diff --git a/requirements.in.txt b/requirements.in.txt
index ffc48e8f..d492434d 100644
--- a/requirements.in.txt
+++ b/requirements.in.txt
@@ -84,6 +84,6 @@ setuptools>=65.5.1,!=68.1.*,!=68.2.*,!=69.0.*
 importlib-resources<6.0
 gevent>=23.9.0
 urllib3~=1.26.17
-cryptography>=41.0.6
 pip>=23.3
 jinja2>=3.1.3
+cryptography>=42.0.2
diff --git a/requirements.txt b/requirements.txt
index 7e091c0f..273f9433 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,8 +5,8 @@ Babel==2.10.3
 Beaker==1.11.0
 bleach==5.0.1
 blinker==1.5
-boto3==1.34.23
-botocore==1.34.23
+boto3==1.34.32
+botocore==1.34.32
 certifi==2023.11.17
 cffi==1.16.0
 chardet==5.2.0
@@ -19,10 +19,10 @@ ckanext-googleanalyticsbasic==0.2.1
 ckanext-s3filestore @ git+https://github.com/keitaroinc/ckanext-s3filestore.git@caf88c0352ffe7b4432d3d55ddfb0a71249ceddd
 ckanext-saml2auth @ git+https://github.com/GSA/ckanext-saml2auth.git@4d59366423ed965ba86a7b85547a6bd9f4351869
 ckanext-usmetadata==0.3.2
--e git+https://github.com/ckan/ckanext-xloader.git@16b84175005435d579607638dfe2056dda61af70#egg=ckanext_xloader
+-e git+https://github.com/ckan/ckanext-xloader.git@58be9beaf414a6449d34da3ae948286b695b74a5#egg=ckanext_xloader
 ckantoolkit==0.0.7
 click==8.1.3
-cryptography==41.0.7
+cryptography==42.0.2
 defusedxml==0.7.1
 dominate==2.7.0
 elementpath==4.1.5
@@ -48,13 +48,13 @@ jsonlines==4.0.0
 jsonschema==2.4.0
 linear-tsv==1.1.0
 lxml==4.9.1
-Mako==1.3.0
+Mako==1.3.2
 Markdown==3.4.1
 MarkupSafe==2.0.1
 messytables==0.15.2
 mypy==1.8.0
 mypy-extensions==1.0.0
-newrelic==9.5.0
+newrelic==9.6.0
 nose==1.3.7
 openpyxl==3.1.2
 packaging==23.2
@@ -66,12 +66,12 @@ polib==1.1.1
 psycopg2==2.9.3
 pycparser==2.21
 PyJWT==2.4.0
-pyOpenSSL==23.3.0
+pyOpenSSL==24.0.0
 pysaml2==7.0.1
 pysolr==3.9.0
 python-dateutil==2.8.2
 python-magic==0.4.27
-pytz==2023.3.post1
+pytz==2023.4
 pytz-deprecation-shim==0.1.0.post0
 PyUtilib==6.0.0
 PyYAML==6.0
diff --git a/scan.json b/scan.json
new file mode 100644
index 00000000..79ece564
--- /dev/null
+++ b/scan.json
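Review bot: The `cryptography==42.0.2` and `pyOpenSSL==24.0.0` pins in the requirements.txt hunks at @@ -19 and @@ -66 should be paired with a cleanup of the `.snyk` policy, which (as reproduced in the scan.json added by this same commit) still ignores SNYK-PYTHON-CRYPTOGRAPHY-6050294/6126975/6149518/6157248 and SNYK-PYTHON-PYOPENSSL-6149520/6157250 on the grounds "No remediation available yet". If the new versions fix any of those advisories the ignore entries are dead weight that merely expire between February and April; if one is still open, a blanket `'*'` ignore keeps masking it, so re-run `snyk test` against the new pins and delete the entries that no longer fire. Note that the committed scan.json still reports `cryptography@41.0.7` reached via `pyopenssl@23.3.0` and `pysaml2@7.0.1`, so it predates these pins and cannot be used as evidence that the upgrade closed anything; it reads like captured CLI output that should not be checked in. `pysaml2==7.0.1` is left unchanged and also depends on cryptography, so confirm it tolerates the 42.x major bump before merging.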
@@ -0,0 +1,7412 @@ +{ + "vulnerabilities": [ + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7" + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + 
"severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7" + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + 
"language": "python", + "severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7" + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + 
"language": "python", + "severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7" + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": 
null + }, + "language": "python", + "severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7" + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + 
"triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7" + } + ], + "ok": false, + "dependencyCount": 108, + "org": "data.gov", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-PYTHON-WERKZEUG-6035177:\n - '*':\n 
reason: >-\n Upgrade path is complex, Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4217\n expires: 2024-03-31T13:35:17.967Z\n created: 2023-11-01T13:35:17.972Z\n source: cli\n SNYK-PYTHON-BEAKER-575115:\n - '*':\n reason: >-\n No remediation available yet; Not affecting us since the storage is\n not accessible to any other client\n expires: 2024-03-30T16:20:58.017Z\n created: 2022-12-08T16:20:58.023Z\n source: cli\n SNYK-PYTHON-WERKZEUG-3319936:\n - '*':\n reason: >-\n Upgrade path is complex, Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4217\n expires: 2024-03-01T16:20:58.017Z\n created: 2023-02-15T16:20:58.023Z\n source: cli\n SNYK-PYTHON-WERKZEUG-3319935:\n - '*':\n reason: >-\n Upgrade path is complex, Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4217\n expires: 2024-03-01T16:20:58.017Z\n created: 2023-02-15T16:20:58.023Z\n source: cli\n SNYK-PYTHON-FLASK-5490129:\n - '*':\n reason: >-\n Upgrade path is complex, Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4303\n expires: 2024-03-01T16:20:58.017Z\n created: 2023-05-08T16:20:58.023Z\n source: cli\n SNYK-PYTHON-WERKZEUG-6041510:\n - '*':\n reason: >-\n Upgrade path is complex, Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4217\n expires: 2024-03-31T16:44:37.234Z\n created: 2023-11-01T16:44:37.239Z\n source: cli\n SNYK-PYTHON-CRYPTOGRAPHY-6050294:\n - '*':\n reason: >-\n No remediation available yet; Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4532\n expires: 2024-02-08T00:00:00.000Z\n created: 2023-11-16T20:31:20.590Z\n source: cli\n SNYK-PYTHON-CKAN-6124881:\n - '*':\n reason: >-\n Remediation blocked by CKAN upgrade to 2.10.3:\n https://github.com/GSA/data.gov/issues/4571\n expires: 2024-03-14T00:00:00.000Z\n created: 2023-12-14T00:00:00.000Z\n source: cli\n SNYK-PYTHON-CRYPTOGRAPHY-6126975:\n - '*':\n reason: >-\n No remediation available yet; Issue tracked in github:\n 
https://github.com/GSA/data.gov/issues/4532\n expires: 2024-03-14T00:00:00.000Z\n created: 2023-12-14T00:00:00.000Z\n source: cli\n SNYK-PYTHON-CRYPTOGRAPHY-6149518:\n - '*':\n reason: >-\n No remediation available yet; Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4532\n expires: 2024-04-10T19:28:50.100Z\n created: 2024-01-11T19:28:50.103Z\n source: cli\n SNYK-PYTHON-PYOPENSSL-6149520:\n - '*':\n reason: >-\n No remediation available yet; Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4532\n expires: 2024-04-10T19:29:54.032Z\n created: 2024-01-11T19:29:54.039Z\n source: cli\n SNYK-PYTHON-PYOPENSSL-6157250:\n - '*':\n reason: >-\n No remediation available yet; Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4591\n expires: 2024-04-10T19:29:54.032Z\n source: cli\n SNYK-PYTHON-CRYPTOGRAPHY-6157248:\n - '*':\n reason: >-\n No remediation available yet; Issue tracked in github:\n https://github.com/GSA/data.gov/issues/4590\n expires: 2024-04-10T19:29:54.032Z\n source: cli\npatch: {}\nexclude:\n global:\n - requirements-dev.txt\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + 
"severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "pip", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "64 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "title": "NULL Pointer Dereference", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Bahaa Naamneh" + ], + "semver": { + "vulnerable": [ + "[,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 3.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362", + "title": "GitHub PR" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt", + "title": "OpenSSL Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 3.3, + "modificationTime": "2024-01-25T13:59:48.995274Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. 
An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2024-0727" + ], + "CWE": [ + "CWE-476" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-31T11:24:15.556076Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-22T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-31T17:09:40.537426Z", + "modificationTime": "2024-01-31T17:09:40.537723Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": true, + "isRuntime": false, + "name": "cryptography", + "version": "41.0.7", + "severityWithCritical": "low" + } + ], + "upgrade": {}, + "patch": {}, + "ignore": {}, + "pin": { + "cryptography@41.0.7": { + "upgradeTo": "cryptography@42.0.2", + "vulns": [ + "SNYK-PYTHON-CRYPTOGRAPHY-6210214" + ], + "isTransitive": false + } + } + }, + "filesystemPolicy": 
true, + "filtered": { + "ignore": [ + { + "id": "SNYK-PYTHON-BEAKER-575115", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Matheus Bratfisch" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "beaker", + "references": [ + { + "url": "https://github.com/bbangert/beaker/issues/191", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.8, + "modificationTime": "2022-01-03T17:39:06.286361Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", + "cvssV3BaseScore": 5.7, + "modificationTime": "2022-10-25T14:23:51.225232Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which could lead to arbitrary code execution.\n## Remediation\nThere is no fixed version for `Beaker`.\n## References\n- [GitHub Issue](https://github.com/bbangert/beaker/issues/191)\n", + "epssDetails": { + "percentile": "0.12815", + "probability": "0.00045", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2013-7489" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "beaker", + "proprietary": false, + "creationTime": "2020-07-01T15:53:02.903673Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-07-01T15:48:38Z", + "packageManager": "pip", + "publicationTime": "2020-07-01T16:02:51.973144Z", + "modificationTime": "2022-10-25T14:23:51.225232Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + 
"inventory-app@0.0.0", + "beaker@1.11.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "beaker", + "version": "1.11.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Not affecting us since the storage is not accessible to any other client", + "expires": "2024-03-30T16:20:58.017Z", + "created": "2022-12-08T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CKAN-6124881", + "title": "Improper Handling of Length Parameter Inconsistency", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", + "credit": [ + "thorge" + ], + "semver": { + "vulnerable": [ + "[2.0,2.9.10)", + "[2.10.0,2.10.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10", + "2.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 4.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "ckan", + "references": [ + { + "url": "https://github.com/ckan/ckan/commit/bd02018b65c5b81d7ede195d00d0fcbac3aa33be", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2023-12-19T01:11:17.174142Z" + } + ], + "description": "## Overview\n[ckan](https://pypi.org/project/ckan/) is a world’s leading Open Source data portal platform.\r\n\r\nIt powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.\r\n\r\nIt makes easy to publish, share and find data online and is fully customizable via extensions and plugins.\n\nAffected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the `/dataset/new` endpoint when submitting a POST request with a specially-crafted 
field. An attacker can create an out-of-memory error on the hosting server by submitting a malicious payload.\n\n**Note:**\nThis is only exploitable if the user has permissions to create or edit datasets.\n## Remediation\nUpgrade `ckan` to version 2.9.10, 2.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/ckan/ckan/commit/bd02018b65c5b81d7ede195d00d0fcbac3aa33be)\n", + "epssDetails": { + "percentile": "0.06914", + "probability": "0.00043", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-50248" + ], + "CWE": [ + "CWE-130" + ], + "GHSA": [ + "GHSA-7fgc-89cx-w8j5" + ] + }, + "packageName": "ckan", + "proprietary": false, + "creationTime": "2023-12-14T10:32:26.667303Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-13T23:08:35Z", + "packageManager": "pip", + "publicationTime": "2023-12-14T10:32:26.872898Z", + "modificationTime": "2023-12-19T01:11:17.174142Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckan@2.10.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ckan", + "version": "2.10.1", + "filtered": { + "ignored": [ + { + "reason": "Remediation blocked by CKAN upgrade to 2.10.3: https://github.com/GSA/data.gov/issues/4571", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "David Benjamin" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + 
"references": [ + { + "url": "https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248616", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. 
Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n", + "epssDetails": { + "percentile": "0.33049", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-11-08T11:10:10.146402Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-24T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2023-11-08T15:16:15.075620Z", + "modificationTime": "2024-01-26T12:43:37.247062Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-02-08T00:00:00.000Z", + "created": "2023-11-16T20:31:20.590Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "title": "Information Exposure", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "tomato42" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/pyca/cryptography/issues/9785%23issuecomment-1856209406", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-12-14T13:49:17.282203Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-50782" + ], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-12-15T07:18:28.035469Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-14T16:58:05Z", + "packageManager": "pip", + "publicationTime": "2023-12-15T07:18:28.271359Z", + "modificationTime": "2024-01-26T12:41:42.633821Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "cryptography@41.0.7" + ], + 
"upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + "severity": "medium", + 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.004287Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + "publicationTime": 
"2024-01-10T15:08:56.822931Z", + "modificationTime": "2024-01-31T11:32:14.163468Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:28:50.100Z", + "created": "2024-01-11T19:28:50.103Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": 
"medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-16T07:48:32.299571Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-16T10:17:35.692584Z", + 
"modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4590", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "David Benjamin" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248616", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + 
"modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. 
Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n", + "epssDetails": { + "percentile": "0.33049", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-11-08T11:10:10.146402Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-24T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2023-11-08T15:16:15.075620Z", + "modificationTime": "2024-01-26T12:43:37.247062Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-02-08T00:00:00.000Z", + "created": "2023-11-16T20:31:20.590Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "title": "Information Exposure", + 
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "tomato42" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/pyca/cryptography/issues/9785%23issuecomment-1856209406", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-12-14T13:49:17.282203Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-50782" + ], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-12-15T07:18:28.035469Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-14T16:58:05Z", + "packageManager": "pip", + "publicationTime": "2023-12-15T07:18:28.271359Z", + "modificationTime": "2024-01-26T12:41:42.633821Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0", + 
"cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + 
"severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.004287Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + 
"publicationTime": "2024-01-10T15:08:56.822931Z", + "modificationTime": "2024-01-31T11:32:14.163468Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:28:50.100Z", + "created": "2024-01-11T19:28:50.103Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + 
"assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-16T07:48:32.299571Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": 
"2024-01-16T10:17:35.692584Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4590", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "David Benjamin" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248616", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. 
Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n", + "epssDetails": { + "percentile": "0.33049", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-11-08T11:10:10.146402Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-24T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2023-11-08T15:16:15.075620Z", + "modificationTime": "2024-01-26T12:43:37.247062Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-02-08T00:00:00.000Z", + "created": "2023-11-16T20:31:20.590Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "title": "Information Exposure", + 
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "tomato42" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/pyca/cryptography/issues/9785%23issuecomment-1856209406", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-12-14T13:49:17.282203Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-50782" + ], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-12-15T07:18:28.035469Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-14T16:58:05Z", + "packageManager": "pip", + "publicationTime": "2023-12-15T07:18:28.271359Z", + "modificationTime": "2024-01-26T12:41:42.633821Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + 
"cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + 
"severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.004287Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + 
"publicationTime": "2024-01-10T15:08:56.822931Z", + "modificationTime": "2024-01-31T11:32:14.163468Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:28:50.100Z", + "created": "2024-01-11T19:28:50.103Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + 
"assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-16T07:48:32.299571Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": 
"2024-01-16T10:17:35.692584Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4590", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "David Benjamin" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248616", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. 
Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n", + "epssDetails": { + "percentile": "0.33049", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-11-08T11:10:10.146402Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-24T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2023-11-08T15:16:15.075620Z", + "modificationTime": "2024-01-26T12:43:37.247062Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-02-08T00:00:00.000Z", + "created": "2023-11-16T20:31:20.590Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "title": 
"Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "tomato42" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/pyca/cryptography/issues/9785%23issuecomment-1856209406", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-12-14T13:49:17.282203Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-50782" + ], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-12-15T07:18:28.035469Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-14T16:58:05Z", + "packageManager": "pip", + "publicationTime": "2023-12-15T07:18:28.271359Z", + "modificationTime": "2024-01-26T12:41:42.633821Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + 
"pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" 
+ }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.004287Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + 
"packageManager": "pip", + "publicationTime": "2024-01-10T15:08:56.822931Z", + "modificationTime": "2024-01-31T11:32:14.163468Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:28:50.100Z", + "created": "2024-01-11T19:28:50.103Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat 
Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-16T07:48:32.299571Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", 
+ "packageManager": "pip", + "publicationTime": "2024-01-16T10:17:35.692584Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4590", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "David Benjamin" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248616", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + 
"severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. 
Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n", + "epssDetails": { + "percentile": "0.33049", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-11-08T11:10:10.146402Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-24T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2023-11-08T15:16:15.075620Z", + "modificationTime": "2024-01-26T12:43:37.247062Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-02-08T00:00:00.000Z", + "created": "2023-11-16T20:31:20.590Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "title": 
"Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "tomato42" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/pyca/cryptography/issues/9785%23issuecomment-1856209406", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-12-14T13:49:17.282203Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-50782" + ], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-12-15T07:18:28.035469Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-14T16:58:05Z", + "packageManager": "pip", + "publicationTime": "2023-12-15T07:18:28.271359Z", + "modificationTime": "2024-01-26T12:41:42.633821Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + 
"ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": 
"2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.004287Z", + "functions_new": [], + "alternativeIds": [], + 
"disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-10T15:08:56.822931Z", + "modificationTime": "2024-01-31T11:32:14.163468Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:28:50.100Z", + "created": "2024-01-11T19:28:50.103Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-16T07:48:32.299571Z", + 
"functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-16T10:17:35.692584Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4590", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "David Benjamin" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248616", + "title": "RedHat Bugzilla Bug" + }, + { + "url": 
"https://www.openssl.org/news/secadv/20231106.txt", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-08T13:48:19.543999Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-11-22T01:10:47.412869Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-22T11:02:51.571843Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. 
Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n", + "epssDetails": { + "percentile": "0.33049", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5678" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-11-08T11:10:10.146402Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-24T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2023-11-08T15:16:15.075620Z", + "modificationTime": "2024-01-26T12:43:37.247062Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-02-08T00:00:00.000Z", + "created": "2023-11-16T20:31:20.590Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": 
"SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "tomato42" + ], + "semver": { + "vulnerable": [ + "[,42.0.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "42.0.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/pyca/cryptography/issues/9785%23issuecomment-1856209406", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2023-12-14T13:49:17.282203Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n## Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n## References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-50782" + ], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2023-12-15T07:18:28.035469Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-14T16:58:05Z", + "packageManager": "pip", + "publicationTime": "2023-12-15T07:18:28.271359Z", + "modificationTime": "2024-01-26T12:41:42.633821Z", + "socialTrendAlert": false, + "severityWithCritical": 
"medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-03-14T00:00:00.000Z", + "created": "2023-12-14T00:00:00.000Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", 
+ "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.004287Z", + 
"functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-10T15:08:56.822931Z", + "modificationTime": "2024-01-31T11:32:14.163468Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:28:50.100Z", + "created": "2024-01-11T19:28:50.103Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[35.0.0,42.0.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "42.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "cryptography", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + 
"title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. 
An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "cryptography", + "proprietary": false, + "creationTime": "2024-01-16T07:48:32.299571Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-16T10:17:35.692584Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0", + "cryptography@41.0.7" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "cryptography", + "version": "41.0.7", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4590", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-FLASK-5490129", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "Tom Most" + ], + "semver": { + "vulnerable": [ + "[,2.2.5)", + 
"[2.3.0,2.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.5", + "2.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "flask", + "references": [ + { + "url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/pull/5109", + "title": "GitHub PR" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.2.5", + "title": "GitHub Release" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.3.2", + "title": "GitHub Release" + }, + { + "url": "https://flask.palletsprojects.com/en/2.3.x/api/%23flask.session.permanent", + "title": "Session Cookie Documentation" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-10T13:10:17.914608Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-23T11:02:16.887375Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:37.921483Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure in the form of exposing the permanent session cookie, when all of the following conditions are met:\r\n\r\n1) The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\r\n\r\n2) The application sets 
`session.permanent = True`.\r\n\r\n3) The application does not access or modify the session at any point during a request.\r\n\r\n4) `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).\r\n\r\n5) The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nA response containing data intended for one client may be cached and sent to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. Under these conditions, the `Vary: Cookie` header is not set when a session is refreshed (re-sent to update the expiration) without being accessed or modified.\n## Remediation\nUpgrade `flask` to version 2.2.5, 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b)\n- [GitHub Commit](https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965)\n- [GitHub PR](https://github.com/pallets/flask/pull/5109)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.2.5)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.3.2)\n- [Session Cookie Documentation](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent)\n", + "epssDetails": { + "percentile": "0.40959", + "probability": "0.00100", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-30861" + ], + "CWE": [ + "CWE-200" + ], + "GHSA": [ + "GHSA-m2qf-hxjv-5gpq" + ] + }, + "packageName": "flask", + "proprietary": false, + "creationTime": "2023-05-02T05:56:52.780757Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-05-01T19:22:20Z", + "packageManager": "pip", + "publicationTime": "2023-05-02T07:57:54.707419Z", + "modificationTime": "2023-11-08T09:42:37.921483Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask@2.0.3" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "flask", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4303", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-05-08T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-FLASK-5490129", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "Tom Most" + ], + "semver": { + "vulnerable": [ + "[,2.2.5)", + "[2.3.0,2.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.5", + "2.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "flask", + "references": [ + { + "url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/pull/5109", + "title": "GitHub PR" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.2.5", + "title": "GitHub Release" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.3.2", + "title": "GitHub Release" + }, + { + "url": "https://flask.palletsprojects.com/en/2.3.x/api/%23flask.session.permanent", + "title": "Session Cookie Documentation" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-10T13:10:17.914608Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2023-05-23T11:02:16.887375Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:37.921483Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure in the form of exposing the permanent session cookie, when all of the following conditions are met:\r\n\r\n1) The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\r\n\r\n2) The application sets `session.permanent = True`.\r\n\r\n3) The application does not access or modify the session at any point during a request.\r\n\r\n4) `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).\r\n\r\n5) The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nA response containing data intended for one client may be cached and sent to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. 
Under these conditions, the `Vary: Cookie` header is not set when a session is refreshed (re-sent to update the expiration) without being accessed or modified.\n## Remediation\nUpgrade `flask` to version 2.2.5, 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b)\n- [GitHub Commit](https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965)\n- [GitHub PR](https://github.com/pallets/flask/pull/5109)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.2.5)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.3.2)\n- [Session Cookie Documentation](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent)\n", + "epssDetails": { + "percentile": "0.40959", + "probability": "0.00100", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-30861" + ], + "CWE": [ + "CWE-200" + ], + "GHSA": [ + "GHSA-m2qf-hxjv-5gpq" + ] + }, + "packageName": "flask", + "proprietary": false, + "creationTime": "2023-05-02T05:56:52.780757Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-05-01T19:22:20Z", + "packageManager": "pip", + "publicationTime": "2023-05-02T07:57:54.707419Z", + "modificationTime": "2023-11-08T09:42:37.921483Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-babel@1.0.0", + "flask@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "flask", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4303", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-05-08T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-FLASK-5490129", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + 
"credit": [ + "Tom Most" + ], + "semver": { + "vulnerable": [ + "[,2.2.5)", + "[2.3.0,2.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.5", + "2.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "flask", + "references": [ + { + "url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/pull/5109", + "title": "GitHub PR" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.2.5", + "title": "GitHub Release" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.3.2", + "title": "GitHub Release" + }, + { + "url": "https://flask.palletsprojects.com/en/2.3.x/api/%23flask.session.permanent", + "title": "Session Cookie Documentation" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-10T13:10:17.914608Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-23T11:02:16.887375Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:37.921483Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure in the form of exposing the permanent session cookie, when all of the following conditions are met:\r\n\r\n1) The application is hosted behind a caching proxy that does not strip 
cookies or ignore responses with cookies.\r\n\r\n2) The application sets `session.permanent = True`.\r\n\r\n3) The application does not access or modify the session at any point during a request.\r\n\r\n4) `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).\r\n\r\n5) The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nA response containing data intended for one client may be cached and sent to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. Under these conditions, the `Vary: Cookie` header is not set when a session is refreshed (re-sent to update the expiration) without being accessed or modified.\n## Remediation\nUpgrade `flask` to version 2.2.5, 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b)\n- [GitHub Commit](https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965)\n- [GitHub PR](https://github.com/pallets/flask/pull/5109)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.2.5)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.3.2)\n- [Session Cookie Documentation](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent)\n", + "epssDetails": { + "percentile": "0.40959", + "probability": "0.00100", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-30861" + ], + "CWE": [ + "CWE-200" + ], + "GHSA": [ + "GHSA-m2qf-hxjv-5gpq" + ] + }, + "packageName": "flask", + "proprietary": false, + "creationTime": "2023-05-02T05:56:52.780757Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-05-01T19:22:20Z", + "packageManager": "pip", + "publicationTime": "2023-05-02T07:57:54.707419Z", + "modificationTime": "2023-11-08T09:42:37.921483Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"inventory-app@0.0.0", + "flask-login@0.6.1", + "flask@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "flask", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4303", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-05-08T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-FLASK-5490129", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "Tom Most" + ], + "semver": { + "vulnerable": [ + "[,2.2.5)", + "[2.3.0,2.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.5", + "2.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "flask", + "references": [ + { + "url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/pull/5109", + "title": "GitHub PR" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.2.5", + "title": "GitHub Release" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.3.2", + "title": "GitHub Release" + }, + { + "url": "https://flask.palletsprojects.com/en/2.3.x/api/%23flask.session.permanent", + "title": "Session Cookie Documentation" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-10T13:10:17.914608Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-23T11:02:16.887375Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:37.921483Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure in the form of exposing the permanent session cookie, when all of the following conditions are met:\r\n\r\n1) The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\r\n\r\n2) The application sets `session.permanent = True`.\r\n\r\n3) The application does not access or modify the session at any point during a request.\r\n\r\n4) `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).\r\n\r\n5) The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nA response containing data intended for one client may be cached and sent to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. 
Under these conditions, the `Vary: Cookie` header is not set when a session is refreshed (re-sent to update the expiration) without being accessed or modified.\n## Remediation\nUpgrade `flask` to version 2.2.5, 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b)\n- [GitHub Commit](https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965)\n- [GitHub PR](https://github.com/pallets/flask/pull/5109)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.2.5)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.3.2)\n- [Session Cookie Documentation](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent)\n", + "epssDetails": { + "percentile": "0.40959", + "probability": "0.00100", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-30861" + ], + "CWE": [ + "CWE-200" + ], + "GHSA": [ + "GHSA-m2qf-hxjv-5gpq" + ] + }, + "packageName": "flask", + "proprietary": false, + "creationTime": "2023-05-02T05:56:52.780757Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-05-01T19:22:20Z", + "packageManager": "pip", + "publicationTime": "2023-05-02T07:57:54.707419Z", + "modificationTime": "2023-11-08T09:42:37.921483Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-multistatic@1.0", + "flask@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "flask", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4303", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-05-08T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-FLASK-5490129", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 
+ "credit": [ + "Tom Most" + ], + "semver": { + "vulnerable": [ + "[,2.2.5)", + "[2.3.0,2.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.5", + "2.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "flask", + "references": [ + { + "url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/flask/pull/5109", + "title": "GitHub PR" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.2.5", + "title": "GitHub Release" + }, + { + "url": "https://github.com/pallets/flask/releases/tag/2.3.2", + "title": "GitHub Release" + }, + { + "url": "https://flask.palletsprojects.com/en/2.3.x/api/%23flask.session.permanent", + "title": "Session Cookie Documentation" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-10T13:10:17.914608Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-23T11:02:16.887375Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:37.921483Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure in the form of exposing the permanent session cookie, when all of the following conditions are met:\r\n\r\n1) The application is hosted behind a caching proxy that does not strip 
cookies or ignore responses with cookies.\r\n\r\n2) The application sets `session.permanent = True`.\r\n\r\n3) The application does not access or modify the session at any point during a request.\r\n\r\n4) `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).\r\n\r\n5) The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nA response containing data intended for one client may be cached and sent to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. Under these conditions, the `Vary: Cookie` header is not set when a session is refreshed (re-sent to update the expiration) without being accessed or modified.\n## Remediation\nUpgrade `flask` to version 2.2.5, 2.3.2 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b)\n- [GitHub Commit](https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965)\n- [GitHub PR](https://github.com/pallets/flask/pull/5109)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.2.5)\n- [GitHub Release](https://github.com/pallets/flask/releases/tag/2.3.2)\n- [Session Cookie Documentation](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent)\n", + "epssDetails": { + "percentile": "0.40959", + "probability": "0.00100", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-30861" + ], + "CWE": [ + "CWE-200" + ], + "GHSA": [ + "GHSA-m2qf-hxjv-5gpq" + ] + }, + "packageName": "flask", + "proprietary": false, + "creationTime": "2023-05-02T05:56:52.780757Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-05-01T19:22:20Z", + "packageManager": "pip", + "publicationTime": "2023-05-02T07:57:54.707419Z", + "modificationTime": "2023-11-08T09:42:37.921483Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"inventory-app@0.0.0", + "flask-wtf@1.0.1", + "flask@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "flask", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4303", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-05-08T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-PYOPENSSL-6149520", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[22.0.0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "pyopenssl", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + 
"severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nThere is no fixed version for `pyOpenSSL`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "pyopenssl", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.598360Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + "publicationTime": 
"2024-01-10T15:08:56.516899Z", + "modificationTime": "2024-01-31T11:32:13.984369Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "pyopenssl", + "version": "23.3.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:29:54.032Z", + "created": "2024-01-11T19:29:54.039Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-PYOPENSSL-6157250", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[22.0.0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "pyopenssl", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nThere is no fixed version for `pyopenssl`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "pyopenssl", + "proprietary": false, + "creationTime": "2024-01-16T07:48:33.039346Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-16T10:17:36.325521Z", + "modificationTime": 
"2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pyopenssl@23.3.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "pyopenssl", + "version": "23.3.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4591", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-PYOPENSSL-6149520", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[22.0.0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "pyopenssl", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": 
"2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nThere is no fixed version for `pyOpenSSL`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "pyopenssl", + "proprietary": false, + "creationTime": "2024-01-10T13:39:49.598360Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": 
"2024-01-09T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-10T15:08:56.516899Z", + "modificationTime": "2024-01-31T11:32:13.984369Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "pyopenssl", + "version": "23.3.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:29:54.032Z", + "created": "2024-01-11T19:29:54.039Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-PYOPENSSL-6157250", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[22.0.0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "pyopenssl", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + 
"cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nThere is no fixed version for `pyopenssl`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "pyopenssl", + "proprietary": false, + "creationTime": "2024-01-16T07:48:33.039346Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + 
"publicationTime": "2024-01-16T10:17:36.325521Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "pyopenssl", + "version": "23.3.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4591", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-PYOPENSSL-6149520", + "title": "Use of a Broken or Risky Cryptographic Algorithm", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Sverker Eriksson" + ], + "semver": { + "vulnerable": [ + "[22.0.0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "pyopenssl", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt", + "title": "OpenSSL Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257571", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-23T11:03:54.062787Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-24T01:11:18.316654Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-01-25T13:32:21.064625Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n## Remediation\nThere is no fixed version for `pyOpenSSL`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n", + "epssDetails": { + "percentile": "0.26298", + "probability": "0.00064", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-6129" + ], + "CWE": [ + "CWE-328" + ] + }, + "packageName": "pyopenssl", + "proprietary": false, + "creationTime": 
"2024-01-10T13:39:49.598360Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-09T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-10T15:08:56.516899Z", + "modificationTime": "2024-01-31T11:32:13.984369Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "pyopenssl", + "version": "23.3.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4532", + "expires": "2024-04-10T19:29:54.032Z", + "created": "2024-01-11T19:29:54.039Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-PYOPENSSL-6157250", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "OSS-Fuzz" + ], + "semver": { + "vulnerable": [ + "[22.0.0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "pyopenssl", + "references": [ + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc", + "title": "GitHub Commit" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt", + "title": "OpenSSL 
Advisory" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-16T13:32:46.781382Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-01-23T11:03:54.426940Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. 
An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nThere is no fixed version for `pyopenssl`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-6237" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "pyopenssl", + "proprietary": false, + "creationTime": "2024-01-16T07:48:33.039346Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-15T00:00:00Z", + "packageManager": "pip", + "publicationTime": "2024-01-16T10:17:36.325521Z", + "modificationTime": "2024-01-31T11:32:46.343597Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "ckanext-saml2auth@1.3.0", + "pysaml2@7.0.1", + "pyopenssl@23.3.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "pyopenssl", + "version": "23.3.0", + "filtered": { + "ignored": [ + { + "reason": "No remediation available yet; Issue tracked in github: https://github.com/GSA/data.gov/issues/4591", + "expires": "2024-04-10T19:29:54.032Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not 
Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", 
+ "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": 
false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" 
+ ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + 
"moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + 
"isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], + "semver": { + 
"vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "flask-login@0.6.1", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + 
"moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-login@0.6.1", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": 
false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "flask-login@0.6.1", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], + "semver": { + 
"vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "flask-babel@1.0.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + 
"isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-babel@1.0.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "flask-babel@1.0.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], + 
"semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "flask-login@0.6.1", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + 
"isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-login@0.6.1", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "flask-login@0.6.1", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], + 
"semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "flask-multistatic@1.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + 
"isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-multistatic@1.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], 
+ "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "flask-multistatic@1.0", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Marco Squarcina" + ], 
+ "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "low", + "cvssScore": 2.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.5, + "modificationTime": "2023-02-24T01:10:17.823712Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 2.6, + "modificationTime": "2023-11-08T09:43:38.338871Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. 
For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.14431", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-23934" + ], + "CWE": [ + "CWE-284" + ], + "GHSA": [ + "GHSA-px8h-6qxv-m22q" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:00:54.002181Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:37:04Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:22:04.062534Z", + "modificationTime": "2023-11-08T09:43:38.338871Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "inventory-app@0.0.0", + "flask-wtf@1.0.1", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[,2.2.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + 
"isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/releases/tag/2.2.3", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-02-24T01:10:17.734628Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T11:03:40.768284Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:42:47.858361Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n", + "epssDetails": { + "percentile": "0.23422", + "probability": "0.00059", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-25577" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-xg9f-g7g7-2323" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-02-15T09:07:54.915104Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-15T08:36:53Z", + "packageManager": "pip", + "publicationTime": "2023-02-15T09:23:26.929186Z", + "modificationTime": "2023-11-08T09:42:47.858361Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "inventory-app@0.0.0", + "flask-wtf@1.0.1", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-01T16:20:58.017Z", + "created": "2023-02-15T16:20:58.023Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "title": "Inefficient Algorithmic Complexity", + "CVSSv3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Paweł Srokosz" + ], + "semver": { + "vulnerable": [ + "[,2.3.8)", + "[3.0.0,3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8", + "3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "python", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "werkzeug", + "references": [ + { + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-01T11:06:21.611437Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-02T01:10:54.852387Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-11-08T09:43:51.445258Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. 
An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n## Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n", + "epssDetails": { + "percentile": "0.14317", + "probability": "0.00046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-46136" + ], + "CWE": [ + "CWE-407" + ], + "GHSA": [ + "GHSA-hrfv-mqp8-q5rw" + ] + }, + "packageName": "werkzeug", + "proprietary": false, + "creationTime": "2023-10-25T22:30:29.895488Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-10-25T17:47:19Z", + "packageManager": "pip", + "publicationTime": "2023-10-26T08:50:03.628406Z", + "modificationTime": "2023-11-09T07:54:15.421506Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "inventory-app@0.0.0", + "flask-wtf@1.0.1", + "flask@2.0.3", + "werkzeug@2.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "werkzeug", + "version": "2.0.3", + "filtered": { + "ignored": [ + { + "reason": "Upgrade path is complex, Issue tracked in github: https://github.com/GSA/data.gov/issues/4217", + "expires": "2024-03-31T13:35:17.967Z", + "created": "2023-11-01T13:35:17.972Z", + "source": "cli", + "path": [ + "*" + ] + } + ] + } + } + ], + "patch": [] + }, + "uniqueCount": 1, + "projectName": "inventory-app", + "foundProjectCount": 2, + "displayTargetFile": "requirements.txt", + "hasUnknownVersions": false, + "path": 
"/home/runner/work/inventory-app/inventory-app" +}