with Mend here
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/openai-python-0.22.1,/wombopy-main
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.25.11-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-1747 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | pyyaml - 5.3.1 | |
CVE-2019-20477 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | 5.2 | |
CVE-2020-14343 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | PyYAML - 5.4 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Publish Date: 2020-03-24
URL: CVE-2020-1747
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6757-jp84-gxfx
Release Date: 2020-03-24
Fix Resolution: pyyaml - 5.3.1
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-43138 | High | 7.8 | async-2.6.1.tgz | Transitive | 4.0.2 |
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (archiver): 4.0.2
Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.19.1/3ac913b600589dba649abe56d70889cb797bbb1a/protobuf-javalite-3.19.1.jar
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (logrocket version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-3171 | High | 7.5 | protobuf-javalite-3.19.1.jar | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Lite version of Protocol Buffers library. This version is optimized for code size, but does not guarantee API/ABI stability.
Library home page: https://developers.google.com/protocol-buffers/
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: Oct 12, 2022 11:15:00 PM
URL: CVE-2022-3171
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: Oct 12, 2022 11:15:00 PM
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-43138 | High | 7.8 | async-1.5.2.tgz | Direct | 2.6.4 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: 2.6.4
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | google.protobuf.3.19.4.nupkg | Transitive | N/A |
C# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
Protocol Buffers
Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | |
CVE-2020-7212 | High | 7.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | urllib3 - 1.25.8 | |
CVE-2020-26137 | Medium | 6.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | 1.25.9 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Publish Date: 2020-03-06
URL: CVE-2020-7212
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hmv2-79q8-fv6g
Release Date: 2020-03-09
Fix Resolution: urllib3 - 1.25.8
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /runx-0.0.5/requirements.txt
Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/paperspace-python-0.2.0,/extension-cpp-master/requirements.txt,/Bobber-6.3.1,/runx-0.0.5,/PRNet-master/requirements.txt,/extension-cpp-master/cuda,/MM-RealSR-1.0.0/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/Jupyter-master/requirements.txt,/requirements.txt,/Jupyter-master/requirements.txt,/DALLE2-pytorch-1.10.6,/PRNet-master/requirements.txt,/dalle-mini-0.1.1,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1,/MM-RealSR-1.0.0/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt,/tmp/ws-scm/Ai-test,/_tests_requirements.txt,/imagen-pytorch-1.11.12,/MM-RealSR-1.0.0
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-34141 | Medium | 5.3 | numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-PBHPIP-requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-9423 | High | 7.8 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30 | |
CVE-2019-14493 | High | 7.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 | |
CVE-2019-14492 | High | 7.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 | |
CVE-2019-19624 | Medium | 6.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.0.25 | |
CVE-2019-14491 | Medium | 6.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 | |
CVE-2019-15939 | Medium | 5.9 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.1.26 | |
CVE-2019-16249 | Medium | 5.3 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.1.26 |
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: Android. Versions: Android-10. Android ID: A-110986616
Publish Date: 2019-09-27
URL: CVE-2019-9423
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-9423
Release Date: 2019-09-27
Fix Resolution: opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp.
Publish Date: 2019-08-01
URL: CVE-2019-14493
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3448-vrgh-85xr
Release Date: 2019-08-01
Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
Publish Date: 2019-08-01
URL: CVE-2019-14492
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fw99-f933-rgh8
Release Date: 2020-04-17
Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifically, variable coarsest_scale is assumed to be greater than or equal to finest_scale within the calc()/ocl_calc() functions in dis_flow.cpp. However, this is not true when dealing with small images, leading to an out-of-bounds read of the heap-allocated arrays Ux and Uy.
Publish Date: 2019-12-06
URL: CVE-2019-19624
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jggw-2q6g-c3m6
Release Date: 2019-12-17
Fix Resolution: OpenCV-Python - 4.1.0.25
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrdered<cv::HaarEvaluator> in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
Publish Date: 2019-08-01
URL: CVE-2019-14491
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fm39-cw8h-3p63
Release Date: 2019-12-02
Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.
Publish Date: 2019-09-05
URL: CVE-2019-15939
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hxfw-jm98-v4mq
Release Date: 2019-09-05
Fix Resolution: OpenCV-Python - 4.1.1.26
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.
Publish Date: 2019-09-11
URL: CVE-2019-16249
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x3rm-644h-67m8
Release Date: 2019-12-03
Fix Resolution: OpenCV-Python - 4.1.1.26
Path to dependency file: /nft-art-generator-main/package.json
Path to vulnerable library: /nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-7608 | Medium | 5.3 | yargs-parser-7.0.0.tgz | Transitive | N/A |
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz
Path to dependency file: /nft-art-generator-main/package.json
Path to vulnerable library: /nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3807 | High | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 5.0.0 |
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (table): 5.0.0
An implementation of the WebSocket Protocol (RFC 6455 & 7692)
Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /openai-python-0.22.1
Path to vulnerable library: /openai-python-0.22.1
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33880 | Medium | 5.9 | websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl | Direct | websockets - 9.1 |
An implementation of the WebSocket Protocol (RFC 6455 & 7692)
Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /openai-python-0.22.1
Path to vulnerable library: /openai-python-0.22.1
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
Publish Date: 2021-06-06
URL: CVE-2021-33880
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33880
Release Date: 2021-06-06
Fix Resolution: websockets - 9.1
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (numpy version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-34141 | Medium | 5.3 | numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 |
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: Dec 17, 2021 7:15:00 PM
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: Dec 17, 2021 7:15:00 PM
Fix Resolution: numpy - 1.22.0
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-37601 | High | 9.8 | loader-utils-1.4.0.tgz | Transitive | N/A | |
CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | N/A | |
CVE-2022-37599 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | |
CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | N/A |
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/cache-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/webpack/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/postcss-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-style-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution: loader-utils - v2.0.0
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/loader-utils/package.json
Dependency Hierarchy:
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/cache-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/webpack/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/postcss-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/vue-style-loader/node_modules/loader-utils/package.json,/sprites-as-a-service-0.5.0/frontend/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
Base Score Metrics:
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (py version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-42969 | High | 7.5 | py-1.11.0-py2.py3-none-any.whl | Direct | N/A |
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
Publish Date: Oct 16, 2022 6:15:00 AM
URL: CVE-2022-42969
Base Score Metrics:
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /generator-main/requirements.txt
Path to vulnerable library: /generator-main/requirements.txt,/tmp/ws-scm/Ai-test,/generator-main/requirements.txt,/extension-cpp-master/cuda
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33430 | Medium | 5.3 | numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.21.0 | |
CVE-2021-34141 | Medium | 5.3 | numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 |
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /generator-main/requirements.txt
Path to vulnerable library: /generator-main/requirements.txt,/tmp/ws-scm/Ai-test,/generator-main/requirements.txt,/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; in the (very limited) circumstances in which a user may be able to provoke the buffer overflow, the user is most likely already privileged enough to at least provoke denial of service by exhausting memory. Triggering this further requires the use of an uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.21.0 are vulnerable to CVE-2021-33430
Publish Date: 2021-12-17
URL: CVE-2021-33430
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430
Release Date: 2021-12-17
Fix Resolution: numpy - 1.21.0
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /generator-main/requirements.txt
Path to vulnerable library: /generator-main/requirements.txt,/tmp/ws-scm/Ai-test,/generator-main/requirements.txt,/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2016-6814 | High | 9.8 | groovy-1.8.6.jar | Direct | 2.4.8 | |
CVE-2015-3253 | Medium | 5.6 | groovy-1.8.6.jar | Direct | 2.4.4 |
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Publish Date: 2018-01-18
URL: CVE-2016-6814
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
Release Date: 2018-01-18
Fix Resolution: 2.4.8
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Publish Date: 2015-08-13
URL: CVE-2015-3253
Base Score Metrics:
Type: Upgrade version
Origin: http://groovy-lang.org/security.html
Release Date: 2015-08-13
Fix Resolution: 2.4.4
Protocol Buffers
Path to dependency file: /runx-0.0.5/requirements.txt
Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/runx-0.0.5
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 |
Protocol Buffers
Path to dependency file: /runx-0.0.5/requirements.txt
Path to vulnerable library: /runx-0.0.5/requirements.txt,/runx-0.0.5/requirements.txt,/runx-0.0.5
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-7608 | Medium | 5.3 | yargs-parser-3.2.0.tgz | Transitive | 7.0.0 |
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-3.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 5.0.0-security.0
Direct dependency fix Resolution (yargs): 7.0.0
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-6817 | High | 7.5 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.1.4 | |
CVE-2020-6816 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.1.2 | |
CVE-2020-6802 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | 3.1.1 | |
WS-2021-0011 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.3.0 | |
CVE-2021-23980 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.3.0 |
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A regular expression denial-of-service (ReDoS) flaw was found in Bleach before 3.1.4.
Publish Date: 2020-04-01
URL: CVE-2020-6817
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution: bleach - 3.1.4
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.
Publish Date: 2020-03-24
URL: CVE-2020-6816
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m6xf-fq7q-8743
Release Date: 2020-03-24
Fix Resolution: bleach - 3.1.2
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Publish Date: 2020-03-24
URL: CVE-2020-6802
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q65m-pv3f-wr5r
Release Date: 2020-03-24
Fix Resolution: 3.1.1
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.
Publish Date: 2021-02-01
URL: WS-2021-0011
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution: bleach - 3.3.0
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /naconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A flaw was found in bleach before 3.3.0. A mutation XSS affects users calling "bleach.clean". This was fixed in commit 1334134
Publish Date: 2021-01-14
URL: CVE-2021-23980
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/PYSEC-2021-865
Release Date: 2021-01-14
Fix Resolution: bleach - 3.3.0
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-29217 | High | 7.5 | PyJWT-1.7.1-py2.py3-none-any.whl | Direct | PyJWT - 2.4.0 |
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution: PyJWT - 2.4.0
Python library for arbitrary-precision floating-point arithmetic
Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29063 | High | 7.5 | mpmath-1.2.1-py3-none-any.whl | Direct | N/A |
Python library for arbitrary-precision floating-point arithmetic
Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
Mend Note: After conducting further research, Mend has determined that all versions of mpmath through 1.2.1 are vulnerable to CVE-2021-29063.
Publish Date: 2021-06-21
URL: CVE-2021-29063
Base Score Metrics:
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-10906 | Medium | 5.3 | Jinja2-2.8-py2.py3-none-any.whl | Direct | 2.10.1 | |
CVE-2016-10745 | Medium | 5.3 | Jinja2-2.8-py2.py3-none-any.whl | Direct | 2.8.1 | |
CVE-2020-28493 | Medium | 5.3 | Jinja2-2.8-py2.py3-none-any.whl | Direct | Jinja2 - 2.11.3 |
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
Publish Date: 2019-04-07
URL: CVE-2019-10906
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
Release Date: 2020-08-24
Fix Resolution: 2.10.1
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
Publish Date: 2019-04-08
URL: CVE-2016-10745
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
Release Date: 2019-04-08
Fix Resolution: 2.8.1
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Publish Date: 2021-02-01
URL: CVE-2020-28493
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493
Release Date: 2021-02-01
Fix Resolution: Jinja2 - 2.11.3
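The urlize ReDoS above comes from a single anchored regex that pairs a lazy middle with a repeated trailing-punctuation group, so the engine re-tries that trailing group at every candidate split point of the word. The following is an added example written for this page, not Jinja's code: it reconstructs a pattern of that shape with punctuation tables of my own choosing (LEAD and TRAIL are assumptions, not Jinja's tables) and shows the equivalent two-scan split that never backtracks.

```python
import re

# Token sets constructed for this example. They are the kind of leading and
# trailing punctuation a urlize-style filter strips from a word; they are not
# a copy of Jinja's own tables or of its _punctuation_re.
LEAD = ("(", "<", "&lt;")
TRAIL = (".", ",", ")", ">", "\n", "&gt;")

# A regex of the shape the advisory describes: optional lead, a lazy middle,
# and a repeated trailing group anchored at end of string. For a word that ends
# in a long run of ')' followed by one ordinary character, every candidate
# middle forces the trailing group to be matched and then backtracked, which is
# O(n^2) work before the engine settles on "no trail at all".
PUNCT_SPLIT_RE = re.compile(
    r"^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$"
    % ("|".join(map(re.escape, LEAD)), "|".join(map(re.escape, TRAIL))),
    re.DOTALL,
)


def split_regex(word):
    """Backtracking split into (lead, middle, trail)."""
    m = PUNCT_SPLIT_RE.match(word)
    return m.group("lead"), m.group("middle"), m.group("trail")


# Longest token first so a multi-character token is peeled as one unit. The
# tokens above do not overlap (the entities end in ';', not in '<' or '>'),
# so a single pass per side reproduces the regex's greedy lead/trail.
_LEAD_BY_LEN = sorted(LEAD, key=len, reverse=True)
_TRAIL_BY_LEN = sorted(TRAIL, key=len, reverse=True)


def split_linear(word):
    """Same split with two scans and no backtracking: O(len(word) * len(tokens))."""
    i = 0
    while True:  # peel leading tokens from the front
        for tok in _LEAD_BY_LEN:
            if word.startswith(tok, i):
                i += len(tok)
                break
        else:
            break
    j = len(word)
    while j > i:  # peel trailing tokens from the back, never into the lead
        for tok in _TRAIL_BY_LEN:
            if j - len(tok) >= i and word.endswith(tok, i, j):
                j -= len(tok)
                break
        else:
            break
    return word[:i], word[i:j], word[j:]


def splits_agree(words):
    """True when both splitters give the same (lead, middle, trail) for every word."""
    return all(split_regex(w) == split_linear(w) for w in words)


if __name__ == "__main__":
    samples = ["(hello).", "&lt;a&gt;", "<>", ")))", "(((", "a\n",
               "x" + ")" * 30 + "y", "http://example.com/path)."]
    for w in samples:
        print(repr(w), split_linear(w))
    print("both splitters agree:", splits_agree(samples))
```

The linear version looks at each character a bounded number of times regardless of how the punctuation is arranged. Where a third-party filter cannot be replaced, the other mitigations the advisory lists (request timeouts, process memory limits) bound the damage of a slow match rather than its cost.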
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl
Path to dependency file: /sprites-as-a-service-0.5.0/backend/requirements.txt
Path to vulnerable library: /sprites-as-a-service-0.5.0/backend/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2020-0300 | High | 7.5 | starlette-0.13.2-py3-none-any.whl | Direct | starlette - 0.13.5 |
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl
Path to dependency file: /sprites-as-a-service-0.5.0/backend/requirements.txt
Path to vulnerable library: /sprites-as-a-service-0.5.0/backend/requirements.txt,/sprites-as-a-service-0.5.0/backend/requirements.txt,/openai-python-0.22.1
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
Path Traversal vulnerability was found in starlette before 0.13.5. The vulnerability allows a remote attacker to perform directory traversal attacks. The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Publish Date: 2020-06-23
URL: WS-2020-0300
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-06-23
Fix Resolution: starlette - 0.13.5
Path to dependency file: /nft-art-generator-main/package.json
Path to vulnerable library: /nft-art-generator-main/node_modules/minimatch/package.json,/canvas-sketch-cli-1.11.20/node_modules/minimatch/package.json
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (canvas version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /nft-art-generator-main/package.json
Path to vulnerable library: /nft-art-generator-main/node_modules/minimatch/package.json,/canvas-sketch-cli-1.11.20/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 8:15:00 PM
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: Oct 17, 2022 8:15:00 PM
Fix Resolution: minimatch - 3.0.5
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-42969 | Medium | 5.3 | py-1.11.0-py2.py3-none-any.whl | Direct | py - 1.5.0 |
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Ai-test
Path to vulnerable library: /tmp/ws-scm/Ai-test,/extension-cpp-master/cuda,/requirements.txt,/wombopy-main/requirements.txt,/_tests_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
Publish Date: 2022-10-16
URL: CVE-2022-42969
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-42969
Release Date: 2022-10-16
Fix Resolution: py - 1.5.0 (as listed by the scanner; note that this predates the affected range "through 1.11.0" given in the description above, and the second report for this CVE on this page lists no fixed version)
The fastest way to build data apps in Python
Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-35918 | Medium | 6.5 | streamlit-0.72.0-py2.py3-none-any.whl | Direct | streamlit - 1.11.1 |
The fastest way to build data apps in Python
Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Ai-test,/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2022-08-01
URL: CVE-2022-35918
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35918
Release Date: 2022-08-01
Fix Resolution: streamlit - 1.11.1
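The Starlette report above and the Streamlit report above describe the same bug class: a URL path is joined onto a static directory without checking that the result still lies inside it. The following is an added example of the containment check, not Starlette's or Streamlit's own code; safe_join and build_sample_root are names chosen for this example, and the directory tree it creates is constructed.

```python
import os
import tempfile
from urllib.parse import unquote


def safe_join(base_dir, requested):
    """Map a URL path onto a file under base_dir.

    Returns the resolved absolute path, or None when the request would land
    outside base_dir (via '..', percent-encoded '..', a NUL byte, or a
    symlink that points out of the tree). Absolute requests are treated as
    relative to base_dir rather than joined, since os.path.join() would
    otherwise discard base_dir entirely for a leading '/'.
    """
    decoded = unquote(requested)           # decode first: a check done on the
    if "\x00" in decoded:                  # raw string would miss %2e%2e
        return None                        # NUL truncates paths in C file APIs
    # Backslash is treated as a separator too (Windows); empty and '.' segments
    # are dropped so '/etc/passwd' becomes etc/passwd under base_dir.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *segments))
    # Containment is checked after realpath(), i.e. after '..' and symlinks
    # are resolved, and with commonpath() rather than startswith(), which
    # would accept a sibling such as /srv/static-private next to /srv/static.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_sample_root():
    """Create a throwaway tree <root>/static/app.js plus a symlink that escapes
    the tree. Constructed for this example."""
    root = tempfile.mkdtemp(prefix="static-demo-")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "app.js"), "w") as fh:
        fh.write("console.log('ok');\n")
    try:
        os.symlink(os.path.dirname(root), os.path.join(root, "static", "up"))
    except OSError:
        pass  # symlinks unavailable on this host; the other checks still apply
    return root


def symlink_supported(root):
    """True when build_sample_root() managed to plant the escaping symlink."""
    return os.path.islink(os.path.join(root, "static", "up"))


if __name__ == "__main__":
    root = build_sample_root()
    for req in ["static/app.js", "static/../static/app.js", "../../etc/passwd",
                "static/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd",
                "static/up/secret", "static/app.js%00.png"]:
        print(f"{req!r:38} -> {safe_join(root, req)}")
```

The order of operations is the point: decode, then resolve, then compare against the resolved base. Checking for the literal string ".." before decoding, or comparing with startswith(), each leaves a hole that this function closes.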
Path to dependency file: /canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/html-minifier/node_modules/uglify-js/package.json
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-37598 | High | 9.8 | uglify-js-3.4.2.tgz | Transitive | 4.0.0 |
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.2.tgz
Path to dependency file: /canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/html-minifier/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.
Publish Date: 2022-10-20
URL: CVE-2022-37598
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (html-minifier): 4.0.0
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-14343 | High | 9.8 | PyYAML-5.3.1.tar.gz | Direct | PyYAML - 5.4 |
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4
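Every report on this page ends in a "Fixed in" version, and some (oauthlib, the second py report) list none at all. The added example below is not part of the scanner's tooling: it checks a requirements.txt of exact == pins against those versions using numeric comparison, which matters because plain string comparison ranks 2.8 above 2.11.3 and would pass the Jinja2 pin. ADVISORIES is transcribed from the reports on this page, SAMPLE_REQUIREMENTS is constructed from the versions the scanner found, and version_key is a deliberate simplification that ignores pre-release suffixes (use packaging.version in a real audit).

```python
import re

# Advisory table transcribed from the scanner reports on this page:
# normalized package name -> [(advisory id, fixed-in version or None)].
ADVISORIES = {
    "jinja2": [("CVE-2016-10745", "2.8.1"), ("CVE-2019-10906", "2.10.1"),
               ("CVE-2020-28493", "2.11.3")],
    "starlette": [("WS-2020-0300", "0.13.5")],
    "streamlit": [("CVE-2022-35918", "1.11.1")],
    "pyyaml": [("CVE-2020-14343", "5.4")],
    "oauthlib": [("CVE-2022-36087", None)],   # report lists Fixed in: N/A
    # The two py reports disagree (1.5.0 vs N/A) while the description says
    # "through 1.11.0"; treat it as having no fix listed.
    "py": [("CVE-2022-42969", None)],
}

# Constructed for this example from the pins the scanner found on this page.
SAMPLE_REQUIREMENTS = """\
Jinja2==2.8
PyYAML==5.3.1      # inline comments are ignored
streamlit==0.72.0
starlette==0.13.2
oauthlib==3.2.1
py==1.11.0
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """Tuple of ints for a dotted version, so that (2, 8) < (2, 11, 3).
    Simplification: anything after the leading integer of a component
    (pre-release tags such as 'rc1') is ignored."""
    key = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def parse_pins(text):
    """Return {normalized name: version} for every exact '==' pin. Ranges,
    URLs and editable installs are skipped and must be reviewed by hand."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def audit(requirements_text, advisories=ADVISORIES):
    """Return {package: (pinned version, status, [open advisory ids])}.

    "fixed": the pin is at or above every fixed-in version.
    "vulnerable": at least one fix exists that the pin predates.
    "no fix listed": an open advisory has no fixed version to move to
    (takes precedence, since upgrading alone cannot close it).
    "not pinned": the package is in the advisory table but has no exact
    pin, so it is surfaced instead of silently passed.
    """
    pins = parse_pins(requirements_text)
    report = {}
    for package, entries in advisories.items():
        pinned = pins.get(package)
        if pinned is None:
            report[package] = (None, "not pinned", [])
            continue
        open_ids, no_fix = [], False
        for advisory_id, fixed_in in entries:
            if fixed_in is None:
                open_ids.append(advisory_id)
                no_fix = True
            elif version_key(pinned) < version_key(fixed_in):
                open_ids.append(advisory_id)
        if not open_ids:
            status = "fixed"
        elif no_fix:
            status = "no fix listed"
        else:
            status = "vulnerable"
        report[package] = (pinned, status, open_ids)
    return report


if __name__ == "__main__":
    for package, (pinned, status, ids) in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{package:10} {pinned or '-':8} {status:14} {' '.join(ids)}")
```

Two of the six packages come back as "no fix listed": for those an upgrade is not an option, and the remaining choices are removing the dependency (the page's own comments argue about whether py and oauthlib are still needed) or accepting the finding with a documented reason.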
Tracking issue for:
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (py version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-42969 | High | 7.5 | py-1.10.0-py2.py3-none-any.whl | Direct | N/A |
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/extension-cpp-master/cuda,/tmp/ws-scm/Ai-test
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
Publish Date: Oct 16, 2022 6:15:00 AM
URL: CVE-2022-42969
Base Score Metrics:
Looks like these dependencies are no longer a dependency, so this is no longer needed.
Originally posted by @dependabot[bot] in #66 (comment)
this is false
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (react-native-svg version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | 12.3.0 |
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Sep 17, 2021 7:15:00 AM
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Release Date: Sep 17, 2021 7:15:00 AM
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (react-native-svg): 12.3.0
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (MattEland.ML.Common version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | google.protobuf.3.19.4.nupkg | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
C# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: Sep 22, 2022 3:15:00 PM
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: Sep 22, 2022 3:15:00 PM
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg,/tmp/ws-ua_20221024140104_FQZMAS/dotnet_UYVIFD/20221024140104/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in (MattEland.ML.TimeAndSpace.Core version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | google.protobuf.3.19.4.nupkg | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
C# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.Common/MattEland.ML.Common.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg,/tmp/ws-ua_20221024140104_FQZMAS/dotnet_UYVIFD/20221024140104/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: Sep 22, 2022 3:15:00 PM
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: Sep 22, 2022 3:15:00 PM
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl
Path to dependency file: /imagen-pytorch-1.11.12
Path to vulnerable library: /imagen-pytorch-1.11.12,/_tests_requirements.txt,/tmp/ws-scm/Ai-test,/MM-RealSR-1.0.0,/requirements.txt,/extension-cpp-master/cuda,/PRNet-master/requirements.txt,/Jupyter-master/requirements.txt,/MM-RealSR-1.0.0/requirements.txt
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-36087 | Medium | 6.5 | oauthlib-3.2.1-py3-none-any.whl | Direct | N/A |
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl
Path to dependency file: /imagen-pytorch-1.11.12
Path to vulnerable library: /imagen-pytorch-1.11.12,/_tests_requirements.txt,/tmp/ws-scm/Ai-test,/MM-RealSR-1.0.0,/requirements.txt,/extension-cpp-master/cuda,/PRNet-master/requirements.txt,/Jupyter-master/requirements.txt,/MM-RealSR-1.0.0/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of uri_validate functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly uri_validate are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.
Publish Date: 2022-09-09
URL: CVE-2022-36087
Base Score Metrics:
Looks like these dependencies are no longer a dependency, so this is no longer needed.
Originally posted by @dependabot[bot] in #66 (comment)
they are still a dependency
Tracking issue for:
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.3/newtonsoft.json.10.0.3.nupkg
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-0820 | High | 7.5 | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A | |
WS-2022-0161 | High | 7.5 | newtonsoft.json.10.0.3.nupkg | Transitive | N/A | |
CVE-2018-8292 | Medium | 5.3 | system.net.http.4.3.0.nupkg | Transitive | N/A |
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
Json.NET is a popular high-performance JSON framework for .NET
Library home page: https://api.nuget.org/packages/newtonsoft.json.10.0.3.nupkg
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.3/newtonsoft.json.10.0.3.nupkg
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of a StackOverflow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause an SOE within a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) applications.
Publish Date: 2022-06-22
URL: WS-2022-0161
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-06-22
Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0
Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg
Path to dependency file: /WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
Path to dependency file: /canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2020-0042 | High | 7.5 | acorn-5.7.4.tgz | Transitive | 6.3.1 |
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz
Path to dependency file: /canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json
Dependency Hierarchy:
Found in HEAD commit: a1571b8f31d1f56a3a15a788e630e1cadb54908d
Found in base branch: main
acorn is vulnerable to regular expression denial of service (ReDoS). A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a denial of service, since the string is not valid UTF-16 and this results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (glslify): 6.3.1