
bitbucket-pipeline-aws-cloudfront-invalidate's People

Contributors

  • luong-komorebi
  • mend-bolt-for-github[bot]


bitbucket-pipeline-aws-cloudfront-invalidate's Issues

bitbucket-pipes-toolkit-2.2.0.tar.gz: 7 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - bitbucket-pipes-toolkit-2.2.0.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Vulnerabilities

CVE            | Severity | CVSS | Dependency                        | Type       | Fixed in (bitbucket-pipes-toolkit version) | Remediation Possible**
---------------|----------|------|-----------------------------------|------------|--------------------------------------------|-----------------------
CVE-2023-40267 | Critical | 9.8  | GitPython-3.0.8-py3-none-any.whl  | Transitive | N/A*                                       |
CVE-2022-24439 | Critical | 9.8  | GitPython-3.0.8-py3-none-any.whl  | Transitive | N/A*                                       |
CVE-2023-43804 | High     | 8.1  | urllib3-1.26.16-py2.py3-none-any.whl | Transitive | 3.0.0                                   |
CVE-2024-22190 | High     | 7.8  | GitPython-3.0.8-py3-none-any.whl  | Transitive | N/A*                                       |
CVE-2023-40590 | High     | 7.8  | GitPython-3.0.8-py3-none-any.whl  | Transitive | N/A*                                       |
CVE-2023-41040 | Medium   | 6.5  | GitPython-3.0.8-py3-none-any.whl  | Transitive | 3.0.0                                      |
CVE-2023-45803 | Medium   | 4.2  | urllib3-1.26.16-py2.py3-none-any.whl | Transitive | 3.0.0                                   |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
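Five of the seven rows above are marked N/A* because no release of the direct dependency (bitbucket-pipes-toolkit) pulls in a fixed GitPython; the practical remediation is to constrain the transitive package yourself. The following is an added example, not code from this repository or from Mend: it takes a pip-freeze style listing (constructed here from the versions in the report's dependency hierarchy) and the fixed-in versions stated in the "Fix Resolution" lines below, and prints the constraint lines to add to requirements.txt. The FIXED_IN table, FROZEN sample and all function names are this example's own.

```python
"""Added example: which transitive pins must be raised to clear the findings above."""
import re

# Highest "Fix Resolution" stated in the report for each transitive package
# (GitPython 3.1.41 for CVE-2024-22190 also covers the four older GitPython CVEs;
# urllib3 1.26.18 for CVE-2023-45803 also covers CVE-2023-43804).
FIXED_IN = {
    "GitPython": "3.1.41",
    "urllib3": "1.26.18",
}

# Constructed sample of `pip freeze` output in the pipe's container; the
# versions are the ones listed in the report's dependency hierarchies.
FROZEN = """\
bitbucket-pipes-toolkit==2.2.0
docker==4.2.2
requests==2.31.0
urllib3==1.26.16
GitPython==3.0.8
py==1.11.0
pytest==4.3.0
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def normalize(name):
    """pip compares names case-insensitively with '_' and '-' folded together."""
    return name.lower().replace("_", "-")


def parse_version(v):
    """'1.26.16' -> (1, 26, 16). Enough for the plain release versions on this
    page; production code should use packaging.version instead."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def parse_freeze(text):
    """Map normalized package name -> pinned version for every 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def overrides_needed(frozen_text, fixed_in=FIXED_IN):
    """Return {package: (current, fixed)} for each pinned package still below its fix."""
    pins = parse_freeze(frozen_text)
    needed = {}
    for name, fixed in fixed_in.items():
        current = pins.get(normalize(name))
        if current is not None and parse_version(current) < parse_version(fixed):
            needed[name] = (current, fixed)
    return needed


def requirements_overrides(frozen_text, fixed_in=FIXED_IN):
    """Constraint lines to append to requirements.txt, sorted for stable diffs."""
    return [f"{name}>={fixed}" for name, (_, fixed) in sorted(overrides_needed(frozen_text, fixed_in).items())]


if __name__ == "__main__":
    for name, (current, fixed) in overrides_needed(FROZEN).items():
        print(f"{name}: {current} -> needs {fixed}")
    print("\n".join(requirements_overrides(FROZEN)))
```

Adding a constraint line only works if the direct dependency's own requirement admits the newer version; if bitbucket-pipes-toolkit pins GitPython exactly, pip's resolver reports a conflict and the only fix is upgrading or replacing the direct dependency. The py row in the second issue below is different again: py 1.11.0 is its last release, and the way out is a pytest that no longer depends on py (pytest 7.2 and later).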

Details

CVE-2023-40267

Vulnerable Library - GitPython-3.0.8-py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • GitPython-3.0.8-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

Publish Date: 2023-08-11

URL: CVE-2023-40267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-08-11

Fix Resolution: GitPython - 3.1.32

Step up your Open Source Security Game with Mend here

CVE-2022-24439

Vulnerable Library - GitPython-3.0.8-py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • GitPython-3.0.8-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Publish Date: 2022-12-06

URL: CVE-2022-24439

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

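Both GitPython findings above (CVE-2022-24439 and its incomplete fix, CVE-2023-40267) come down to the same thing: strings that reach git clone as a URL or as an option can name a program for git to run. The block below is an added example, not GitPython's code, that re-implements the two checks GitPython later added (a block list of options, and a refusal of "helper::" remote-helper URLs such as ext::) as a stand-alone argv builder, so the rejected inputs can be seen without running git. The UNSAFE_OPTIONS list mirrors the one GitPython uses for clone; the function names, the sample URLs and the "touch /tmp/pwned" payloads are constructed for this example.

```python
"""Added example: validate clone inputs the way GitPython >= 3.1.32 does."""
import re

# Options that let the caller or the remote choose a program for git to execute.
# GitPython refuses these in clone/clone_from unless allow_unsafe_options=True.
UNSAFE_OPTIONS = ("--upload-pack", "-u", "--config", "-c")

# "<helper>::<address>" selects a git remote helper; "ext::" hands the rest of
# the string to a shell, which is the CVE-2022-24439 vector.
_REMOTE_HELPER = re.compile(r"^[A-Za-z0-9_.+-]+::")


class UnsafeCloneInput(ValueError):
    """Raised instead of handing the argument to git."""


def kwarg_to_option(name, value):
    """Dashify keyword arguments the way a GitPython-style wrapper does:
    depth=1 -> '--depth=1', upload_pack='x' -> '--upload-pack=x', u='x' -> '-ux'.
    CVE-2023-40267 was exactly these "non-multi" options escaping the check."""
    flag = name.replace("_", "-")
    if len(flag) == 1:
        return f"-{flag}" if value is True else f"-{flag}{value}"
    return f"--{flag}" if value is True else f"--{flag}={value}"


def check_unsafe_options(options, unsafe=UNSAFE_OPTIONS):
    for opt in options:
        for dashed in unsafe:
            if opt.startswith(dashed):
                raise UnsafeCloneInput(f"option {opt!r} lets git run an attacker-chosen program")


def check_unsafe_url(url):
    if _REMOTE_HELPER.match(url):
        raise UnsafeCloneInput(f"remote-helper transport in URL {url!r}")


def build_clone_argv(url, to_path, multi_options=(), **kwargs):
    """argv for `git clone` with every option checked, both the pre-dashed
    multi_options list and the keyword options."""
    options = list(multi_options) + [kwarg_to_option(k, v) for k, v in kwargs.items()]
    check_unsafe_options(options)
    check_unsafe_url(url)
    # "--" ends option parsing, so a URL or path that starts with "-" is still
    # a positional argument and cannot turn into an option.
    return ["git", "clone", *options, "--", url, to_path]


def is_rejected(url, to_path, multi_options=(), **kwargs):
    """True when build_clone_argv refuses the input (used by the demo and tests)."""
    try:
        build_clone_argv(url, to_path, multi_options, **kwargs)
    except UnsafeCloneInput:
        return True
    return False


if __name__ == "__main__":
    print(build_clone_argv("https://github.com/example/repo.git", "/tmp/repo", depth=1))
    # Constructed payloads: each would run `touch /tmp/pwned` on the cloning host.
    for url, kw in [("ext::sh -c touch% /tmp/pwned", {}),
                    ("https://github.com/example/repo.git", {"upload_pack": "touch /tmp/pwned"}),
                    ("https://github.com/example/repo.git", {"u": "touch /tmp/pwned"})]:
        print(url, kw, "rejected" if is_rejected(url, "/tmp/repo", **kw) else "ACCEPTED")
```

The same shape of check belongs in front of any CLI that accepts a repository URL from pipeline variables: the pipe's own REPOSITORY-style inputs are attacker-influenced whenever a fork or an untrusted branch can trigger the pipeline. Upgrading GitPython to 3.1.32 or later gets the library-level checks; the "--" separator is the extra step for code that builds git command lines itself.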

CVE-2023-43804

Vulnerable Library - urllib3-1.26.16-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/c5/05/c214b32d21c0b465506f95c4f28ccbcba15022e000b043b72b3df7728471/urllib3-1.26.16-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • docker-4.2.2-py2.py3-none-any.whl
      • requests-2.31.0-py3-none-any.whl
        • urllib3-1.26.16-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 does not treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user does not disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution (urllib3): 1.26.17

Direct dependency fix Resolution (bitbucket-pipes-toolkit): 3.0.0


CVE-2024-22190

Vulnerable Library - GitPython-3.0.8-py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • GitPython-3.0.8-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Publish Date: 2024-01-11

URL: CVE-2024-22190

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190

Release Date: 2024-01-11

Fix Resolution: GitPython - 3.1.41


CVE-2023-40590

Vulnerable Library - GitPython-3.0.8-py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • GitPython-3.0.8-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

GitPython is a Python library used to interact with Git repositories. When resolving a program on Windows, Python looks in the current working directory first and only after that in the PATH environment variable. GitPython defaults to running the git command, so if a user runs GitPython from a repository that contains a git.exe or git executable, that program is run instead of the one on the user's PATH. This is more a problem of how Python interacts with Windows; Linux and other OSes are not affected. But people using GitPython probably often run it from the working directory of a repository. An attacker can trick a user into downloading a repository with a malicious git executable; if the user runs or imports GitPython from that directory, the attacker can run arbitrary commands. There is no fix currently available for Windows users, but there are a few mitigations:

  • Default to an absolute path for the git program on Windows, such as C:\Program Files\Git\cmd\git.EXE (the default Git installation path).
  • Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
  • Make this problem prominent in the documentation and advise users never to run GitPython from an untrusted repo, or to set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
  • Resolve the executable manually by looking only in the PATH environment variable.

Publish Date: 2023-08-28

URL: CVE-2023-40590

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wfm5-v35h-vwf4

Release Date: 2023-08-28

Fix Resolution: GitPython - 3.1.33

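CVE-2024-22190 and CVE-2023-40590 above are the same untrusted-search-path problem twice: the git (or bash) binary gets resolved from the current directory, which is the attacker's checkout, before PATH. The block below is an added example, not GitPython's code, of the fourth mitigation listed in the advisory: a resolver that consults PATH entries only, skips the implicit "here" entries (an empty element or ".") that mean the current directory on POSIX, returns an absolute path, and pins that path through GIT_PYTHON_GIT_EXECUTABLE, which is the real environment variable GitPython reads. The demo builds a temporary "untrusted repository" containing its own git next to a trusted bin directory; all paths and the fake script contents are constructed for the example.

```python
"""Added example: resolve git from PATH only, never from the working directory."""
import os
import shutil
import stat
import tempfile


def _is_executable_file(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_from_path(name, path_env):
    """Absolute path of `name` found via the directories in `path_env`, else None.

    Closes the trap that shutil.which() before Python 3.12 and the old GitPython
    lookup left open on Windows: the current directory is never consulted, and
    relative PATH entries (which resolve against the cwd) are skipped as well.
    """
    candidates = [name]
    if os.name == "nt":
        # Windows appends PATHEXT suffixes; try them explicitly instead of relying on the shell.
        exts = os.environ.get("PATHEXT", ".EXE;.BAT;.CMD").split(os.pathsep)
        candidates = [name + ext for ext in exts] + [name]
    for entry in path_env.split(os.pathsep):
        if entry in ("", os.curdir) or not os.path.isabs(entry):
            continue
        for cand in candidates:
            full = os.path.join(entry, cand)
            if _is_executable_file(full):
                return os.path.realpath(full)
    return None


def pin_for_gitpython(exe_path, environ=None):
    """Set GIT_PYTHON_GIT_EXECUTABLE (read by GitPython at import time) to an
    absolute path, so a later chdir() into an untrusted checkout cannot change
    which git runs. Refuses None and relative paths."""
    environ = os.environ if environ is None else environ
    if exe_path is None or not os.path.isabs(exe_path):
        raise ValueError("refusing to pin a missing or relative git executable")
    environ["GIT_PYTHON_GIT_EXECUTABLE"] = exe_path
    return exe_path


def demo():
    """Reproduce the advisory's scenario on disk: a checkout shipping its own
    'git', with the process running from inside it. Returns the chosen path
    alongside the trusted and malicious candidates for comparison."""
    root = tempfile.mkdtemp()
    trusted_dir = os.path.join(root, "bin")
    repo_dir = os.path.join(root, "untrusted-repo")
    os.makedirs(trusted_dir)
    os.makedirs(repo_dir)
    trusted = os.path.join(trusted_dir, "git")
    malicious = os.path.join(repo_dir, "git")
    for p in (trusted, malicious):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho fake git\n")  # constructed stand-in, never executed here
        os.chmod(p, os.stat(p).st_mode | stat.S_IRUSR | stat.S_IXUSR)
    old_cwd = os.getcwd()
    os.chdir(repo_dir)
    try:
        # Leading "" and "." are the implicit-cwd entries; both must be ignored.
        path_env = os.pathsep.join(["", os.curdir, trusted_dir])
        chosen = resolve_from_path("git", path_env)
        env = {}
        pin_for_gitpython(chosen, env)
        return {
            "chosen": chosen,
            "trusted": os.path.realpath(trusted),
            "malicious": os.path.realpath(malicious),
            "pinned": env["GIT_PYTHON_GIT_EXECUTABLE"],
        }
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The complement, for code that invokes git itself, is to pass the resolved absolute path to subprocess with shell=False; the shell route is what CVE-2024-22190 says reopened the hole after 3.1.33. Upgrading to GitPython 3.1.41 is still the baseline; the pin is what keeps the library from being retargeted when a pipeline runs inside a checkout it did not author.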

CVE-2023-41040

Vulnerable Library - GitPython-3.0.8-py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • GitPython-3.0.8-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory; in some places the name of the file being read is provided by the user, and GitPython does not check whether this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system. The vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175: that code joins the base directory with a user-given string without checking whether the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files, but it could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

Publish Date: 2023-08-30

URL: CVE-2023-41040

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-cwvm-v4w8-q58c

Release Date: 2023-08-30

Fix Resolution (GitPython): 3.1.35

Direct dependency fix Resolution (bitbucket-pipes-toolkit): 3.0.0

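The missing check in CVE-2023-41040 is a containment test: the joined path must still be inside the .git directory after normalisation. The block below is an added example, not GitPython's code, of that test done on the resolved path rather than on the string, so that "..", an absolute ref name, and a symlink planted under refs/ that points outside .git all fail the same way. The temporary .git layout, the ref contents and the file names are constructed for the example.

```python
"""Added example: confine user-supplied ref names to the repository's .git directory."""
import os
import shutil
import tempfile


class RefOutsideGitDir(ValueError):
    """The requested ref resolves to a path outside .git."""


def ref_file_path(git_dir, ref_name):
    """Absolute path of <git_dir>/<ref_name>, or raise RefOutsideGitDir.

    Git's own ref-name rules already forbid ".." and a leading "/"; that string
    check is kept as the first line, but the decision is made on the realpath,
    which also catches symlinks that leave the directory.
    """
    if not ref_name or ref_name.startswith(("/", "\\")) or os.path.isabs(ref_name):
        raise RefOutsideGitDir(ref_name)
    if ".." in ref_name.replace("\\", "/").split("/"):
        raise RefOutsideGitDir(ref_name)
    base = os.path.realpath(git_dir)
    target = os.path.realpath(os.path.join(base, ref_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise RefOutsideGitDir(ref_name)
    return target


def read_ref(git_dir, ref_name):
    """Contents of the ref file (the object id), read only after containment passed."""
    with open(ref_file_path(git_dir, ref_name), "r") as f:
        return f.read().strip()


def demo():
    """Constructed .git with one real ref, a file outside it, and a symlinked ref
    pointing at that file; returns what each lookup did."""
    root = tempfile.mkdtemp()
    git_dir = os.path.join(root, "repo", ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as f:
        f.write("0123456789abcdef0123456789abcdef01234567\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("not a ref\n")
    results = {"main": read_ref(git_dir, "refs/heads/main")}
    for bad in ("../../secret.txt", "refs/heads/../../../secret.txt", secret):
        try:
            read_ref(git_dir, bad)
            results[bad] = "read"
        except RefOutsideGitDir:
            results[bad] = "rejected"
    # A symlink inside refs/ pointing outside .git defeats string checks alone.
    link = os.path.join(git_dir, "refs", "heads", "evil")
    try:
        os.symlink(secret, link)
    except (OSError, NotImplementedError):
        results["symlink"] = "skipped"  # platforms that refuse unprivileged symlinks
    else:
        try:
            read_ref(git_dir, "refs/heads/evil")
            results["symlink"] = "read"
        except RefOutsideGitDir:
            results["symlink"] = "rejected"
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The advisory rates this as denial of service rather than disclosure because the caller only learns whether the path parsed as a ref; the containment check closes both outcomes, and it is cheap enough to run on every ref lookup that takes its name from a branch, tag or pull-request reference supplied to the pipeline.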

CVE-2023-45803

Vulnerable Library - urllib3-1.26.16-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/c5/05/c214b32d21c0b465506f95c4f28ccbcba15022e000b043b72b3df7728471/urllib3-1.26.16-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/test/requirements.txt

Dependency Hierarchy:

  • bitbucket-pipes-toolkit-2.2.0.tar.gz (Root Library)
    • docker-4.2.2-py2.py3-none-any.whl
      • requests-2.31.0-py3-none-any.whl
        • urllib3-1.26.16-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously did not remove the HTTP request body when an HTTP redirect response with status 301, 302, or 303 changed the request's method from one that can carry a request body (like POST) to GET, as is required by the HTTP RFCs. Although this behavior is not specified in the section on redirects, it can be inferred by piecing together information from different sections, and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality, we believe the exploitability of this vulnerability is low. Additionally, many users are not putting sensitive data in HTTP request bodies; if this is the case, the vulnerability is not exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON), and 2. the origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7, and users are advised to update to resolve this issue. Users unable to update should disable automatic redirects with redirects=False for services that are not expected to respond with redirects, and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution (urllib3): 1.26.18

Direct dependency fix Resolution (bitbucket-pipes-toolkit): 3.0.0

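The two urllib3 findings on this page (CVE-2023-43804 and CVE-2023-45803) are both rules about what a client may carry across a redirect: credentials bound to the first origin, and a body that the new method cannot have. The block below is an added example, not urllib3's code, that writes those rules as a pure function over a request and a redirect response so they can be exercised without a network; it is modelled on the patched behaviour as I understand it (Cookie and Authorization dropped when scheme, host or port changes; body and body headers dropped when 301/302/303 rewrites a POST to GET; 307/308 left alone). The SAMPLE_REQUEST and the hostnames are constructed.

```python
"""Added example: redirect hygiene for Cookie headers and request bodies."""
from urllib.parse import urljoin, urlsplit

# Headers bound to the original origin; they must not follow a cross-origin redirect.
CROSS_ORIGIN_SENSITIVE = ("cookie", "authorization", "proxy-authorization")
# Headers that describe a body; they go with it when the body is dropped.
BODY_HEADERS = ("content-length", "content-type", "transfer-encoding")


def origin(url):
    """(scheme, host, port) with default ports filled in, compared as a unit."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def follow_redirect(request, status, location):
    """Return the request to send next for a redirect `status` with `location`.

    request: {"method": str, "url": str, "headers": dict, "body": bytes | None}
    """
    method, url = request["method"], request["url"]
    new_url = urljoin(url, location)
    headers = dict(request["headers"])
    body = request["body"]

    # CVE-2023-45803: 301/302/303 turn a body-carrying method into GET, so the
    # body, and the headers that describe it, must not be re-sent.
    if status in (301, 302, 303) and method.upper() not in ("GET", "HEAD"):
        method = "GET"
        body = None
        headers = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}
    # 307 and 308 preserve method and body by definition: nothing to strip.

    # CVE-2023-43804: credentials for the first origin stay with the first origin.
    if origin(new_url) != origin(url):
        headers = {k: v for k, v in headers.items() if k.lower() not in CROSS_ORIGIN_SENSITIVE}

    return {"method": method, "url": new_url, "headers": headers, "body": body}


# Constructed request: a login POST carrying a session cookie and a JSON body.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://api.example.com/login",
    "headers": {
        "Cookie": "session=abc",
        "Content-Type": "application/json",
        "Content-Length": "16",
        "Accept": "*/*",
    },
    "body": b'{"pw":"hunter2"}',
}


if __name__ == "__main__":
    # A compromised origin answering 302 to an attacker host: neither the cookie
    # nor the password body may follow.
    print(follow_redirect(SAMPLE_REQUEST, 302, "https://evil.example.net/capture"))
    # Same-origin 307: method, body and cookie all legitimately continue.
    print(follow_redirect(SAMPLE_REQUEST, 307, "/v2/login"))
```

With urllib3 itself, the equivalent controls are redirect=False on request() or urlopen() (the parameter is spelled redirect, not redirects as in the advisory text) and Retry(remove_headers_on_redirect=[...]) for the header list; the function above is what to reach for when handling redirects by hand on a version that cannot be upgraded.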

pytest-4.3.0-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - pytest-4.3.0-py2.py3-none-any.whl

Path to dependency file: /test/requirements.txt

Path to vulnerable library: /test/requirements.txt

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Vulnerabilities

CVE            | Severity | CVSS | Dependency                 | Type       | Fixed in (pytest version) | Remediation Possible**
---------------|----------|------|----------------------------|------------|---------------------------|-----------------------
CVE-2022-42969 | High     | 7.5  | py-1.11.0-py2.py3-none-any.whl | Transitive | N/A*                  |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2022-42969

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /test/requirements.txt

Path to vulnerable library: /test/requirements.txt

Dependency Hierarchy:

  • pytest-4.3.0-py2.py3-none-any.whl (Root Library)
    • py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b

Found in base branch: master

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

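The advisory for CVE-2022-42969 names the defect class (ReDoS in the parsing of svn info output) but not the pattern, and this page does not reproduce it. The block below is therefore an added example with a constructed stand-in regex, not py's code: a nested quantifier over overlapping character classes, which is the usual shape of such a bug, next to a rewrite that accepts the same lines in linear time, plus the length guard a parser of tool output should have regardless. The "Path:" lines and the evil input are constructed.

```python
"""Added example: a catastrophic-backtracking pattern and its linear rewrite."""
import re
import time

# Constructed stand-in for the vulnerable class: "(\w+\s?)+" lets the engine
# split a run of word characters in exponentially many ways before it can
# conclude that the trailing "!" makes the line a non-match.
VULNERABLE = re.compile(r"^Path: (\w+\s?)+$")

# Same language, one way to consume each character: tokens are separated by
# exactly one space, so a failure is found after a single backward pass.
SAFE = re.compile(r"^Path: \w+(?: \w+)*$")

MAX_LINE = 1024  # svn info fields are short; anything longer is not worth parsing


def evil_line(n):
    """A line that almost matches: n word characters, then one neither pattern accepts."""
    return "Path: " + "a" * n + "!"


def matches(pattern, line):
    return pattern.match(line) is not None


def time_match(pattern, line):
    """(matched, seconds) so the two patterns can be compared on the same input."""
    t0 = time.perf_counter()
    ok = matches(pattern, line)
    return ok, time.perf_counter() - t0


def parse_paths(text, pattern=SAFE):
    """'Path:' values of the lines that match, with the length guard applied first."""
    out = []
    for line in text.splitlines():
        if len(line) > MAX_LINE:
            continue
        if pattern.match(line):
            out.append(line[len("Path: "):])
    return out


# Constructed excerpt in the style of `svn info` output.
SAMPLE = "Path: trunk src\nURL: http://svn.example/repo/trunk\nPath: docs\n"


if __name__ == "__main__":
    for n in (10, 14, 18):
        _, slow = time_match(VULNERABLE, evil_line(n))
        _, fast = time_match(SAFE, evil_line(n))
        print(f"n={n}: vulnerable {slow:.4f}s, safe {fast:.6f}s")
    print(parse_paths(SAMPLE))
```

Doubling n roughly squares the time for VULNERABLE and barely moves SAFE; that asymmetry, on input a remote Subversion server controls, is the whole finding. Since py 1.11.0 is the last release of the library, the remediation is on the pytest side (newer pytest no longer depends on py), and the length guard above is the mitigation for any parser of remote tool output that cannot be upgraded.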
