luong-komorebi / bitbucket-pipeline-aws-cloudfront-invalidate
License: Other
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
CVE | Severity | CVSS | Dependency | Type | Fixed in (bitbucket-pipes-toolkit version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-40267 | Critical | 9.8 | GitPython-3.0.8-py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2022-24439 | Critical | 9.8 | GitPython-3.0.8-py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2023-43804 | High | 8.1 | urllib3-1.26.16-py2.py3-none-any.whl | Transitive | 3.0.0 | ❌ |
CVE-2024-22190 | High | 7.8 | GitPython-3.0.8-py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2023-40590 | High | 7.8 | GitPython-3.0.8-py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2023-41040 | Medium | 6.5 | GitPython-3.0.8-py3-none-any.whl | Transitive | 3.0.0 | ❌ |
CVE-2023-45803 | Medium | 4.2 | urllib3-1.26.16-py2.py3-none-any.whl | Transitive | 3.0.0 | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Python Git Library
Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Publish Date: 2023-08-11
URL: CVE-2023-40267
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-08-11
Fix Resolution: GitPython - 3.1.32
Step up your Open Source Security Game with Mend here
Python Git Library
Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Publish Date: 2022-12-06
URL: CVE-2022-24439
Base Score Metrics:
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/c5/05/c214b32d21c0b465506f95c4f28ccbcba15022e000b043b72b3df7728471/urllib3-1.26.16-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution (urllib3): 1.26.17
Direct dependency fix Resolution (bitbucket-pipes-toolkit): 3.0.0
Python Git Library
Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Publish Date: 2024-01-11
URL: CVE-2024-22190
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190
Release Date: 2024-01-11
Fix Resolution: GitPython - 3.1.41
Python Git Library
Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the git command; if a user runs GitPython from a repo that has a git.exe or git executable, that program will be run instead of the one in the user's PATH. This is more of a problem on how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user into downloading a repository with a malicious git executable; if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for Windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation). 2: Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path. 4: Resolve the executable manually by only looking into the PATH environment variable.
Publish Date: 2023-08-28
URL: CVE-2023-40590
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wfm5-v35h-vwf4
Release Date: 2023-08-28
Fix Resolution: GitPython - 3.1.33
Python Git Library
Library home page: https://files.pythonhosted.org/packages/9d/38/e11e9376a91d55502ad153ce9391b06fa59741357b9e9d5cc2fc9c23ce93/GitPython-3.0.8-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.
Publish Date: 2023-08-30
URL: CVE-2023-41040
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cwvm-v4w8-q58c
Release Date: 2023-08-30
Fix Resolution (GitPython): 3.1.35
Direct dependency fix Resolution (bitbucket-pipes-toolkit): 3.0.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/c5/05/c214b32d21c0b465506f95c4f28ccbcba15022e000b043b72b3df7728471/urllib3-1.26.16-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution (urllib3): 1.26.18
Direct dependency fix Resolution (bitbucket-pipes-toolkit): 3.0.0
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /test/requirements.txt
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
CVE | Severity | CVSS | Dependency | Type | Fixed in (pytest version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-42969 | High | 7.5 | py-1.11.0-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /test/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1da5a746e3a16f1d8f05c1c4f1b1f5300a8a1c5b
Found in base branch: master
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
Publish Date: 2022-10-16
URL: CVE-2022-42969
Base Score Metrics: