nadgowdas / myapp
License: Apache License 2.0
See package details below.
License | Compliant? | Primary? | Files |
---|---|---|---|
MPL-2.0 | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Apache-2.0 | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Python-2.0 | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Apache-2.0 | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Python-2.0 | ✔️ | ✔️ | |
Apache-2.0 | ✔️ | ✔️ | |
Public Domain | ✔️ | | |
MIT | ✔️ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
MIT | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
BSD-3-Clause | ✔️ | ✔️ | |
Public Domain | ✔️ | | |
GPL-2.0 | ❌ | | |
Python-2.0 | ✔️ | | |
GPL-1.0+ | ❌ | | |
MIT | ✔️ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
MIT | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
MIT | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Apache-2.0 | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Apache-2.0 | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
LGPL-2.1 | ❌ | ✔️ | |
LGPL-2.0+ | ❌ | ✔️ | |
Public Domain | ✔️ | | |
Proprietary | ✔️ | | |
LGPL-2.1+ | ❌ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Apache-2.0 | ✔️ | ✔️ | |
LGPL-2.1 | ❌ | | |
ZPL-2.1 | ✔️ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Python-2.0 | ✔️ | ✔️ | |
Unicode - Data Files and Software | ✔️ | ✔️ | |
BSD-3-Clause | ✔️ | ✔️ | |
ScanSoft Public License 1.2 | ✔️ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
MIT | ✔️ | ✔️ | |
Public Domain | ✔️ | | |
Apache-2.0 | ✔️ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
MIT | ✔️ | ✔️ | |
Public Domain | ✔️ | | |

License | Compliant? | Primary? | Files |
---|---|---|---|
Apache-2.0 | ✔️ | ✔️ | |
GPL-2.0 | ❌ | ✔️ | |
BSD-3-Clause | ✔️ | ✔️ | |

License | Compliant? | Primary? | Files |
---|---|---|---|
BSD-3-Clause | ✔️ | ✔️ | |
ID | Rule | Compliant? |
---|---|---|
5.25 | Ensure the container is restricted from acquiring additional privileges | ? |
5.19 | Ensure mount propagation mode is not set to shared | ? |
5.13 | Ensure incoming container traffic is binded to a specific host interface | ? |
5.8 | Ensure only needed ports are open on the container | ? |
5.26 | Ensure container health is checked at runtime | ? |
5.17 | Ensure host devices are not directly exposed to containers | ? |
5.11 | Ensure CPU priority is set appropriately on the container | ✔️ |
5.6 | Ensure ssh is not run within containers | ? |
5.2 | Ensure SELinux security options are set, if applicable | ? |
5.28 | Ensure PIDs cgroup limit is used | ? |
5.21 | Ensure the default seccomp profile is not Disabled | ? |
5.12 | Ensure the container's root filesystem is mounted as read only | ? |
5.24 | Ensure cgroup usage is confirmed | ? |
5.20 | Ensure the host's UTS namespace is not shared | ? |
5.16 | Ensure the host's IPC namespace is not shared | ✔️ |
5.15 | Ensure the host's process namespace is not shared | ✔️ |
5.9 | Ensure the host's network namespace is not shared | ✔️ |
5.5 | Ensure sensitive host system directories are not mounted on containers | ✔️ |
5.22 | Ensure docker exec commands are not used with privileged option | ? |
5.18 | Ensure the default ulimit is overwritten at runtime, only if needed | ? |
5.14 | Ensure 'on-failure' container restart policy is set to '5' | ? |
5.10 | Ensure memory usage for container is limited | ❌ |
5.7 | Ensure privileged ports are not mapped within containers | ✔️ |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | ✔️ |
5.1 | Ensure AppArmor Profile is Enabled | ? |
5.27 | Ensure docker commands always get the latest version of the image | ? |
5.23 | Ensure docker exec commands are not used with user option | ? |
5.4 | Ensure privileged containers are not used | ✔️ |
5.30 | Ensure the host's user namespaces is not shared | ? |
5.29 | Ensure Docker's default bridge docker0 is not used | ? |
5.31 | Ensure the Docker socket is not mounted inside any containers | ✔️ |
ID | Rule | Compliant? |
---|---|---|
5.1 | Ensure AppArmor Profile is Enabled | ? |
5.2 | Ensure SELinux security options are set, if applicable | ? |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | ✔️ |
5.4 | Ensure privileged containers are not used | ✔️ |
5.5 | Ensure sensitive host system directories are not mounted on containers | ✔️ |
5.6 | Ensure ssh is not run within containers | ? |
5.7 | Ensure privileged ports are not mapped within containers | ✔️ |
5.8 | Ensure only needed ports are open on the container | ? |
5.9 | Ensure the host's network namespace is not shared | ✔️ |
5.10 | Ensure memory usage for container is limited | ❌ |
5.11 | Ensure CPU priority is set appropriately on the container | ✔️ |
5.12 | Ensure the container's root filesystem is mounted as read only | ? |
5.13 | Ensure incoming container traffic is binded to a specific host interface | ? |
5.14 | Ensure 'on-failure' container restart policy is set to '5' | ? |
5.15 | Ensure the host's process namespace is not shared | ✔️ |
5.16 | Ensure the host's IPC namespace is not shared | ✔️ |
5.17 | Ensure host devices are not directly exposed to containers | ? |
5.18 | Ensure the default ulimit is overwritten at runtime, only if needed | ? |
5.19 | Ensure mount propagation mode is not set to shared | ? |
5.20 | Ensure the host's UTS namespace is not shared | ? |
5.21 | Ensure the default seccomp profile is not Disabled | ? |
5.22 | Ensure docker exec commands are not used with privileged option | ? |
5.23 | Ensure docker exec commands are not used with user option | ? |
5.24 | Ensure cgroup usage is confirmed | ? |
5.25 | Ensure the container is restricted from acquiring additional privileges | ? |
5.26 | Ensure container health is checked at runtime | ? |
5.27 | Ensure docker commands always get the latest version of the image | ? |
5.28 | Ensure PIDs cgroup limit is used | ? |
5.29 | Ensure Docker's default bridge docker0 is not used | ? |
5.30 | Ensure the host's user namespaces is not shared | ? |
5.31 | Ensure the Docker socket is not mounted inside any containers | ✔️ |
✅ OS Packages Safe
❌ Pip Packages Safe
No vulnerable os packages found
Total of 1 vulnerable pip packages found
Package Django needs to satisfy this version requirement >= 1.8.15
Contains vulnerability, license and pedigree information for each package
Recommended update : >= 1.8.15
1. Affected Versions : <1.4.18
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
2. Affected Versions : <1.4.20
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
3. Affected Versions : <1.7.11
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
4. Affected Versions : <1.7.6
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @Property.
5. Affected Versions : <1.8.10
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
6. Affected Versions : <1.8.10
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
7. Affected Versions : <1.8.15
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
8. Affected Versions : >=1.2,<1.2.4
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
9. Affected Versions : >=1.2,<1.2.4
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
10. Affected Versions : >=1.2,<1.2.5
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
11. Affected Versions : >=1.2,<1.2.5
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
12. Affected Versions : <1.2.2
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
13. Affected Versions : <1.2.7
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
14. Affected Versions : <1.2.7
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
15. Affected Versions : <1.2.7
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
16. Affected Versions : <1.2.7
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
17. Affected Versions : <1.3.2
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
18. Affected Versions : <1.3.2
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
19. Affected Versions : <1.3.2
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
20. Affected Versions : <1.3.4
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
21. Affected Versions : <1.4.18
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
22. Affected Versions : <1.4.18
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
✅ OS Packages Safe
✅ Pip Packages Safe
No vulnerable os packages found
No vulnerable pip packages found
✅ OS Packages Safe
❌ Pip Packages Safe
No vulnerable os packages found
Total of 1 vulnerable pip packages found
Package Django needs to satisfy this version requirement >= 1.8.15
Recommended update : >= 1.8.15
1. Affected Versions : <1.2.2
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
2. Affected Versions : <1.2.7
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
3. Affected Versions : <1.2.7
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
4. Affected Versions : <1.2.7
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
5. Affected Versions : <1.2.7
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
6. Affected Versions : <1.3.2
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
7. Affected Versions : <1.3.2
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
8. Affected Versions : <1.3.2
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
9. Affected Versions : <1.3.4
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
10. Affected Versions : <1.4.18
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
11. Affected Versions : <1.4.18
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
12. Affected Versions : <1.4.18
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
13. Affected Versions : <1.4.20
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
14. Affected Versions : <1.7.11
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
15. Affected Versions : <1.7.6
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @Property.
16. Affected Versions : <1.8.10
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
17. Affected Versions : <1.8.10
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
18. Affected Versions : <1.8.15
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
19. Affected Versions : >=1.2,<1.2.4
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
20. Affected Versions : >=1.2,<1.2.4
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
21. Affected Versions : >=1.2,<1.2.5
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
22. Affected Versions : >=1.2,<1.2.5
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
OSSC Compliant: False
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
ID | Rule | Compliant? |
---|---|---|
5.25 | Ensure the container is restricted from acquiring additional privileges | |
5.19 | Ensure mount propagation mode is not set to shared | |
5.13 | Ensure incoming container traffic is binded to a specific host interface | |
5.8 | Ensure only needed ports are open on the container | |
5.26 | Ensure container health is checked at runtime | |
5.17 | Ensure host devices are not directly exposed to containers | |
5.11 | Ensure CPU priority is set appropriately on the container | |
5.6 | Ensure ssh is not run within containers | |
5.2 | Ensure SELinux security options are set, if applicable | |
5.28 | Ensure PIDs cgroup limit is used | |
5.21 | Ensure the default seccomp profile is not Disabled | |
5.12 | Ensure the container's root filesystem is mounted as read only | |
5.24 | Ensure cgroup usage is confirmed | |
5.20 | Ensure the host's UTS namespace is not shared | |
5.16 | Ensure the host's IPC namespace is not shared | |
5.15 | Ensure the host's process namespace is not shared | |
5.9 | Ensure the host's network namespace is not shared | |
5.5 | Ensure sensitive host system directories are not mounted on containers | |
5.22 | Ensure docker exec commands are not used with privileged option | |
5.18 | Ensure the default ulimit is overwritten at runtime, only if needed | |
5.14 | Ensure 'on-failure' container restart policy is set to '5' | |
5.10 | Ensure memory usage for container is limited | |
5.7 | Ensure privileged ports are not mapped within containers | |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | |
5.1 | Ensure AppArmor Profile is Enabled | |
5.27 | Ensure docker commands always get the latest version of the image | |
5.23 | Ensure docker exec commands are not used with user option | |
5.4 | Ensure privileged containers are not used | |
5.30 | Ensure the host's user namespaces is not shared | |
5.29 | Ensure Docker's default bridge docker0 is not used | |
5.31 | Ensure the Docker socket is not mounted inside any containers | |
See package details below.
ID | Rule | Compliant? |
---|---|---|
5.25 | Ensure the container is restricted from acquiring additional privileges | ? |
5.19 | Ensure mount propagation mode is not set to shared | ? |
5.13 | Ensure incoming container traffic is binded to a specific host interface | ? |
5.8 | Ensure only needed ports are open on the container | ? |
5.26 | Ensure container health is checked at runtime | ? |
5.17 | Ensure host devices are not directly exposed to containers | ? |
5.11 | Ensure CPU priority is set appropriately on the container | ✔️ |
5.6 | Ensure ssh is not run within containers | ? |
5.2 | Ensure SELinux security options are set, if applicable | ? |
5.28 | Ensure PIDs cgroup limit is used | ? |
5.21 | Ensure the default seccomp profile is not Disabled | ? |
5.12 | Ensure the container's root filesystem is mounted as read only | ? |
5.24 | Ensure cgroup usage is confirmed | ? |
5.20 | Ensure the host's UTS namespace is not shared | ? |
5.16 | Ensure the host's IPC namespace is not shared | ✔️ |
5.15 | Ensure the host's process namespace is not shared | ✔️ |
5.9 | Ensure the host's network namespace is not shared | ✔️ |
5.5 | Ensure sensitive host system directories are not mounted on containers | ✔️ |
5.22 | Ensure docker exec commands are not used with privileged option | ? |
5.18 | Ensure the default ulimit is overwritten at runtime, only if needed | ? |
5.14 | Ensure 'on-failure' container restart policy is set to '5' | ? |
5.10 | Ensure memory usage for container is limited | ❌ |
5.7 | Ensure privileged ports are not mapped within containers | ✔️ |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | ✔️ |
5.1 | Ensure AppArmor Profile is Enabled | ? |
5.27 | Ensure docker commands always get the latest version of the image | ? |
5.23 | Ensure docker exec commands are not used with user option | ? |
5.4 | Ensure privileged containers are not used | ✔️ |
5.30 | Ensure the host's user namespaces is not shared | ? |
5.29 | Ensure Docker's default bridge docker0 is not used | ? |
5.31 | Ensure the Docker socket is not mounted inside any containers | ✔️ |
✅ OS Packages Safe
❌ Pip Packages Safe
No vulnerable os packages found
Total of 12 vulnerable pip packages found
Package numpy needs to satisfy this version requirement <= 1.16.0
Package astropy needs to satisfy this version requirement < 3.0.1
Package cryptography needs to satisfy this version requirement >= 2.3
Package requests needs to satisfy this version requirement <= 2.19.1
Package pyOpenSSL needs to satisfy this version requirement < 17.5.0
Package urllib3 needs to satisfy this version requirement < 1.23
Package bleach needs to satisfy this version requirement < 2.1
Package bokeh needs to satisfy this version requirement < 1.0.4
Package Flask needs to satisfy this version requirement < 0.12.3
Package mistune needs to satisfy this version requirement < 0.8.1
Package pycrypto needs to satisfy this version requirement <= 2.6.1
Package Django needs to satisfy this version requirement >= 1.8.15
Recommended update : <= 1.16.0
1. Affected Versions : <=1.16.0
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 3.0.1
1. Affected Versions : <3.0.1
astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : >= 2.3
1. Affected Versions : >=1.9.0,<2.3
python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : <= 2.19.1
1. Affected Versions : <=2.19.1
The Requests package before 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 17.5.0
1. Affected Versions : <17.5.0
Python Cryptographic Authority pyOpenSSL before 17.5.0 contains a CWE-416 (Use After Free) vulnerability in X509 object handling that can lead to possible denial of service or remote code execution. Exploitability depends on the calling application and whether it retains a reference to the memory. This vulnerability appears to have been fixed in 17.5.0.
2. Affected Versions : <17.5.0
Python Cryptographic Authority pyOpenSSL before 17.5.0 contains a CWE-401 (Failure to Release Memory Before Removing Last Reference) vulnerability in the PKCS #12 store that can result in denial of service if memory runs low or is exhausted.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 1.23
1. Affected Versions : <1.23
urllib3 before 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 2.1
1. Affected Versions : <2.1
bleach 2.1 converts control characters (backspace in particular) to "?", preventing malicious copy-and-paste situations.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 1.0.4
1. Affected Versions : <1.0.4
bokeh before 1.0.4 used a PyYAML version that was vulnerable to CVE-2017-18342.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 0.12.3
1. Affected Versions : <0.12.3
Flask before 0.12.3 contains a CWE-20 (Improper Input Validation) vulnerability that can result in a large amount of memory usage, possibly leading to denial of service, when an attacker provides JSON data in an incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : < 0.8.1
1. Affected Versions : <0.8.1
mistune before 0.8.1 has a cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py which allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : <= 2.6.1
1. Affected Versions : <=2.6.1
Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available
Recommended update : >= 1.8.15
1. Affected Versions : <1.2.2
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
2. Affected Versions : <1.2.7
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
3. Affected Versions : <1.2.7
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
4. Affected Versions : <1.2.7
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
5. Affected Versions : <1.2.7
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
6. Affected Versions : <1.3.2
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
7. Affected Versions : <1.3.2
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
8. Affected Versions : <1.3.2
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
9. Affected Versions : <1.3.4
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
10. Affected Versions : <1.4.18
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
11. Affected Versions : <1.4.18
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
12. Affected Versions : <1.4.18
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
13. Affected Versions : <1.4.20
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
14. Affected Versions : <1.7.11
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
15. Affected Versions : <1.7.6
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
16. Affected Versions : <1.8.10
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
17. Affected Versions : <1.8.10
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
18. Affected Versions : <1.8.15
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
19. Affected Versions : >=1.2,<1.2.4
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
20. Affected Versions : >=1.2,<1.2.4
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
21. Affected Versions : >=1.2,<1.2.5
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
22. Affected Versions : >=1.2,<1.2.5
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
OSSC Compliant:
Last Reviewed License Version: Not Available
Pedigree Reviewed:
Last Reviewed Pedigree Version: Not Available