diff --git a/components/producers/snyk-docker/task.yaml b/components/producers/snyk-docker/task.yaml index 0e70232af..ddb843cc9 100644 --- a/components/producers/snyk-docker/task.yaml +++ b/components/producers/snyk-docker/task.yaml @@ -29,11 +29,18 @@ spec: image: 'snyk/snyk:docker' script: | - set +xe - echo "authenticating to snyk" + #!/bin/sh + set -x + set +e + echo "authenticating to snyk!" snyk auth $(params.producer-snyk-docker-api-key) + echo "running snyk container test" - snyk container test --sarif-file=/scratch/snyk.out --docker $(params.producer-snyk-docker-image) + snyk container test \ + --sarif-file-output=/scratch/snyk.out \ + --docker \ + $(params.producer-snyk-docker-image) + exitCode=$? if [[ $exitCode -ne 0 && $exitCode -ne 1 ]]; then echo "Snyk failed with exit code $exitCode" @@ -47,8 +54,8 @@ spec: - name: produce-issues imagePullPolicy: IfNotPresent - image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/snyk:{{ .Chart.AppVersion }}' - command: ["/app/components/producers/snyk/snyk-parser"] + image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/snyk-docker:{{ .Chart.AppVersion }}' + command: ["/app/components/producers/snyk-docker/snyk-docker-parser"] args: - "-in=/scratch/snyk.out" - "-out=$(workspaces.output.path)/.dracon/producers/snyk.pb" diff --git a/components/producers/snyk-python/exampleData/snyk-python-out.pb b/components/producers/snyk-python/exampleData/snyk-python-out.pb new file mode 100644 index 000000000..4f2027b57 --- /dev/null +++ b/components/producers/snyk-python/exampleData/snyk-python-out.pb @@ -0,0 +1,132 @@ + + ۷snyk +requirements.txt:1-1SNYK-PYTHON-CERTIFI-5805047YThis file introduces a vulnerable certifi package with a critical severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CERTIFI-5805047","shortDescription":{"text":"Critical severity - Improper Following of a Certificate's Chain of Trust vulnerability in certifi"},"fullDescription":{"text":"(CVE-2023-37920) certifi@2022.12.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: certifi\n* Introduced through: pygoat@0.0.0 and certifi@2022.12.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › certifi@2022.12.7\n# Overview\n\nAffected versions of this package are vulnerable to Improper Following of a Certificate's Chain of Trust. E-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found [here](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A).\r\n\r\n**Note:**\r\n\r\nThis issue is not an inherent vulnerability in the package, but a security measure against potential harmful effects of trusting the now-revoked root certificates.\n# Remediation\nUpgrade `certifi` to version 2023.7.22 or higher.\n# References\n- [GitHub Commit](https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909)\n- [Google Groups Forum](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-296","pip"]}} + Message: This file introduces a vulnerable certifi package with a critical severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-CERTIFI-7430173WThis file introduces a vulnerable certifi package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-CERTIFI-7430173","shortDescription":{"text":"Medium severity - Insufficient Verification of Data Authenticity vulnerability in certifi"},"fullDescription":{"text":"(CVE-2024-39689) certifi@2022.12.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: certifi\n* Introduced through: pygoat@0.0.0 and certifi@2022.12.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › certifi@2022.12.7\n# Overview\n\nAffected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to the presence of the root certificate for GLOBALTRUST in the root store. The root certificates are being removed pursuant to an investigation into non-compliance.\n# Remediation\nUpgrade `certifi` to version 2024.7.4 or higher.\n# References\n- [GitHub Commit](https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463)\n- [Mozilla Root Discussion](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)\n"},"properties":{"cvssv3_baseScore":6.1,"security-severity":"6.1","tags":["security","CWE-345","pip"]}} + Message: This file introduces a vulnerable certifi package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-5663682\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-5663682","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-2650) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers.\r\nApplications that use `OBJ_obj2txt()` directly, or use any of the OpenSSL subsystems OCSP, `PKCS7/SMIME`, `CMS`, `CMP/CRMF` or `TS` with no message size limit may experience notable to very long delays when processing those messages, which may lead to a exploitation of this vulnerability.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db779b0e10b047f2585615e0b8f2acdf21f8544a)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2207947)\n- [Security Advisory](https://www.openssl.org/news/secadv/20230530.txt)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-5777683ZThis file introduces a vulnerable cryptography package with a high severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-5777683","shortDescription":{"text":"High severity - Improper Certificate Validation vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-38325) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Improper Certificate Validation in the SSH certificate decoding process. An attacker can cause the application to accept unauthorized SSH certificates generated by `ssh-keygen`, or cause certificates generated by `SSHCertificateBuilder ` to fail when read by `ssh-keygen`. \r\n\r\n**Note:**\r\nThis is only exploitable if the attacker controls the SSH certificate generation process or can introduce crafted SSH certificates into the system.\n# Remediation\nUpgrade `cryptography` to version 41.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/e190ef190525999d1f599cf8c3aef5cb7f3a8bc4)\n- [GitHub Diff](https://github.com/pyca/cryptography/compare/41.0.1...41.0.2)\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9207)\n- [GitHub PR](https://github.com/pyca/cryptography/pull/9208)\n"},"properties":{"cvssv3_baseScore":7.4,"security-severity":"7.4","tags":["security","CWE-295","pip"]}} + Message: This file introduces a vulnerable cryptography package with a high severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-5813745YThis file introduces a vulnerable cryptography package with a low severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-5813745","shortDescription":{"text":"Low severity - Insufficient Verification of Data Authenticity vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-2975) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the AES-SIV cipher implementation in `ciphers/cipher_aes_siv.c`, which ignores empty associated data entries, making them unauthenticated. \r\n\r\nApplications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. \r\n\r\n**NOTE:** This issue does not affect non-empty associated data authentication and the maintainers are currently unaware of any applications that use empty associated data entries.\n# Remediation\nUpgrade `cryptography` to version 41.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2223016)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20230714.txt)\n"},"properties":{"cvssv3_baseScore":3.7,"security-severity":"3.7","tags":["security","CWE-345","pip"]}} + Message: This file introduces a vulnerable cryptography package with a low severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-5813746\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-5813746","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-3446) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `DH_check()`, `DH_check_ex()` and `EVP_PKEY_param_check()` functions, which are used to check a DH key or DH parameters.\r\n\r\nWhen the key or parameters that are being checked contain an excessively large modulus value (the `p` parameter) this may cause slowness in processing. Some checks use the supplied modulus value even if it has already been found to be too large. \r\n\r\nThe OpenSSL `dhparam` and `pkeyparam` command line applications are also vulnerable, when using the `-check` option. \r\n\r\n**NOTE:** The OpenSSL SSL/TLS implementation is not affected by this issue.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/8780a896543a654e757db1b9396383f9d8095528)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/fc9867c1e03c22ebf56943be205202e576aabf23)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2224962)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20230719.txt)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-5813750YThis file introduces a vulnerable cryptography package with a low severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-5813750","shortDescription":{"text":"Low severity - Denial of Service (DoS) vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-3817) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_check()`, `DH_check_ex()`, or `EVP_PKEY_param_check()` functions are used to check a DH key or DH parameters. An attacker can cause long delays and potentially a Denial of Service (DoS) by providing excessively long DH keys or parameters from an untrusted source. This is only exploitable if the application calls these functions and supplies a key or parameters obtained from an untrusted source.\r\n\r\n**Note:**\r\nThe OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/1c16253f3c3a8d1e25918c3f404aae6a5b0893de)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/91ddeba0f2269b017dc06c46c993a788974b1aa5)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d)\n- [Security Advisory](https://www.openssl.org/news/secadv/20230731.txt)\n"},"properties":{"cvssv3_baseScore":3.7,"security-severity":"3.7","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a low severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-5914629\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-5914629","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-4807) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). The POLY1305 MAC (message authentication code) implementation might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting AVX512-IFMA instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used in an application, the application state might be corrupted with various application dependent consequences, the most likely of which being denial of service. The maintainers are currently not aware of any concrete application that would be affected by this issue.\r\n\r\n\r\n**NOTES:**\r\n\r\nThis vulnerability is only exploitable on Windows.\r\n\r\nThe FIPS provider is not affected by this issue.\r\n\r\n# Workaround \r\n\r\nDisable `AVX512-IFMA` instructions by setting the environment variable `OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000`\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.4 or higher.\n# References\n- [Github Commit](https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/4bfac4471f53c4f74c8d81020beb938f92d84ca5)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/6754de4a121ec7f261b16723180df6592cbb4508)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a632d534c73eeb3e3db8c7540d811194ef7c79ff)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2238009)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20230908.txt)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6036192\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6036192","shortDescription":{"text":"Medium severity - Missing Cryptographic Step vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-5363) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Missing Cryptographic Step when the `EVP_EncryptInit_ex2()`, `EVP_DecryptInit_ex2()` or `EVP_CipherInit_ex2()` functions are used. An attacker can cause truncation or overreading of key and initialization vector (IV) lengths by altering the \"keylen\" or \"ivlen\" parameters within the `OSSL_PARAM` array after the key and IV have been established. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers, such as RC2, RC4, RC5, CCM, GCM, and OCB. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. \r\n\r\nBoth truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception.\n# Remediation\nUpgrade `cryptography` to version 41.0.5 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231024.txt)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-325","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6050294\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6050294","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-5678) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n# Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6092044\This file introduces a vulnerable cryptography package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6092044","shortDescription":{"text":"Medium severity - NULL Pointer Dereference vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-49083) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when loading PKCS7 certificates. An attacker can cause a Denial of Service (DoS) by attempting to deserialize a PKCS7 blob/certificate. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` functions are called.\n# PoC\n```python\r\nfrom cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates\r\n\r\npem_p7 = b\"\"\"\r\n-----BEGIN PKCS7-----\r\nMAsGCSqGSIb3DQEHAg==\r\n-----END PKCS7-----\r\n\"\"\"\r\n\r\nder_p7 = b\"\\x30\\x0B\\x06\\x09\\x2A\\x86\\x48\\x86\\xF7\\x0D\\x01\\x07\\x02\"\r\n\r\nload_pem_pkcs7_certificates(pem_p7)\r\nload_der_pkcs7_certificates(der_p7)\r\n```\n# Remediation\nUpgrade `cryptography` to version 41.0.6 or higher.\n# References\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-476","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6126975ZThis file introduces a vulnerable cryptography package with a high severity vulnerability. : +MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6126975","shortDescription":{"text":"High severity - Observable Timing Discrepancy vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-50782) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Observable Timing Discrepancy. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data (Marvin).\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n# Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n# References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n- [Vulnerability Report](https://people.redhat.com/~hkario/marvin/)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-203","pip"]}} + Message: This file introduces a vulnerable cryptography package with a high severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6149518\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6149518","shortDescription":{"text":"Medium severity - Use of a Broken or Risky Cryptographic Algorithm vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-6129) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n# Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-328","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6157248\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6157248","shortDescription":{"text":"Medium severity - Resource Exhaustion vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2023-6237) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Resource Exhaustion via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6210214\This file introduces a vulnerable cryptography package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6210214","shortDescription":{"text":"Medium severity - NULL Pointer Dereference vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2024-0727) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n# Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n"},"properties":{"cvssv3_baseScore":5.5,"security-severity":"5.5","tags":["security","CWE-476","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6261585\This file introduces a vulnerable cryptography package with a medium severity vulnerability. : +MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6261585","shortDescription":{"text":"Medium severity - NULL Pointer Dereference vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2024-26130) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference in the `pkcs12.serialize_key_and_certificates` function. An attacker can crash the Python process. \r\n\r\n**Note:**\r\nThis is only exploitable if the vulnerable function is called with both:\r\n\r\n1) A certificate whose public key does not match the provided private key.\r\n\r\n2) An encryption_algorithm with hmac_hash set via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`.\n# Remediation\nUpgrade `cryptography` to version 42.0.4 or higher.\n# References\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55)\n- [GitHub PR](https://github.com/pyca/cryptography/pull/10423)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-476","pip"]}} + Message: This file introduces a vulnerable cryptography package with a medium severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6592767YThis file introduces a vulnerable cryptography package with a low severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6592767","shortDescription":{"text":"Low severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2024-2511) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the session cache entering an incorrect state and failing to flush properly as it fills, leading to uncontrolled memory consumption. This condition is triggered under certain server configurations when processing TLSv1.3 sessions. Specifically, this occurs if the non-default `SSL_OP_NO_TICKET` option is enabled, but not if early_data support is configured along with the default anti-replay protection. A malicious client could deliberately create this scenario to force a service disruption. It may also occur accidentally in normal operation.\r\n\r\n**Note:**\r\n\r\nThis issue is only exploitable if the server supports TLSv1.3 and is configured with the `SSL_OP_NO_TICKET` option enabled.\n# Remediation\nUpgrade `cryptography` to version 42.0.6 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/21df7f04f6c4a560b4de56d10e1e58958c7e566d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/4a3e8f08306c64366318e26162ae0a0eb7b1a006)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/7984fa683e9dfac0cad50ef2a9d5a13330222044)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/42192fab0a96b484089021148ed1eaa12053f7ed)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274020)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20240408.txt)\n"},"properties":{"cvssv3_baseScore":3.7,"security-severity":"3.7","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a low severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-6913422YThis file introduces a vulnerable cryptography package with a low severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-6913422","shortDescription":{"text":"Low severity - Uncontrolled Resource Consumption vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2024-4603) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption due to improper user input validation in the `EVP_PKEY_param_check` or `EVP_PKEY_public_check` functions. An attacker can cause a denial of service by supplying excessively long DSA keys or parameters obtained from an untrusted source.\r\n\r\n**Note:**\r\n\r\nOpenSSL does not call these functions on untrusted DSA keys, so only applications that directly call these functions may be vulnerable.\r\n\r\nAlso vulnerable are the OpenSSL `pkey` and `pkeyparam` command line applications when using the \"-check\" option.\n# Remediation\nUpgrade `cryptography` to version 42.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/85ccbab216da245cf9a6503dd327072f21950d9b)\n- [GitHub Commit 3.0](https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397)\n- [GitHub Commit 3.1](https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d)\n- [GitHub Commit 3.2](https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740)\n- [GitHub Commit 3.3](https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e)\n- [GitHub Commit cryptography](https://github.com/pyca/cryptography/commit/38852224f455af1915a628542b930ad11d2a884c)\n- [GitHub PR](https://github.com/openssl/openssl/pull/24346)\n- [OpenSSL advisory](https://www.openssl.org/news/secadv/20240516.txt)\n"},"properties":{"cvssv3_baseScore":3.7,"security-severity":"3.7","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable cryptography package with a low severity vulnerability.Bunknown +requirements.txt:1-1 SNYK-PYTHON-CRYPTOGRAPHY-7886970ZThis file introduces a vulnerable cryptography package with a high severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-CRYPTOGRAPHY-7886970","shortDescription":{"text":"High severity - Type Confusion vulnerability in cryptography"},"fullDescription":{"text":"(CVE-2024-6119) cryptography@39.0.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Type Confusion in the `do_x509_check()` function in `x509/v3_utl.c`, which is responsible for certificate name checks. An application that specifies an expected DNS name, Email address or IP address that performs a name check on an `otherName` subject alternative name of an X.509 certificate can be made to crash when it attempts to read an invalid memory address.\n\n**Note:** Users that are building cryptography source (\"sdist\") are responsible for upgrading their copy of OpenSSL.\n\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 43.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/6687bab97aef31d6ee6cc94ecc87a972137b5d4a)\n- [openssl News](https://openssl-library.org/news/secadv/20240903.txt)\n"},"properties":{"cvssv3_baseScore":8.2,"security-severity":"8.2","tags":["security","CWE-843","pip"]}} + Message: This file introduces a vulnerable cryptography package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-5496950VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-5496950","shortDescription":{"text":"Medium severity - Arbitrary File Upload vulnerability in django"},"fullDescription":{"text":"(CVE-2023-31047) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary File Upload by bypassing of validation of all but the last file when uploading multiple files using a single `forms.FileField` or `forms.ImageField`.\n# Remediation\nUpgrade `django` to version 3.2.19, 4.1.9, 4.2.1 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2023/may/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd)\n- [GitHub Commit](https://github.com/django/django/commit/e7c3a2ccc3a562328600be05068ed9149e12ce64)\n- [GitHub Commit](https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965)\n- [GitHub Commit](https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2192565)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-434","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown- +requirements.txt:1-1SNYK-PYTHON-DJANGO-5750790TThis file introduces a vulnerable django package with a high severity vulnerability. :,MatchedRule: {"id":"SNYK-PYTHON-DJANGO-5750790","shortDescription":{"text":"High severity - Regular Expression Denial of Service (ReDoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2023-36053) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `EmailValidator` and `URLValidator` classes, when processing a very large number of domain name labels on emails or URLs.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `django` to version 3.2.20, 4.1.10, 4.2.3 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2023/jul/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582)\n- [GitHub Commit](https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd)\n- [GitHub Commit](https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9)\n- [GitHub Commit](https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-1333","pip"]}} + Message: This file introduces a vulnerable django package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-5880505TThis file introduces a vulnerable django package with a high severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-5880505","shortDescription":{"text":"High severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2023-41164) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `django.utils.encoding.uri_to_iri()` function when processing inputs with a large number of Unicode characters.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 3.2.21, 4.1.11, 4.2.5 or higher.\n# References\n- [Django Release Notes](https://docs.djangoproject.com/en/dev/releases/3.2.21/)\n- [Django Release Notes](https://docs.djangoproject.com/en/dev/releases/4.1.11/)\n- [Django Release Notes](https://docs.djangoproject.com/en/dev/releases/4.2.5/)\n- [GitHub Commit](https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e)\n- [GitHub Commit](https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9)\n- [GitHub Commit](https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a high severity vulnerability.Bunknown/ +requirements.txt:1-1SNYK-PYTHON-DJANGO-5932095VThis file introduces a vulnerable django package with a medium severity vulnerability. :.MatchedRule: {"id":"SNYK-PYTHON-DJANGO-5932095","shortDescription":{"text":"Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2023-43665) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `chars()` and `words()` methods in the `django.utils.text.Truncator` function. An attacker can cause a denial of service by exploiting the inefficient regular expression complexity, which exhibits linear backtracking complexity and can be slow, given certain long and potentially malformed HTML inputs.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `django` to version 3.2.22, 4.1.12, 4.2.6 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2023/oct/04/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/3db945a6b337443a2792a70b3971b2c2a3d40b1c)\n- [GitHub Commit](https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473)\n- [GitHub Commit](https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8)\n- [GitHub Commit](https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2241046)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-1333","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-6041515VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-6041515","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2023-46695) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via the `NFKC normalization` function in `django.contrib.auth.forms.UsernameField`. A potential attack can be executed via certain inputs with a very large number of Unicode characters.\r\n\r\n**Note:** This vulnerability is only exploitable on Windows systems.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 3.2.23, 4.1.13, 4.2.7 or higher.\n# References\n- [GitHub Commit](https://github.com/django/django/commit/05ba4130ee878c4f520b5d34bb11eaad794623be)\n- [Vulnerability Advisory](https://www.djangoproject.com/weblog/2023/nov/01/security-releases/)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown. +requirements.txt:1-1SNYK-PYTHON-DJANGO-6370660VThis file introduces a vulnerable django package with a medium severity vulnerability. :,MatchedRule: {"id":"SNYK-PYTHON-DJANGO-6370660","shortDescription":{"text":"Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2024-27351) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in `django.utils.text.Truncator.words()`, whose performance can be degraded when processing a malicious input involving repeated `\u003c` characters. \r\n\r\n**Note:**\r\n\r\nThe function is only vulnerable when `html=True` is set and the `truncatewords_html` template filter is in use.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `django` to version 3.2.25, 4.2.11, 5.0.3 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/mar/04/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521)\n- [GitHub Commit](https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e)\n- [GitHub Commit](https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a)\n"},"properties":{"cvssv3_baseScore":5.3,"security-severity":"5.3","tags":["security","CWE-1333","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7435780VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7435780","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2024-39614) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in `django.utils.translation.get_supported_language_variant()` function due to improper user input validation. An attacker can exploit this vulnerability by using very long strings containing specific characters. Exploiting this vulnerability could lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/9e9792228a6bb5d6402a5d645bc3be4cf364aefb)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7436273VThis file introduces a vulnerable django package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7436273","shortDescription":{"text":"Medium severity - Timing Attack vulnerability in django"},"fullDescription":{"text":"(CVE-2024-39329) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Timing Attack via the `django.contrib.auth.backends.ModelBackend.authenticate()` method. This allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [Follow-up GitHub Commit](https://github.com/django/django/commit/e1606d27b4fed653c80817f3a13cf8bc6f3163f0)\n- [GitHub Commit](https://github.com/django/django/commit/07cefdee4a9d1fcd9a3a631cbd07c78defd1923b)\n"},"properties":{"cvssv3_baseScore":6.3,"security-severity":"6.3","tags":["security","CWE-208","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7436514VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7436514","shortDescription":{"text":"Medium severity - Directory Traversal vulnerability in django"},"fullDescription":{"text":"(CVE-2024-39330) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Directory Traversal via the derived classes of the `django.core.files.storage.Storage` base class which override `generate_filename()` without replicating the file path validations existing in the parent class. This allows potential access to out of scope data via certain inputs when calling `save()` method.\r\n\r\n**Note:**\r\nBuilt-in Storage sub-classes were not affected by this vulnerability.\n\n# Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-22","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7436646VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7436646","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2024-38875) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via the in `django.utils.html.urlize()` and `django.utils.html.urlizetrunc()` functions. If certain inputs with a very large number of brackets are provided, this could lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/d6664574539c1531612dea833d264ed5c2b04e1e)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7642790VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7642790","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2024-41990) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via very large inputs with a specific sequence of characters in the `urlize()` and `urlizetrunc()` template filters.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/aug/06/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/0c1a8909164d8f2846322efb1143b72ad1616bd8)\n- [GitHub Commit](https://github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93)\n- [GitHub Commit](https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/4.2.15.txt#L19)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/5.0.8.txt#L19)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7642791VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7642791","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2024-41991) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via certain inputs with a very large number of Unicode characters in the `urlize` and `urlizetrunc` template filters, and the `AdminURLFieldWidget` widget.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/aug/06/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927)\n- [GitHub Commit](https://github.com/django/django/commit/bd807c0c25ab69361a4c08edcc1cf04d4652aa0a)\n- [GitHub Commit](https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/4.2.15.txt#L26)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/5.0.8.txt#L26)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7642813VThis file introduces a vulnerable django package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7642813","shortDescription":{"text":"Medium severity - Uncontrolled Resource Consumption vulnerability in django"},"fullDescription":{"text":"(CVE-2024-41989) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption via the `floatformat()` template filter, when given a string representation of a number in scientific notation with a large exponent.\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/django/django/commit/1a5aca65174c2cdd6ab7f10087f9486987b8bbaf)\n- [GitHub Commit](https://github.com/django/django/commit/d787e44e1e8e8c578ef1feb630164ef009e775d1)\n- [GitHub Commit](https://github.com/django/django/commit/e0579ce27746b04a37cf43559df445068fd2a781)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7642814VThis file introduces a vulnerable django package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7642814","shortDescription":{"text":"Medium severity - SQL Injection vulnerability in django"},"fullDescription":{"text":"(CVE-2024-42005) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to SQL Injection via the `QuerySet.values()` and `values_list()` methods on models with a `JSONField`.\nAn attacker can exploit this vulnerability through column aliases by using a maliciously crafted JSON object object key as a passed `*arg`.\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/django/django/commit/1a5aca65174c2cdd6ab7f10087f9486987b8bbaf)\n- [GitHub Commit](https://github.com/django/django/commit/d787e44e1e8e8c578ef1feb630164ef009e775d1)\n- [GitHub Commit](https://github.com/django/django/commit/e0579ce27746b04a37cf43559df445068fd2a781)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-89","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7886958VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7886958","shortDescription":{"text":"Medium severity - Improper Check for Unusual or Exceptional Conditions vulnerability in django"},"fullDescription":{"text":"(CVE-2024-45231) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to unhandled email sending failures in the `django.contrib.auth.forms.PasswordResetForm` class. This allows attackers to enumerate user email addresses by brute forcing password reset requests and observing the outcomes.\n# Remediation\nUpgrade `django` to version 4.2.16, 5.0.9, 5.1.1 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/sep/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca)\n- [GitHub Commit](https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2)\n- [GitHub Commit](https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199)\n"},"properties":{"cvssv3_baseScore":6.3,"security-severity":"6.3","tags":["security","CWE-754","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-DJANGO-7886959VThis file introduces a vulnerable django package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-DJANGO-7886959","shortDescription":{"text":"Medium severity - Denial of Service (DoS) vulnerability in django"},"fullDescription":{"text":"(CVE-2024-45230) django@4.1.7"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to not accounting for very large inputs involving intermediate `;`s, in the `django.utils.html.urlize()` and `django.utils.html.urlizetrunc()` template filter functions.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.16, 5.0.9, 5.1.1 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/sep/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/022ab0a75c76ab2ea31dfcc5f2cf5501e378d397)\n- [GitHub Commit](https://github.com/django/django/commit/813de2672bd7361e9a453ab62cd6e52f96b6525b)\n- [GitHub Commit](https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-770","pip"]}} + Message: This file introduces a vulnerable django package with a medium severity vulnerability.Bunknown +requirements.txt:1-1!SNYK-PYTHON-DJANGOALLAUTH-5406296\This file introduces a vulnerable django-allauth package with a high severity vulnerability. : +MatchedRule: {"id":"SNYK-PYTHON-DJANGOALLAUTH-5406296","shortDescription":{"text":"High severity - Timing Attack vulnerability in django-allauth"},"fullDescription":{"text":"django-allauth@0.52.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django-allauth\n* Introduced through: pygoat@0.0.0 and django-allauth@0.52.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0\n# Overview\n[django-allauth](http://github.com/pennersr/django-allauth) is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.\n\nAffected versions of this package are vulnerable to Timing Attack which allows an attacker to infer whether or not a given account exists based on the response time of an authentication attempt. This occurs even when account enumeration prevention is turned on.\n# Remediation\nUpgrade `django-allauth` to version 0.54.0 or higher.\n# References\n- [GitHub Commit](https://github.com/pennersr/django-allauth/commit/6acb0dccf9a1f860781ae06bdede8fb862618148)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-208","pip"]}} + Message: This file introduces a vulnerable django-allauth package with a high severity vulnerability.Bunknown +requirements.txt:1-1!SNYK-PYTHON-DJANGOALLAUTH-7413652^This file introduces a vulnerable django-allauth package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-DJANGOALLAUTH-7413652","shortDescription":{"text":"Medium severity - Cross-site Request Forgery (CSRF) vulnerability in django-allauth"},"fullDescription":{"text":"django-allauth@0.52.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django-allauth\n* Introduced through: pygoat@0.0.0 and django-allauth@0.52.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0\n# Overview\n[django-allauth](http://github.com/pennersr/django-allauth) is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.\n\nAffected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the SAML login flow. `RelayState` was used to keep track of whether or not the login flow was IdP or SP initiated. As `RelayState` is a separate field, not part of the `SAMLResponse` payload, it was not signed, allowing the existence of this vulnerability.\n# Remediation\nUpgrade `django-allauth` to version 0.63.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pennersr/django-allauth/commit/1f631a1bcd5062518a7ba437457242eadfd521ab)\n"},"properties":{"cvssv3_baseScore":5.1,"security-severity":"5.1","tags":["security","CWE-352","pip"]}} + Message: This file introduces a vulnerable django-allauth package with a medium severity vulnerability.Bunknown* +requirements.txt:1-1!SNYK-PYTHON-DJANGOALLAUTH-7577207^This file introduces a vulnerable django-allauth package with a medium severity vulnerability. :)MatchedRule: {"id":"SNYK-PYTHON-DJANGOALLAUTH-7577207","shortDescription":{"text":"Medium severity - Cross-site Scripting (XSS) vulnerability in django-allauth"},"fullDescription":{"text":"django-allauth@0.52.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: django-allauth\n* Introduced through: pygoat@0.0.0 and django-allauth@0.52.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0\n# Overview\n[django-allauth](http://github.com/pennersr/django-allauth) is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization, allowing an attacker to exploit this vulnerability when configuring the Facebook provider to use the `js_sdk` method, potentially compromising user sessions or stealing sensitive information.\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `\u003c` can be coded as `\u0026lt`; and `\u003e` can be coded as `\u0026gt`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `\u003c` and `\u003e` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `\u0026`, `/`, `\u003c`, `\u003e` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `django-allauth` to version 0.63.6 or higher.\n# References\n- [GitHub Commit](https://github.com/pennersr/django-allauth/commit/8fead343c1d3e75cc842e0ee1e21a39c6d145155)\n"},"properties":{"cvssv3_baseScore":5.1,"security-severity":"5.1","tags":["security","CWE-79","pip"]}} + Message: This file introduces a vulnerable django-allauth package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-IDNA-6597975TThis file introduces a vulnerable idna package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-IDNA-6597975","shortDescription":{"text":"Medium severity - Resource Exhaustion vulnerability in idna"},"fullDescription":{"text":"(CVE-2024-3651) idna@3.4"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: idna\n* Introduced through: pygoat@0.0.0 and idna@3.4\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › idna@3.4\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › idna@3.4\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › idna@3.4\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › idna@3.4\n# Overview\n\nAffected versions of this package are vulnerable to Resource Exhaustion via the `idna.encode` function. An attacker can consume significant resources and potentially cause a denial-of-service by supplying specially crafted arguments to this function. \r\n\r\n**Note:**\r\nThis is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n# Remediation\nUpgrade `idna` to version 3.7 or higher.\n# References\n- [GitHub Commit](https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7)\n"},"properties":{"cvssv3_baseScore":6.2,"security-severity":"6.2","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable idna package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PILLOW-5918878XThis file introduces a vulnerable pillow package with a critical severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-PILLOW-5918878","shortDescription":{"text":"Critical severity - Heap-based Buffer Overflow vulnerability in pillow"},"fullDescription":{"text":"(CVE-2023-4863) pillow@9.4.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n[Pillow](https://python-pillow.org/) is a PIL (Python Imaging Library) fork.\n\nAffected versions of this package are vulnerable to Heap-based Buffer Overflow when the `ReadHuffmanCodes()` function is used. An attacker can craft a special `WebP` lossless file that triggers the `ReadHuffmanCodes()` function to allocate the HuffmanCode buffer with a size that comes from an array of precomputed sizes: `kTableSize`. The `color_cache_bits` value defines which size to use. The `kTableSize` array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (`MAX_ALLOWED_CODE_LENGTH`). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.\r\n\r\n**Notes:**\r\n\r\nThis is only exploitable if the `color_cache_bits` value defines which size to use.\r\n\r\nThis vulnerability was also published on libwebp [CVE-2023-5129](https://security.snyk.io/vuln/SNYK-UNMANAGED-WEBMPROJECTLIBWEBP-5918283)\r\n\r\n**Changelog:**\r\n\r\n2023-09-12: Initial advisory publication\r\n\r\n2023-09-27: Advisory details updated, including CVSS, references\r\n\r\n2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863\r\n\r\n2023-09-28: Research and addition of additional affected libraries\r\n\r\n2024-01-28: Additional fix information\n# Remediation\nUpgrade `Pillow` to version 10.0.1 or higher.\n# References\n- [Chrome Releases](https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html)\n- [Github Commit](https://github.com/cefsharp/CefSharp/commit/f2890ba66170afb0bf742839febe4d20449f758c)\n- [GitHub PR](https://github.com/electron/electron/pull/39823)\n- [GitHub PR](https://github.com/electron/electron/pull/39824)\n- [GitHub PR](https://github.com/electron/electron/pull/39825)\n- [GitHub PR](https://github.com/electron/electron/pull/39826)\n- [GitHub PR](https://github.com/electron/electron/pull/39827)\n- [Imagemagick Commit](https://github.com/dlemstra/Magick.NET/commit/d8673e7690007d8c73a37f3a5c8104fa9321a8da)\n- [Mozilla Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/)\n- [PoC](https://blog.isosceles.com/the-webp-0day/)\n- [Security Advisory](https://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76)\n- [Security Advisory](https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a)\n- [Snyk Blog](https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n"},"properties":{"cvssv3_baseScore":9.6,"security-severity":"9.6","tags":["security","CWE-122","pip"]}} + Message: This file introduces a vulnerable pillow package with a critical severity vulnerability.Bunknown + +requirements.txt:1-1SNYK-PYTHON-PILLOW-6043904TThis file introduces a vulnerable pillow package with a high severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-PILLOW-6043904","shortDescription":{"text":"High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in pillow"},"fullDescription":{"text":"(CVE-2023-44271) pillow@9.4.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when the `ImageFont` truetype in an `ImageDraw` instance operates on a long text argument. An attacker can cause the service to crash by processing a task that uncontrollably allocates memory.\n# Remediation\nUpgrade `pillow` to version 10.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7)\n- [GitHub PR](https://github.com/python-pillow/Pillow/pull/7244)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable pillow package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PILLOW-6182918TThis file introduces a vulnerable pillow package with a high severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-PILLOW-6182918","shortDescription":{"text":"High severity - Eval Injection vulnerability in pillow"},"fullDescription":{"text":"(CVE-2023-50447) pillow@9.4.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Eval Injection via the `PIL.ImageMath.eval` function when an attacker has control over the keys passed to the `environment` argument.\n# PoC\n```python\nfrom PIL import Image, ImageMath\n\nimage1 = Image.open('__class__')\nimage2 = Image.open('__bases__')\nimage3 = Image.open('__subclasses__')\nimage4 = Image.open('load_module')\nimage5 = Image.open('system')\n\nexpression = \"().__class__.__bases__[0].__subclasses__()[104].load_module('os').system('whoami')\"\n\nenvironment = {\n image1.filename: image1,\n image2.filename: image2,\n image3.filename: image3,\n image4.filename: image4,\n image5.filename: image5\n}\n\nImageMath.eval(expression, **environment)\n```\n# Remediation\nUpgrade `pillow` to version 10.2.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d)\n- [GitHub Release](https://github.com/python-pillow/Pillow/releases/tag/10.2.0)\n- [Security Advisory](https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/)\n"},"properties":{"cvssv3_baseScore":8.1,"security-severity":"8.1","tags":["security","CWE-95","pip"]}} + Message: This file introduces a vulnerable pillow package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PILLOW-6219984TThis file introduces a vulnerable pillow package with a high severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-PILLOW-6219984","shortDescription":{"text":"High severity - Denial of Service (DoS) vulnerability in pillow"},"fullDescription":{"text":"pillow@9.4.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when using arbitrary strings as text input and the number of characters passed into `PIL.ImageFont.ImageFont.getmask()` is over a certain limit. This can lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `pillow` to version 10.2.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/2ec53e36e9135fda4e2eb6bbd5343a7facae71da)\n- [Pillow Release Notes](https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable pillow package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PILLOW-6219986TThis file introduces a vulnerable pillow package with a high severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-PILLOW-6219986","shortDescription":{"text":"High severity - Denial of Service (DoS) vulnerability in pillow"},"fullDescription":{"text":"pillow@9.4.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if the size of individual glyphs extends beyond the bitmap image, when using `PIL.ImageFont.ImageFont` function. Exploiting this vulnerability could lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `pillow` to version 10.2.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/10c2df5430f3c111f25508152eb1f2ea8741c686)\n- [Pillow Release Notes](https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable pillow package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PILLOW-6514866TThis file introduces a vulnerable pillow package with a high severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-PILLOW-6514866","shortDescription":{"text":"High severity - Buffer Overflow vulnerability in pillow"},"fullDescription":{"text":"(CVE-2024-28219) pillow@9.4.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Buffer Overflow via the `strcpy` function in `_imagingcms.c`, due to two calls that were able to copy too much data into fixed length strings.\n# Remediation\nUpgrade `pillow` to version 10.3.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/2776126aa9af322b416eaca247f4f8ebefd08128)\n- [GitHub PR](https://github.com/python-pillow/Pillow/pull/7928)\n"},"properties":{"cvssv3_baseScore":7.3,"security-severity":"7.3","tags":["security","CWE-120","pip"]}} + Message: This file introduces a vulnerable pillow package with a high severity vulnerability.Bunknown + +requirements.txt:1-1SNYK-PYTHON-PYYAML-550022XThis file introduces a vulnerable pyyaml package with a critical severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-PYYAML-550022","shortDescription":{"text":"Critical severity - Improper Access Control vulnerability in pyyaml"},"fullDescription":{"text":"(CVE-2019-20477) pyyaml@5.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pyyaml\n* Introduced through: pygoat@0.0.0 and pyyaml@5.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pyyaml@5.1\n# Overview\n\nAffected versions of this package are vulnerable to Improper Access Control. It has insufficient restrictions on the `load` and `load_all` functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module.\n# Remediation\nUpgrade `PyYAML` to version 5.2 or higher.\n# References\n- [GitHub Changes](https://github.com/yaml/pyyaml/blob/master/CHANGES)\n- [GitHub Issue](https://github.com/yaml/pyyaml/issues/265)\n- [Research Paper](https://www.exploit-db.com/download/47655)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-284","pip"]}} + Message: This file introduces a vulnerable pyyaml package with a critical severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PYYAML-559098XThis file introduces a vulnerable pyyaml package with a critical severity vulnerability. : +MatchedRule: {"id":"SNYK-PYTHON-PYYAML-559098","shortDescription":{"text":"Critical severity - Arbitrary Code Execution vulnerability in pyyaml"},"fullDescription":{"text":"(CVE-2020-1747) pyyaml@5.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pyyaml\n* Introduced through: pygoat@0.0.0 and pyyaml@5.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pyyaml@5.1\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. It is susceptible to arbitrary code execution when it processes untrusted YAML files through the `full_load` method or with the `FullLoader` loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n# Remediation\nUpgrade `PyYAML` to version 5.3.1 or higher.\n# References\n- [GitHub Commit](https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0)\n- [GitHub PR](https://github.com/yaml/pyyaml/pull/386)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1807367)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-20","pip"]}} + Message: This file introduces a vulnerable pyyaml package with a critical severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-PYYAML-590151XThis file introduces a vulnerable pyyaml package with a critical severity vulnerability. : +MatchedRule: {"id":"SNYK-PYTHON-PYYAML-590151","shortDescription":{"text":"Critical severity - Arbitrary Code Execution vulnerability in pyyaml"},"fullDescription":{"text":"(CVE-2020-14343) pyyaml@5.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: pyyaml\n* Introduced through: pygoat@0.0.0 and pyyaml@5.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pyyaml@5.1\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. It processes untrusted YAML files through the `full_load` method or with the `FullLoader` loader. This is due to an incomplete fix for [CVE-2020-1747](https://security.snyk.io/vuln/SNYK-PYTHON-PYYAML-559098).\n# Remediation\nUpgrade `PyYAML` to version 5.4 or higher.\n# References\n- [Exploit Writeup](https://hackmd.io/@harrier/uiuctf20)\n- [GitHub Commit](https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc)\n- [GitHub Issue](https://github.com/yaml/pyyaml/issues/420)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1860466)\n- [Research Blog Post](https://blog.arxenix.dev/pyyaml-cve/)\n"},"properties":{"cvssv3_baseScore":9.8,"security-severity":"9.8","tags":["security","CWE-94","pip"]}} + Message: This file introduces a vulnerable pyyaml package with a critical severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-REQUESTS-5595532XThis file introduces a vulnerable requests package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-REQUESTS-5595532","shortDescription":{"text":"Medium severity - Information Exposure vulnerability in requests"},"fullDescription":{"text":"(CVE-2023-32681) requests@2.28.2"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: requests\n* Introduced through: pygoat@0.0.0 and requests@2.28.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n# Overview\n\nAffected versions of this package are vulnerable to Information Exposure by leaking `Proxy-Authorization` headers to destination servers during redirects to an HTTPS origin. This is a result of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. \r\n\r\n**NOTE:** This behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`), and only when redirecting to HTTPS:\r\n\r\n1) HTTP → HTTPS: leak\r\n\r\n2) HTTPS → HTTP: no leak\r\n\r\n3) HTTPS → HTTPS: leak\r\n\r\n4) HTTP → HTTP: no leak\r\n\r\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the `CONNECT` request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\r\n\r\n# Workaround\r\n\r\nThis vulnerability can be avoided by setting `allow_redirects` to `False` on all calls through Requests top-level APIs, and then capturing the 3xx response codes to make a new request to the redirect destination.\n# Remediation\nUpgrade `requests` to version 2.31.0 or higher.\n# References\n- [GitHub Commit](https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5)\n- [GitHub Release](https://github.com/psf/requests/releases/tag/v2.31.0)\n"},"properties":{"cvssv3_baseScore":6.1,"security-severity":"6.1","tags":["security","CWE-200","pip"]}} + Message: This file introduces a vulnerable requests package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-REQUESTS-6928867XThis file introduces a vulnerable requests package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-REQUESTS-6928867","shortDescription":{"text":"Medium severity - Always-Incorrect Control Flow Implementation vulnerability in requests"},"fullDescription":{"text":"(CVE-2024-35195) requests@2.28.2"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: requests\n* Introduced through: pygoat@0.0.0 and requests@2.28.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n# Overview\n\nAffected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests `Session`. An attacker can bypass certificate verification by making the first request with `verify=False`, causing all subsequent requests to ignore certificate verification regardless of changes to the `verify` value.\r\n\r\n**Notes:**\r\n\r\n1) For requests \u003c2.32.0, avoid setting `verify=False` for the first request to a host while using a Requests Session.\r\n\r\n2) For requests \u003c2.32.0, call `close()` on Session objects to clear existing connections if `verify=False` is used.\r\n\r\n3) This vulnerability was initially fixed in version [2.32.0](https://pypi.org/project/requests/2.32.0/), which was yanked. Therefore, the next available fixed version is 2.32.2.\n# Remediation\nUpgrade `requests` to version 2.32.2 or higher.\n# References\n- [GitHub Commit](https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac)\n- [GitHub PR](https://github.com/psf/requests/pull/6655)\n"},"properties":{"cvssv3_baseScore":5.6,"security-severity":"5.6","tags":["security","CWE-670","pip"]}} + Message: This file introduces a vulnerable requests package with a medium severity vulnerability.Bunknown+ +requirements.txt:1-1SNYK-PYTHON-SQLPARSE-1584201VThis file introduces a vulnerable sqlparse package with a high severity vulnerability. :*MatchedRule: {"id":"SNYK-PYTHON-SQLPARSE-1584201","shortDescription":{"text":"High severity - Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse"},"fullDescription":{"text":"(CVE-2021-32839) sqlparse@0.3.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: sqlparse\n* Introduced through: pygoat@0.0.0 and sqlparse@0.3.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7 › sqlparse@0.3.1\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS. The regular expression may cause exponential backtracking on strings containing many repetitions of `\\r\\n` in SQL comments.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `sqlparse` to version 0.4.2 or higher.\n# References\n- [GitHub Commit](https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-400","pip"]}} + Message: This file introduces a vulnerable sqlparse package with a high severity vulnerability.Bunknown+ +requirements.txt:1-1SNYK-PYTHON-SQLPARSE-5426157VThis file introduces a vulnerable sqlparse package with a high severity vulnerability. :*MatchedRule: {"id":"SNYK-PYTHON-SQLPARSE-5426157","shortDescription":{"text":"High severity - Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse"},"fullDescription":{"text":"(CVE-2023-30608) sqlparse@0.3.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: sqlparse\n* Introduced through: pygoat@0.0.0 and sqlparse@0.3.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7 › sqlparse@0.3.1\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to using an inefficient pattern which can cause excessive backtracking, leading to performance degradation.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `sqlparse` to version 0.4.4 or higher.\n# References\n- [GitHub Commit](https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb)\n- [Vulnerable Code](https://github.com/andialbrecht/sqlparse/blob/e75e35869473832a1eb67772b1adfee2db11b85a/sqlparse/lexer.py#L194)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-1333","pip"]}} + Message: This file introduces a vulnerable sqlparse package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-SQLPARSE-6615674VThis file introduces a vulnerable sqlparse package with a high severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-SQLPARSE-6615674","shortDescription":{"text":"High severity - Uncontrolled Recursion vulnerability in sqlparse"},"fullDescription":{"text":"(CVE-2024-4340) sqlparse@0.3.1"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: sqlparse\n* Introduced through: pygoat@0.0.0 and sqlparse@0.3.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7 › sqlparse@0.3.1\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion due to the parsing of heavily nested lists. An attacker can cause the application to crash by submitting a specially crafted list that triggers a `RecursionError`.\r\n\r\n**Note:**\r\nThe impact depends on the use, so anyone parsing a user input with `sqlparse.parse()` is affected.\n# PoC\n```py\r\n\r\nimport sqlparse\r\nsqlparse.parse('[' * 10000 + ']' * 10000)\r\n```\n# Remediation\nUpgrade `sqlparse` to version 0.5.0 or higher.\n# References\n- [GitHub Commit](https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-674","pip"]}} + Message: This file introduces a vulnerable sqlparse package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-URLLIB3-5926907WThis file introduces a vulnerable urllib3 package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-URLLIB3-5926907","shortDescription":{"text":"Medium severity - Information Exposure Through Sent Data vulnerability in urllib3"},"fullDescription":{"text":"(CVE-2023-43804) urllib3@1.26.9"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: urllib3\n* Introduced through: pygoat@0.0.0 and urllib3@1.26.9\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › urllib3@1.26.9\n# Overview\n[urllib3](https://pypi.org/project/urllib3/) is a HTTP library with thread-safe connection pooling, file post, and more.\n\nAffected versions of this package are vulnerable to Information Exposure Through Sent Data when the `Cookie` HTTP header is used. An attacker can leak information via HTTP redirects to a different origin by exploiting the fact that the `Cookie` HTTP header isn't stripped on cross-origin redirects. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the user is using the `Cookie` header on requests, not disabling HTTP redirects, and either not using HTTPS or for the origin server to redirect to a malicious origin.\r\n\r\n##Workaround:\r\n\r\nThis vulnerability can be mitigated by disabling HTTP redirects using `redirects=False` when sending requests and by not using the `Cookie` header.\n# Remediation\nUpgrade `urllib3` to version 1.26.17, 2.0.6 or higher.\n# References\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb)\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/1.26.17)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/2.0.6)\n"},"properties":{"cvssv3_baseScore":5.9,"security-severity":"5.9","tags":["security","CWE-200","pip"]}} + Message: This file introduces a vulnerable urllib3 package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-URLLIB3-6002459WThis file introduces a vulnerable urllib3 package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-URLLIB3-6002459","shortDescription":{"text":"Medium severity - Information Exposure Through Sent Data vulnerability in urllib3"},"fullDescription":{"text":"(CVE-2023-45803) urllib3@1.26.9"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: urllib3\n* Introduced through: pygoat@0.0.0 and urllib3@1.26.9\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › urllib3@1.26.9\n# Overview\n[urllib3](https://pypi.org/project/urllib3/) is a HTTP library with thread-safe connection pooling, file post, and more.\n\nAffected versions of this package are vulnerable to Information Exposure Through Sent Data when it processes HTTP redirects with a 303 status code, due to not stripping the request body when changing the request method from `POST` to `GET`. An attacker can potentially expose sensitive information by compromising the origin service and redirecting requests to a malicious peer.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if sensitive information is being submitted in the HTTP request body and the origin service is compromised, starting to redirect using 303 to a malicious peer or the redirected-to service becomes compromised.\r\n\r\n# Workaround\r\n\r\nThis vulnerability can be mitigated by disabling redirects for services that are not expected to respond with redirects, or disabling automatic redirects and manually handling 303 redirects by stripping the HTTP request body.\n# Remediation\nUpgrade `urllib3` to version 1.26.18, 2.0.7 or higher.\n# References\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3)\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/1.26.18)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/2.0.7)\n"},"properties":{"cvssv3_baseScore":4.2,"security-severity":"4.2","tags":["security","CWE-201","pip"]}} + Message: This file introduces a vulnerable urllib3 package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-URLLIB3-7267250WThis file introduces a vulnerable urllib3 package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-URLLIB3-7267250","shortDescription":{"text":"Medium severity - Improper Removal of Sensitive Information Before Storage or Transfer vulnerability in urllib3"},"fullDescription":{"text":"(CVE-2024-37891) urllib3@1.26.9"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: urllib3\n* Introduced through: pygoat@0.0.0 and urllib3@1.26.9\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › urllib3@1.26.9\n# Overview\n[urllib3](https://pypi.org/project/urllib3/) is a HTTP library with thread-safe connection pooling, file post, and more.\n\nAffected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the improper handling of the `Proxy-Authorization` header during cross-origin redirects when `ProxyManager` is not in use. When the conditions below are met, including non-recommended configurations, the contents of this header can be sent in an automatic HTTP redirect.\r\n\r\n**Notes:**\r\n\r\nTo be vulnerable, the application must be doing all of the following:\r\n\r\n1) Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\r\n\r\n2) Not disabling HTTP redirects (e.g. with `redirects=False`)\r\n\r\n3) Either not using an HTTPS origin server, or having a proxy or target origin that redirects to a malicious origin.\r\n\r\n# Workarounds\r\n\r\n1) Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\r\n\r\n2) Disabling HTTP redirects using `redirects=False` when sending requests.\r\n\r\n3) Not using the `Proxy-Authorization` header.\n# Remediation\nUpgrade `urllib3` to version 1.26.19, 2.2.2 or higher.\n# References\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468)\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e)\n"},"properties":{"cvssv3_baseScore":6,"security-severity":"6","tags":["security","CWE-212","pip"]}} + Message: This file introduces a vulnerable urllib3 package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-WERKZEUG-3319935UThis file introduces a vulnerable werkzeug package with a low severity vulnerability. : +MatchedRule: {"id":"SNYK-PYTHON-WERKZEUG-3319935","shortDescription":{"text":"Low severity - Access Restriction Bypass vulnerability in werkzeug"},"fullDescription":{"text":"(CVE-2023-23934) werkzeug@2.1.2"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n# Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n"},"properties":{"cvssv3_baseScore":2.6,"security-severity":"2.6","tags":["security","CWE-284","pip"]}} + Message: This file introduces a vulnerable werkzeug package with a low severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-WERKZEUG-3319936VThis file introduces a vulnerable werkzeug package with a high severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-WERKZEUG-3319936","shortDescription":{"text":"High severity - Denial of Service (DoS) vulnerability in werkzeug"},"fullDescription":{"text":"(CVE-2023-25577) werkzeug@2.1.2"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-770","pip"]}} + Message: This file introduces a vulnerable werkzeug package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-WERKZEUG-6035177XThis file introduces a vulnerable werkzeug package with a medium severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-WERKZEUG-6035177","shortDescription":{"text":"Medium severity - Inefficient Algorithmic Complexity vulnerability in werkzeug"},"fullDescription":{"text":"(CVE-2023-46136) werkzeug@2.1.2"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n# Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n"},"properties":{"cvssv3_baseScore":6.5,"security-severity":"6.5","tags":["security","CWE-407","pip"]}} + Message: This file introduces a vulnerable werkzeug package with a medium severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-WERKZEUG-6808933VThis file introduces a vulnerable werkzeug package with a high severity vulnerability. : MatchedRule: {"id":"SNYK-PYTHON-WERKZEUG-6808933","shortDescription":{"text":"High severity - Remote Code Execution (RCE) vulnerability in werkzeug"},"fullDescription":{"text":"(CVE-2024-34069) werkzeug@2.1.2"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient hostname checks and the use of relative paths to resolve requests. When the debugger is enabled, an attacker can convince a user to enter their own PIN to interact with a domain and subdomain they control, and thereby cause malicious code to be executed.\r\n\r\nThe demonstrated attack vector requires a number of conditions that render this attack very difficult to achieve, especially if the victim application is running in the recommended configuration of not having the debugger enabled in production.\n# Remediation\nUpgrade `werkzeug` to version 3.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/71b69dfb7df3d912e66bab87fbb1f21f83504967)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/3.0.3)\n"},"properties":{"cvssv3_baseScore":7.5,"security-severity":"7.5","tags":["security","CWE-94","pip"]}} + Message: This file introduces a vulnerable werkzeug package with a high severity vulnerability.Bunknown +requirements.txt:1-1SNYK-PYTHON-ZIPP-7430899TThis file introduces a vulnerable zipp package with a medium severity vulnerability. :MatchedRule: {"id":"SNYK-PYTHON-ZIPP-7430899","shortDescription":{"text":"Medium severity - Infinite loop vulnerability in zipp"},"fullDescription":{"text":"(CVE-2024-5569) zipp@3.8.0"},"help":{"text":"","markdown":"* Package Manager: pip\n* Vulnerable module: zipp\n* Introduced through: pygoat@0.0.0 and zipp@3.8.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › zipp@3.8.0\n# Overview\n\nAffected versions of this package are vulnerable to Infinite loop where an attacker can cause the application to stop responding by initiating a loop through functions affecting the `Path` module, such as `joinpath`, the overloaded division operator, and `iterdir`.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `zipp` to version 3.19.1 or higher.\n# References\n- [GitHub Commit](https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd)\n- [GitHub Issue](https://github.com/jaraco/zipp/issues/119)\n- [GitHub PR](https://github.com/jaraco/zipp/pull/120)\n"},"properties":{"cvssv3_baseScore":6.9,"security-severity":"6.9","tags":["security","CWE-835","pip"]}} + Message: This file introduces a vulnerable zipp package with a medium severity vulnerability.Bunknown \ No newline at end of file diff --git a/components/producers/snyk-python/exampleData/snyk.out b/components/producers/snyk-python/exampleData/snyk.out new file mode 100644 index 000000000..7456bd03f --- /dev/null +++ b/components/producers/snyk-python/exampleData/snyk.out @@ -0,0 +1,2829 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "semanticVersion": "1.1293.1", + "version": "1.1293.1", + "informationUri": "https://docs.snyk.io/", + "properties": { + "artifactsScanned": 33 + }, + "rules": [ + { + "id": "SNYK-PYTHON-CERTIFI-5805047", + "shortDescription": { + "text": "Critical severity - Improper Following of a Certificate's Chain of Trust vulnerability in certifi" + }, + "fullDescription": { + "text": "(CVE-2023-37920) certifi@2022.12.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: certifi\n* Introduced through: pygoat@0.0.0 and certifi@2022.12.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › certifi@2022.12.7\n# Overview\n\nAffected versions of this package are vulnerable to Improper Following of a Certificate's Chain of Trust. E-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found [here](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A).\r\n\r\n**Note:**\r\n\r\nThis issue is not an inherent vulnerability in the package, but a security measure against potential harmful effects of trusting the now-revoked root certificates.\n# Remediation\nUpgrade `certifi` to version 2023.7.22 or higher.\n# References\n- [GitHub Commit](https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909)\n- [Google Groups Forum](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-296", + "pip" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-PYTHON-CERTIFI-7430173", + "shortDescription": { + "text": "Medium severity - Insufficient Verification of Data Authenticity vulnerability in certifi" + }, + "fullDescription": { + "text": "(CVE-2024-39689) certifi@2022.12.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: certifi\n* Introduced through: pygoat@0.0.0 and certifi@2022.12.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › certifi@2022.12.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › certifi@2022.12.7\n# Overview\n\nAffected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to the presence of the root certificate for GLOBALTRUST in the root store. The root certificates are being removed pursuant to an investigation into non-compliance.\n# Remediation\nUpgrade `certifi` to version 2024.7.4 or higher.\n# References\n- [GitHub Commit](https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463)\n- [Mozilla Root Discussion](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-345", + "pip" + ], + "cvssv3_baseScore": 6.1, + "security-severity": "6.1" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-5663682", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-2650) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers.\r\nApplications that use `OBJ_obj2txt()` directly, or use any of the OpenSSL subsystems OCSP, `PKCS7/SMIME`, `CMS`, `CMP/CRMF` or `TS` with no message size limit may experience notable to very long delays when processing those messages, which may lead to a exploitation of this vulnerability.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db779b0e10b047f2585615e0b8f2acdf21f8544a)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2207947)\n- [Security Advisory](https://www.openssl.org/news/secadv/20230530.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-5777683", + "shortDescription": { + "text": "High severity - Improper Certificate Validation vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-38325) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Improper Certificate Validation in the SSH certificate decoding process. An attacker can cause the application to accept unauthorized SSH certificates generated by `ssh-keygen`, or cause certificates generated by `SSHCertificateBuilder ` to fail when read by `ssh-keygen`. \r\n\r\n**Note:**\r\nThis is only exploitable if the attacker controls the SSH certificate generation process or can introduce crafted SSH certificates into the system.\n# Remediation\nUpgrade `cryptography` to version 41.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/e190ef190525999d1f599cf8c3aef5cb7f3a8bc4)\n- [GitHub Diff](https://github.com/pyca/cryptography/compare/41.0.1...41.0.2)\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9207)\n- [GitHub PR](https://github.com/pyca/cryptography/pull/9208)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-295", + "pip" + ], + "cvssv3_baseScore": 7.4, + "security-severity": "7.4" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-5813745", + "shortDescription": { + "text": "Low severity - Insufficient Verification of Data Authenticity vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-2975) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the AES-SIV cipher implementation in `ciphers/cipher_aes_siv.c`, which ignores empty associated data entries, making them unauthenticated. \r\n\r\nApplications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. \r\n\r\n**NOTE:** This issue does not affect non-empty associated data authentication and the maintainers are currently unaware of any applications that use empty associated data entries.\n# Remediation\nUpgrade `cryptography` to version 41.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2223016)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20230714.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-345", + "pip" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-5813746", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-3446) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `DH_check()`, `DH_check_ex()` and `EVP_PKEY_param_check()` functions, which are used to check a DH key or DH parameters.\r\n\r\nWhen the key or parameters that are being checked contain an excessively large modulus value (the `p` parameter) this may cause slowness in processing. Some checks use the supplied modulus value even if it has already been found to be too large. \r\n\r\nThe OpenSSL `dhparam` and `pkeyparam` command line applications are also vulnerable, when using the `-check` option. \r\n\r\n**NOTE:** The OpenSSL SSL/TLS implementation is not affected by this issue.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/8780a896543a654e757db1b9396383f9d8095528)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/fc9867c1e03c22ebf56943be205202e576aabf23)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2224962)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20230719.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-5813750", + "shortDescription": { + "text": "Low severity - Denial of Service (DoS) vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-3817) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_check()`, `DH_check_ex()`, or `EVP_PKEY_param_check()` functions are used to check a DH key or DH parameters. An attacker can cause long delays and potentially a Denial of Service (DoS) by providing excessively long DH keys or parameters from an untrusted source. This is only exploitable if the application calls these functions and supplies a key or parameters obtained from an untrusted source.\r\n\r\n**Note:**\r\nThe OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/1c16253f3c3a8d1e25918c3f404aae6a5b0893de)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/91ddeba0f2269b017dc06c46c993a788974b1aa5)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d)\n- [Security Advisory](https://www.openssl.org/news/secadv/20230731.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-5914629", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-4807) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). The POLY1305 MAC (message authentication code) implementation might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting AVX512-IFMA instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used in an application, the application state might be corrupted with various application dependent consequences, the most likely of which being denial of service. The maintainers are currently not aware of any concrete application that would be affected by this issue.\r\n\r\n\r\n**NOTES:**\r\n\r\nThis vulnerability is only exploitable on Windows.\r\n\r\nThe FIPS provider is not affected by this issue.\r\n\r\n# Workaround \r\n\r\nDisable `AVX512-IFMA` instructions by setting the environment variable `OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000`\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 41.0.4 or higher.\n# References\n- [Github Commit](https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/4bfac4471f53c4f74c8d81020beb938f92d84ca5)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/6754de4a121ec7f261b16723180df6592cbb4508)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a632d534c73eeb3e3db8c7540d811194ef7c79ff)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2238009)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20230908.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6036192", + "shortDescription": { + "text": "Medium severity - Missing Cryptographic Step vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-5363) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Missing Cryptographic Step when the `EVP_EncryptInit_ex2()`, `EVP_DecryptInit_ex2()` or `EVP_CipherInit_ex2()` functions are used. An attacker can cause truncation or overreading of key and initialization vector (IV) lengths by altering the \"keylen\" or \"ivlen\" parameters within the `OSSL_PARAM` array after the key and IV have been established. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers, such as RC2, RC4, RC5, CCM, GCM, and OCB. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. \r\n\r\nBoth truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception.\n# Remediation\nUpgrade `cryptography` to version 41.0.5 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0df40630850fb2740e6be6890bb905d3fc623b2d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5f69f5c65e483928c4b28ed16af6e5742929f1ee)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231024.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-325", + "pip" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-5678) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when the `DH_generate_key()`, `DH_check_pub_key()`, `DH_check_pub_key_ex()`, `EVP_PKEY_public_check()`, and `EVP_PKEY_generate()` functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. Also, the OpenSSL `pkey` command line application, when using the `-pubcheck` option, as well as the OpenSSL `genpkey` command line application, are vulnerable to this issue.\n# Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/db925ae2e65d0d925adef429afc37f75bd1c2017)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/ec061bf8ff2add8050599058557178c03295bcc0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/01d55b2af8ae167315288c03b192c59c86425009)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2248616)\n- [Security Advisory](https://www.openssl.org/news/secadv/20231106.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6092044", + "shortDescription": { + "text": "Medium severity - NULL Pointer Dereference vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-49083) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when loading PKCS7 certificates. An attacker can cause a Denial of Service (DoS) by attempting to deserialize a PKCS7 blob/certificate. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` functions are called.\n# PoC\n```python\r\nfrom cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates\r\n\r\npem_p7 = b\"\"\"\r\n-----BEGIN PKCS7-----\r\nMAsGCSqGSIb3DQEHAg==\r\n-----END PKCS7-----\r\n\"\"\"\r\n\r\nder_p7 = b\"\\x30\\x0B\\x06\\x09\\x2A\\x86\\x48\\x86\\xF7\\x0D\\x01\\x07\\x02\"\r\n\r\nload_pem_pkcs7_certificates(pem_p7)\r\nload_der_pkcs7_certificates(der_p7)\r\n```\n# Remediation\nUpgrade `cryptography` to version 41.0.6 or higher.\n# References\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "shortDescription": { + "text": "High severity - Observable Timing Discrepancy vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-50782) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Observable Timing Discrepancy. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data (Marvin).\r\n\r\n**Note:**\r\n\r\n\r\nThis vulnerability exists due to an incomplete fix for [CVE-2020-25659](https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-1022152).\n# Remediation\nUpgrade `cryptography` to version 42.0.0 or higher.\n# References\n- [GitHub Issue](https://github.com/pyca/cryptography/issues/9785#issuecomment-1856209406)\n- [Vulnerability Report](https://people.redhat.com/~hkario/marvin/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-203", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "shortDescription": { + "text": "Medium severity - Use of a Broken or Risky Cryptographic Algorithm vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-6129) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the `POLY1305` MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the `POLY1305` MAC algorithm.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.\n# Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240109.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2257571)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-328", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "shortDescription": { + "text": "Medium severity - Resource Exhaustion vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2023-6237) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Resource Exhaustion via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "shortDescription": { + "text": "Medium severity - NULL Pointer Dereference vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2024-0727) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional `ContentInfo` fields, which can be set to null. An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.\n# Remediation\nUpgrade `cryptography` to version 42.0.2 or higher.\n# References\n- [GitHub Commit](https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d)\n- [GitHub PR](https://github.com/openssl/openssl/pull/23362)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240125.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "pip" + ], + "cvssv3_baseScore": 5.5, + "security-severity": "5.5" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6261585", + "shortDescription": { + "text": "Medium severity - NULL Pointer Dereference vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2024-26130) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference in the `pkcs12.serialize_key_and_certificates` function. An attacker can crash the Python process. \r\n\r\n**Note:**\r\nThis is only exploitable if the vulnerable function is called with both:\r\n\r\n1) A certificate whose public key does not match the provided private key.\r\n\r\n2) An encryption_algorithm with hmac_hash set via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`.\n# Remediation\nUpgrade `cryptography` to version 42.0.4 or higher.\n# References\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55)\n- [GitHub PR](https://github.com/pyca/cryptography/pull/10423)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6592767", + "shortDescription": { + "text": "Low severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2024-2511) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the session cache entering an incorrect state and failing to flush properly as it fills, leading to uncontrolled memory consumption. This condition is triggered under certain server configurations when processing TLSv1.3 sessions. Specifically, this occurs if the non-default `SSL_OP_NO_TICKET` option is enabled, but not if early_data support is configured along with the default anti-replay protection. A malicious client could deliberately create this scenario to force a service disruption. It may also occur accidentally in normal operation.\r\n\r\n**Note:**\r\n\r\nThis issue is only exploitable if the server supports TLSv1.3 and is configured with the `SSL_OP_NO_TICKET` option enabled.\n# Remediation\nUpgrade `cryptography` to version 42.0.6 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/21df7f04f6c4a560b4de56d10e1e58958c7e566d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/4a3e8f08306c64366318e26162ae0a0eb7b1a006)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/7984fa683e9dfac0cad50ef2a9d5a13330222044)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/42192fab0a96b484089021148ed1eaa12053f7ed)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274020)\n- [Vulnerability Advisory](https://www.openssl.org/news/secadv/20240408.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-6913422", + "shortDescription": { + "text": "Low severity - Uncontrolled Resource Consumption vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2024-4603) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption due to improper user input validation in the `EVP_PKEY_param_check` or `EVP_PKEY_public_check` functions. An attacker can cause a denial of service by supplying excessively long DSA keys or parameters obtained from an untrusted source.\r\n\r\n**Note:**\r\n\r\nOpenSSL does not call these functions on untrusted DSA keys, so only applications that directly call these functions may be vulnerable.\r\n\r\nAlso vulnerable are the OpenSSL `pkey` and `pkeyparam` command line applications when using the \"-check\" option.\n# Remediation\nUpgrade `cryptography` to version 42.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/85ccbab216da245cf9a6503dd327072f21950d9b)\n- [GitHub Commit 3.0](https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397)\n- [GitHub Commit 3.1](https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d)\n- [GitHub Commit 3.2](https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740)\n- [GitHub Commit 3.3](https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e)\n- [GitHub Commit cryptography](https://github.com/pyca/cryptography/commit/38852224f455af1915a628542b930ad11d2a884c)\n- [GitHub PR](https://github.com/openssl/openssl/pull/24346)\n- [OpenSSL advisory](https://www.openssl.org/news/secadv/20240516.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-PYTHON-CRYPTOGRAPHY-7886970", + "shortDescription": { + "text": "High severity - Type Confusion vulnerability in cryptography" + }, + "fullDescription": { + "text": "(CVE-2024-6119) cryptography@39.0.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: cryptography\n* Introduced through: pygoat@0.0.0 and cryptography@39.0.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › cryptography@39.0.1\n# Overview\n\nAffected versions of this package are vulnerable to Type Confusion in the `do_x509_check()` function in `x509/v3_utl.c`, which is responsible for certificate name checks. An application that specifies an expected DNS name, Email address or IP address that performs a name check on an `otherName` subject alternative name of an X.509 certificate can be made to crash when it attempts to read an invalid memory address.\n\n**Note:** Users that are building cryptography source (\"sdist\") are responsible for upgrading their copy of OpenSSL.\n\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `cryptography` to version 43.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/6687bab97aef31d6ee6cc94ecc87a972137b5d4a)\n- [openssl News](https://openssl-library.org/news/secadv/20240903.txt)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-843", + "pip" + ], + "cvssv3_baseScore": 8.2, + "security-severity": "8.2" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-5496950", + "shortDescription": { + "text": "Medium severity - Arbitrary File Upload vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2023-31047) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary File Upload by bypassing of validation of all but the last file when uploading multiple files using a single `forms.FileField` or `forms.ImageField`.\n# Remediation\nUpgrade `django` to version 3.2.19, 4.1.9, 4.2.1 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2023/may/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd)\n- [GitHub Commit](https://github.com/django/django/commit/e7c3a2ccc3a562328600be05068ed9149e12ce64)\n- [GitHub Commit](https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965)\n- [GitHub Commit](https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2192565)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-434", + "pip" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-5750790", + "shortDescription": { + "text": "High severity - Regular Expression Denial of Service (ReDoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2023-36053) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `EmailValidator` and `URLValidator` classes, when processing a very large number of domain name labels on emails or URLs.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `django` to version 3.2.20, 4.1.10, 4.2.3 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2023/jul/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582)\n- [GitHub Commit](https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd)\n- [GitHub Commit](https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9)\n- [GitHub Commit](https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1333", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-5880505", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2023-41164) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `django.utils.encoding.uri_to_iri()` function when processing inputs with a large number of Unicode characters.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 3.2.21, 4.1.11, 4.2.5 or higher.\n# References\n- [Django Release Notes](https://docs.djangoproject.com/en/dev/releases/3.2.21/)\n- [Django Release Notes](https://docs.djangoproject.com/en/dev/releases/4.1.11/)\n- [Django Release Notes](https://docs.djangoproject.com/en/dev/releases/4.2.5/)\n- [GitHub Commit](https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e)\n- [GitHub Commit](https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9)\n- [GitHub Commit](https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-5932095", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2023-43665) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `chars()` and `words()` methods in the `django.utils.text.Truncator` function. An attacker can cause a denial of service by exploiting the inefficient regular expression complexity, which exhibits linear backtracking complexity and can be slow, given certain long and potentially malformed HTML inputs.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `django` to version 3.2.22, 4.1.12, 4.2.6 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2023/oct/04/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/3db945a6b337443a2792a70b3971b2c2a3d40b1c)\n- [GitHub Commit](https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473)\n- [GitHub Commit](https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8)\n- [GitHub Commit](https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2241046)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1333", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-6041515", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2023-46695) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via the `NFKC normalization` function in `django.contrib.auth.forms.UsernameField`. A potential attack can be executed via certain inputs with a very large number of Unicode characters.\r\n\r\n**Note:** This vulnerability is only exploitable on Windows systems.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 3.2.23, 4.1.13, 4.2.7 or higher.\n# References\n- [GitHub Commit](https://github.com/django/django/commit/05ba4130ee878c4f520b5d34bb11eaad794623be)\n- [Vulnerability Advisory](https://www.djangoproject.com/weblog/2023/nov/01/security-releases/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-6370660", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-27351) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in `django.utils.text.Truncator.words()`, whose performance can be degraded when processing a malicious input involving repeated `<` characters. \r\n\r\n**Note:**\r\n\r\nThe function is only vulnerable when `html=True` is set and the `truncatewords_html` template filter is in use.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `django` to version 3.2.25, 4.2.11, 5.0.3 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/mar/04/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521)\n- [GitHub Commit](https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e)\n- [GitHub Commit](https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1333", + "pip" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7435780", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-39614) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in `django.utils.translation.get_supported_language_variant()` function due to improper user input validation. An attacker can exploit this vulnerability by using very long strings containing specific characters. Exploiting this vulnerability could lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/9e9792228a6bb5d6402a5d645bc3be4cf364aefb)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7436273", + "shortDescription": { + "text": "Medium severity - Timing Attack vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-39329) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Timing Attack via the `django.contrib.auth.backends.ModelBackend.authenticate()` method. This allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [Follow-up GitHub Commit](https://github.com/django/django/commit/e1606d27b4fed653c80817f3a13cf8bc6f3163f0)\n- [GitHub Commit](https://github.com/django/django/commit/07cefdee4a9d1fcd9a3a631cbd07c78defd1923b)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-208", + "pip" + ], + "cvssv3_baseScore": 6.3, + "security-severity": "6.3" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7436514", + "shortDescription": { + "text": "Medium severity - Directory Traversal vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-39330) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Directory Traversal via the derived classes of the `django.core.files.storage.Storage` base class which override `generate_filename()` without replicating the file path validations existing in the parent class. This allows potential access to out of scope data via certain inputs when calling `save()` method.\r\n\r\n**Note:**\r\nBuilt-in Storage sub-classes were not affected by this vulnerability.\n\n# Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7436646", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-38875) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via the in `django.utils.html.urlize()` and `django.utils.html.urlizetrunc()` functions. If certain inputs with a very large number of brackets are provided, this could lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.14, 5.0.7 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/jul/09/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/d6664574539c1531612dea833d264ed5c2b04e1e)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7642790", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-41990) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via very large inputs with a specific sequence of characters in the `urlize()` and `urlizetrunc()` template filters.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/aug/06/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/0c1a8909164d8f2846322efb1143b72ad1616bd8)\n- [GitHub Commit](https://github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93)\n- [GitHub Commit](https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/4.2.15.txt#L19)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/5.0.8.txt#L19)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7642791", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-41991) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via certain inputs with a very large number of Unicode characters in the `urlize` and `urlizetrunc` template filters, and the `AdminURLFieldWidget` widget.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/aug/06/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927)\n- [GitHub Commit](https://github.com/django/django/commit/bd807c0c25ab69361a4c08edcc1cf04d4652aa0a)\n- [GitHub Commit](https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/4.2.15.txt#L26)\n- [GitHub Release](https://github.com/django/django/blob/fdc638bf4a35b5497d0b3b4faedaf552da792f99/docs/releases/5.0.8.txt#L26)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7642813", + "shortDescription": { + "text": "Medium severity - Uncontrolled Resource Consumption vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-41989) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption via the `floatformat()` template filter, when given a string representation of a number in scientific notation with a large exponent.\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/django/django/commit/1a5aca65174c2cdd6ab7f10087f9486987b8bbaf)\n- [GitHub Commit](https://github.com/django/django/commit/d787e44e1e8e8c578ef1feb630164ef009e775d1)\n- [GitHub Commit](https://github.com/django/django/commit/e0579ce27746b04a37cf43559df445068fd2a781)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7642814", + "shortDescription": { + "text": "Medium severity - SQL Injection vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-42005) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to SQL Injection via the `QuerySet.values()` and `values_list()` methods on models with a `JSONField`.\nAn attacker can exploit this vulnerability through column aliases by using a maliciously crafted JSON object object key as a passed `*arg`.\n# Remediation\nUpgrade `django` to version 4.2.15, 5.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/django/django/commit/1a5aca65174c2cdd6ab7f10087f9486987b8bbaf)\n- [GitHub Commit](https://github.com/django/django/commit/d787e44e1e8e8c578ef1feb630164ef009e775d1)\n- [GitHub Commit](https://github.com/django/django/commit/e0579ce27746b04a37cf43559df445068fd2a781)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-89", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7886958", + "shortDescription": { + "text": "Medium severity - Improper Check for Unusual or Exceptional Conditions vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-45231) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to unhandled email sending failures in the `django.contrib.auth.forms.PasswordResetForm` class. This allows attackers to enumerate user email addresses by brute forcing password reset requests and observing the outcomes.\n# Remediation\nUpgrade `django` to version 4.2.16, 5.0.9, 5.1.1 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/sep/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca)\n- [GitHub Commit](https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2)\n- [GitHub Commit](https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-754", + "pip" + ], + "cvssv3_baseScore": 6.3, + "security-severity": "6.3" + } + }, + { + "id": "SNYK-PYTHON-DJANGO-7886959", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in django" + }, + "fullDescription": { + "text": "(CVE-2024-45230) django@4.1.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django\n* Introduced through: pygoat@0.0.0 and django@4.1.7\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django-crispy-forms@2.0 › django@4.1.7\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to not accounting for very large inputs involving intermediate `;`s, in the `django.utils.html.urlize()` and `django.utils.html.urlizetrunc()` template filter functions.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `django` to version 4.2.16, 5.0.9, 5.1.1 or higher.\n# References\n- [Django Security Release](https://www.djangoproject.com/weblog/2024/sep/03/security-releases/)\n- [GitHub Commit](https://github.com/django/django/commit/022ab0a75c76ab2ea31dfcc5f2cf5501e378d397)\n- [GitHub Commit](https://github.com/django/django/commit/813de2672bd7361e9a453ab62cd6e52f96b6525b)\n- [GitHub Commit](https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-770", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + }, + { + "id": "SNYK-PYTHON-DJANGOALLAUTH-5406296", + "shortDescription": { + "text": "High severity - Timing Attack vulnerability in django-allauth" + }, + "fullDescription": { + "text": "django-allauth@0.52.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django-allauth\n* Introduced through: pygoat@0.0.0 and django-allauth@0.52.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0\n# Overview\n[django-allauth](http://github.com/pennersr/django-allauth) is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.\n\nAffected versions of this package are vulnerable to Timing Attack which allows an attacker to infer whether or not a given account exists based on the response time of an authentication attempt. This occurs even when account enumeration prevention is turned on.\n# Remediation\nUpgrade `django-allauth` to version 0.54.0 or higher.\n# References\n- [GitHub Commit](https://github.com/pennersr/django-allauth/commit/6acb0dccf9a1f860781ae06bdede8fb862618148)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-208", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-DJANGOALLAUTH-7413652", + "shortDescription": { + "text": "Medium severity - Cross-site Request Forgery (CSRF) vulnerability in django-allauth" + }, + "fullDescription": { + "text": "django-allauth@0.52.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django-allauth\n* Introduced through: pygoat@0.0.0 and django-allauth@0.52.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0\n# Overview\n[django-allauth](http://github.com/pennersr/django-allauth) is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.\n\nAffected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the SAML login flow. `RelayState` was used to keep track of whether or not the login flow was IdP or SP initiated. As `RelayState` is a separate field, not part of the `SAMLResponse` payload, it was not signed, allowing the existence of this vulnerability.\n# Remediation\nUpgrade `django-allauth` to version 0.63.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pennersr/django-allauth/commit/1f631a1bcd5062518a7ba437457242eadfd521ab)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-352", + "pip" + ], + "cvssv3_baseScore": 5.1, + "security-severity": "5.1" + } + }, + { + "id": "SNYK-PYTHON-DJANGOALLAUTH-7577207", + "shortDescription": { + "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in django-allauth" + }, + "fullDescription": { + "text": "django-allauth@0.52.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: django-allauth\n* Introduced through: pygoat@0.0.0 and django-allauth@0.52.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0\n# Overview\n[django-allauth](http://github.com/pennersr/django-allauth) is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization, allowing an attacker to exploit this vulnerability when configuring the Facebook provider to use the `js_sdk` method, potentially compromising user sessions or stealing sensitive information.\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `django-allauth` to version 0.63.6 or higher.\n# References\n- [GitHub Commit](https://github.com/pennersr/django-allauth/commit/8fead343c1d3e75cc842e0ee1e21a39c6d145155)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-79", + "pip" + ], + "cvssv3_baseScore": 5.1, + "security-severity": "5.1" + } + }, + { + "id": "SNYK-PYTHON-IDNA-6597975", + "shortDescription": { + "text": "Medium severity - Resource Exhaustion vulnerability in idna" + }, + "fullDescription": { + "text": "(CVE-2024-3651) idna@3.4" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: idna\n* Introduced through: pygoat@0.0.0 and idna@3.4\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › idna@3.4\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › idna@3.4\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › idna@3.4\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › idna@3.4\n# Overview\n\nAffected versions of this package are vulnerable to Resource Exhaustion via the `idna.encode` function. An attacker can consume significant resources and potentially cause a denial-of-service by supplying specially crafted arguments to this function. \r\n\r\n**Note:**\r\nThis is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n# Remediation\nUpgrade `idna` to version 3.7 or higher.\n# References\n- [GitHub Commit](https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 6.2, + "security-severity": "6.2" + } + }, + { + "id": "SNYK-PYTHON-PILLOW-5918878", + "shortDescription": { + "text": "Critical severity - Heap-based Buffer Overflow vulnerability in pillow" + }, + "fullDescription": { + "text": "(CVE-2023-4863) pillow@9.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n[Pillow](https://python-pillow.org/) is a PIL (Python Imaging Library) fork.\n\nAffected versions of this package are vulnerable to Heap-based Buffer Overflow when the `ReadHuffmanCodes()` function is used. An attacker can craft a special `WebP` lossless file that triggers the `ReadHuffmanCodes()` function to allocate the HuffmanCode buffer with a size that comes from an array of precomputed sizes: `kTableSize`. The `color_cache_bits` value defines which size to use. The `kTableSize` array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (`MAX_ALLOWED_CODE_LENGTH`). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.\r\n\r\n**Notes:**\r\n\r\nThis is only exploitable if the `color_cache_bits` value defines which size to use.\r\n\r\nThis vulnerability was also published on libwebp [CVE-2023-5129](https://security.snyk.io/vuln/SNYK-UNMANAGED-WEBMPROJECTLIBWEBP-5918283)\r\n\r\n**Changelog:**\r\n\r\n2023-09-12: Initial advisory publication\r\n\r\n2023-09-27: Advisory details updated, including CVSS, references\r\n\r\n2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863\r\n\r\n2023-09-28: Research and addition of additional affected libraries\r\n\r\n2024-01-28: Additional fix information\n# Remediation\nUpgrade `Pillow` to version 10.0.1 or higher.\n# References\n- [Chrome Releases](https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html)\n- [Github Commit](https://github.com/cefsharp/CefSharp/commit/f2890ba66170afb0bf742839febe4d20449f758c)\n- [GitHub PR](https://github.com/electron/electron/pull/39823)\n- [GitHub PR](https://github.com/electron/electron/pull/39824)\n- [GitHub PR](https://github.com/electron/electron/pull/39825)\n- [GitHub PR](https://github.com/electron/electron/pull/39826)\n- [GitHub PR](https://github.com/electron/electron/pull/39827)\n- [Imagemagick Commit](https://github.com/dlemstra/Magick.NET/commit/d8673e7690007d8c73a37f3a5c8104fa9321a8da)\n- [Mozilla Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/)\n- [PoC](https://blog.isosceles.com/the-webp-0day/)\n- [Security Advisory](https://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76)\n- [Security Advisory](https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a)\n- [Snyk Blog](https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-122", + "pip" + ], + "cvssv3_baseScore": 9.6, + "security-severity": "9.6" + } + }, + { + "id": "SNYK-PYTHON-PILLOW-6043904", + "shortDescription": { + "text": "High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in pillow" + }, + "fullDescription": { + "text": "(CVE-2023-44271) pillow@9.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when the `ImageFont` truetype in an `ImageDraw` instance operates on a long text argument. An attacker can cause the service to crash by processing a task that uncontrollably allocates memory.\n# Remediation\nUpgrade `pillow` to version 10.0.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7)\n- [GitHub PR](https://github.com/python-pillow/Pillow/pull/7244)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-PILLOW-6182918", + "shortDescription": { + "text": "High severity - Eval Injection vulnerability in pillow" + }, + "fullDescription": { + "text": "(CVE-2023-50447) pillow@9.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Eval Injection via the `PIL.ImageMath.eval` function when an attacker has control over the keys passed to the `environment` argument.\n# PoC\n```python\nfrom PIL import Image, ImageMath\n\nimage1 = Image.open('__class__')\nimage2 = Image.open('__bases__')\nimage3 = Image.open('__subclasses__')\nimage4 = Image.open('load_module')\nimage5 = Image.open('system')\n\nexpression = \"().__class__.__bases__[0].__subclasses__()[104].load_module('os').system('whoami')\"\n\nenvironment = {\n image1.filename: image1,\n image2.filename: image2,\n image3.filename: image3,\n image4.filename: image4,\n image5.filename: image5\n}\n\nImageMath.eval(expression, **environment)\n```\n# Remediation\nUpgrade `pillow` to version 10.2.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d)\n- [GitHub Release](https://github.com/python-pillow/Pillow/releases/tag/10.2.0)\n- [Security Advisory](https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-95", + "pip" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-PYTHON-PILLOW-6219984", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in pillow" + }, + "fullDescription": { + "text": "pillow@9.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when using arbitrary strings as text input and the number of characters passed into `PIL.ImageFont.ImageFont.getmask()` is over a certain limit. This can lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `pillow` to version 10.2.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/2ec53e36e9135fda4e2eb6bbd5343a7facae71da)\n- [Pillow Release Notes](https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-PILLOW-6219986", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in pillow" + }, + "fullDescription": { + "text": "pillow@9.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if the size of individual glyphs extends beyond the bitmap image, when using `PIL.ImageFont.ImageFont` function. Exploiting this vulnerability could lead to a system crash.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `pillow` to version 10.2.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/10c2df5430f3c111f25508152eb1f2ea8741c686)\n- [Pillow Release Notes](https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-PILLOW-6514866", + "shortDescription": { + "text": "High severity - Buffer Overflow vulnerability in pillow" + }, + "fullDescription": { + "text": "(CVE-2024-28219) pillow@9.4.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pillow\n* Introduced through: pygoat@0.0.0 and pillow@9.4.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pillow@9.4.0\n# Overview\n\nAffected versions of this package are vulnerable to Buffer Overflow via the `strcpy` function in `_imagingcms.c`, due to two calls that were able to copy too much data into fixed length strings.\n# Remediation\nUpgrade `pillow` to version 10.3.0 or higher.\n# References\n- [GitHub Commit](https://github.com/python-pillow/Pillow/commit/2776126aa9af322b416eaca247f4f8ebefd08128)\n- [GitHub PR](https://github.com/python-pillow/Pillow/pull/7928)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-120", + "pip" + ], + "cvssv3_baseScore": 7.3, + "security-severity": "7.3" + } + }, + { + "id": "SNYK-PYTHON-PYYAML-550022", + "shortDescription": { + "text": "Critical severity - Improper Access Control vulnerability in pyyaml" + }, + "fullDescription": { + "text": "(CVE-2019-20477) pyyaml@5.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pyyaml\n* Introduced through: pygoat@0.0.0 and pyyaml@5.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pyyaml@5.1\n# Overview\n\nAffected versions of this package are vulnerable to Improper Access Control. It has insufficient restrictions on the `load` and `load_all` functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module.\n# Remediation\nUpgrade `PyYAML` to version 5.2 or higher.\n# References\n- [GitHub Changes](https://github.com/yaml/pyyaml/blob/master/CHANGES)\n- [GitHub Issue](https://github.com/yaml/pyyaml/issues/265)\n- [Research Paper](https://www.exploit-db.com/download/47655)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-284", + "pip" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-PYTHON-PYYAML-559098", + "shortDescription": { + "text": "Critical severity - Arbitrary Code Execution vulnerability in pyyaml" + }, + "fullDescription": { + "text": "(CVE-2020-1747) pyyaml@5.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pyyaml\n* Introduced through: pygoat@0.0.0 and pyyaml@5.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pyyaml@5.1\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. It is susceptible to arbitrary code execution when it processes untrusted YAML files through the `full_load` method or with the `FullLoader` loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n# Remediation\nUpgrade `PyYAML` to version 5.3.1 or higher.\n# References\n- [GitHub Commit](https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0)\n- [GitHub PR](https://github.com/yaml/pyyaml/pull/386)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1807367)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "pip" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-PYTHON-PYYAML-590151", + "shortDescription": { + "text": "Critical severity - Arbitrary Code Execution vulnerability in pyyaml" + }, + "fullDescription": { + "text": "(CVE-2020-14343) pyyaml@5.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: pyyaml\n* Introduced through: pygoat@0.0.0 and pyyaml@5.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › pyyaml@5.1\n# Overview\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. It processes untrusted YAML files through the `full_load` method or with the `FullLoader` loader. This is due to an incomplete fix for [CVE-2020-1747](https://security.snyk.io/vuln/SNYK-PYTHON-PYYAML-559098).\n# Remediation\nUpgrade `PyYAML` to version 5.4 or higher.\n# References\n- [Exploit Writeup](https://hackmd.io/@harrier/uiuctf20)\n- [GitHub Commit](https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc)\n- [GitHub Issue](https://github.com/yaml/pyyaml/issues/420)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1860466)\n- [Research Blog Post](https://blog.arxenix.dev/pyyaml-cve/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "pip" + ], + "cvssv3_baseScore": 9.8, + "security-severity": "9.8" + } + }, + { + "id": "SNYK-PYTHON-REQUESTS-5595532", + "shortDescription": { + "text": "Medium severity - Information Exposure vulnerability in requests" + }, + "fullDescription": { + "text": "(CVE-2023-32681) requests@2.28.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: requests\n* Introduced through: pygoat@0.0.0 and requests@2.28.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n# Overview\n\nAffected versions of this package are vulnerable to Information Exposure by leaking `Proxy-Authorization` headers to destination servers during redirects to an HTTPS origin. This is a result of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. \r\n\r\n**NOTE:** This behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`), and only when redirecting to HTTPS:\r\n\r\n1) HTTP → HTTPS: leak\r\n\r\n2) HTTPS → HTTP: no leak\r\n\r\n3) HTTPS → HTTPS: leak\r\n\r\n4) HTTP → HTTP: no leak\r\n\r\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the `CONNECT` request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\r\n\r\n# Workaround\r\n\r\nThis vulnerability can be avoided by setting `allow_redirects` to `False` on all calls through Requests top-level APIs, and then capturing the 3xx response codes to make a new request to the redirect destination.\n# Remediation\nUpgrade `requests` to version 2.31.0 or higher.\n# References\n- [GitHub Commit](https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5)\n- [GitHub Release](https://github.com/psf/requests/releases/tag/v2.31.0)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-200", + "pip" + ], + "cvssv3_baseScore": 6.1, + "security-severity": "6.1" + } + }, + { + "id": "SNYK-PYTHON-REQUESTS-6928867", + "shortDescription": { + "text": "Medium severity - Always-Incorrect Control Flow Implementation vulnerability in requests" + }, + "fullDescription": { + "text": "(CVE-2024-35195) requests@2.28.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: requests\n* Introduced through: pygoat@0.0.0 and requests@2.28.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests-oauthlib@1.3.1 › requests@2.28.2\n# Overview\n\nAffected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests `Session`. An attacker can bypass certificate verification by making the first request with `verify=False`, causing all subsequent requests to ignore certificate verification regardless of changes to the `verify` value.\r\n\r\n**Notes:**\r\n\r\n1) For requests <2.32.0, avoid setting `verify=False` for the first request to a host while using a Requests Session.\r\n\r\n2) For requests <2.32.0, call `close()` on Session objects to clear existing connections if `verify=False` is used.\r\n\r\n3) This vulnerability was initially fixed in version [2.32.0](https://pypi.org/project/requests/2.32.0/), which was yanked. Therefore, the next available fixed version is 2.32.2.\n# Remediation\nUpgrade `requests` to version 2.32.2 or higher.\n# References\n- [GitHub Commit](https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac)\n- [GitHub PR](https://github.com/psf/requests/pull/6655)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-670", + "pip" + ], + "cvssv3_baseScore": 5.6, + "security-severity": "5.6" + } + }, + { + "id": "SNYK-PYTHON-SQLPARSE-1584201", + "shortDescription": { + "text": "High severity - Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse" + }, + "fullDescription": { + "text": "(CVE-2021-32839) sqlparse@0.3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: sqlparse\n* Introduced through: pygoat@0.0.0 and sqlparse@0.3.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7 › sqlparse@0.3.1\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS. The regular expression may cause exponential backtracking on strings containing many repetitions of `\\r\\n` in SQL comments.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `sqlparse` to version 0.4.2 or higher.\n# References\n- [GitHub Commit](https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-SQLPARSE-5426157", + "shortDescription": { + "text": "High severity - Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse" + }, + "fullDescription": { + "text": "(CVE-2023-30608) sqlparse@0.3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: sqlparse\n* Introduced through: pygoat@0.0.0 and sqlparse@0.3.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7 › sqlparse@0.3.1\n# Overview\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to using an inefficient pattern which can cause excessive backtracking, leading to performance degradation.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `sqlparse` to version 0.4.4 or higher.\n# References\n- [GitHub Commit](https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb)\n- [Vulnerable Code](https://github.com/andialbrecht/sqlparse/blob/e75e35869473832a1eb67772b1adfee2db11b85a/sqlparse/lexer.py#L194)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-1333", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-SQLPARSE-6615674", + "shortDescription": { + "text": "High severity - Uncontrolled Recursion vulnerability in sqlparse" + }, + "fullDescription": { + "text": "(CVE-2024-4340) sqlparse@0.3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: sqlparse\n* Introduced through: pygoat@0.0.0 and sqlparse@0.3.1\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-crispy-forms@2.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › crispy-bootstrap4@2022.1 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › django@4.1.7 › sqlparse@0.3.1\n* _Introduced through_: pygoat@0.0.0 › django-heroku@0.3.1 › django@4.1.7 › sqlparse@0.3.1\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion due to the parsing of heavily nested lists. An attacker can cause the application to crash by submitting a specially crafted list that triggers a `RecursionError`.\r\n\r\n**Note:**\r\nThe impact depends on the use, so anyone parsing a user input with `sqlparse.parse()` is affected.\n# PoC\n```py\r\n\r\nimport sqlparse\r\nsqlparse.parse('[' * 10000 + ']' * 10000)\r\n```\n# Remediation\nUpgrade `sqlparse` to version 0.5.0 or higher.\n# References\n- [GitHub Commit](https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-674", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-URLLIB3-5926907", + "shortDescription": { + "text": "Medium severity - Information Exposure Through Sent Data vulnerability in urllib3" + }, + "fullDescription": { + "text": "(CVE-2023-43804) urllib3@1.26.9" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: urllib3\n* Introduced through: pygoat@0.0.0 and urllib3@1.26.9\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › urllib3@1.26.9\n# Overview\n[urllib3](https://pypi.org/project/urllib3/) is a HTTP library with thread-safe connection pooling, file post, and more.\n\nAffected versions of this package are vulnerable to Information Exposure Through Sent Data when the `Cookie` HTTP header is used. An attacker can leak information via HTTP redirects to a different origin by exploiting the fact that the `Cookie` HTTP header isn't stripped on cross-origin redirects. \r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the user is using the `Cookie` header on requests, not disabling HTTP redirects, and either not using HTTPS or for the origin server to redirect to a malicious origin.\r\n\r\n##Workaround:\r\n\r\nThis vulnerability can be mitigated by disabling HTTP redirects using `redirects=False` when sending requests and by not using the `Cookie` header.\n# Remediation\nUpgrade `urllib3` to version 1.26.17, 2.0.6 or higher.\n# References\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb)\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/1.26.17)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/2.0.6)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-200", + "pip" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-PYTHON-URLLIB3-6002459", + "shortDescription": { + "text": "Medium severity - Information Exposure Through Sent Data vulnerability in urllib3" + }, + "fullDescription": { + "text": "(CVE-2023-45803) urllib3@1.26.9" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: urllib3\n* Introduced through: pygoat@0.0.0 and urllib3@1.26.9\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › urllib3@1.26.9\n# Overview\n[urllib3](https://pypi.org/project/urllib3/) is a HTTP library with thread-safe connection pooling, file post, and more.\n\nAffected versions of this package are vulnerable to Information Exposure Through Sent Data when it processes HTTP redirects with a 303 status code, due to not stripping the request body when changing the request method from `POST` to `GET`. An attacker can potentially expose sensitive information by compromising the origin service and redirecting requests to a malicious peer.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if sensitive information is being submitted in the HTTP request body and the origin service is compromised, starting to redirect using 303 to a malicious peer or the redirected-to service becomes compromised.\r\n\r\n# Workaround\r\n\r\nThis vulnerability can be mitigated by disabling redirects for services that are not expected to respond with redirects, or disabling automatic redirects and manually handling 303 redirects by stripping the HTTP request body.\n# Remediation\nUpgrade `urllib3` to version 1.26.18, 2.0.7 or higher.\n# References\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3)\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/1.26.18)\n- [GitHub Release](https://github.com/urllib3/urllib3/releases/tag/2.0.7)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-201", + "pip" + ], + "cvssv3_baseScore": 4.2, + "security-severity": "4.2" + } + }, + { + "id": "SNYK-PYTHON-URLLIB3-7267250", + "shortDescription": { + "text": "Medium severity - Improper Removal of Sensitive Information Before Storage or Transfer vulnerability in urllib3" + }, + "fullDescription": { + "text": "(CVE-2024-37891) urllib3@1.26.9" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: urllib3\n* Introduced through: pygoat@0.0.0 and urllib3@1.26.9\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › requests-oauthlib@1.3.1 › requests@2.28.2 › urllib3@1.26.9\n* _Introduced through_: pygoat@0.0.0 › django-allauth@0.52.0 › requests@2.28.2 › urllib3@1.26.9\n# Overview\n[urllib3](https://pypi.org/project/urllib3/) is a HTTP library with thread-safe connection pooling, file post, and more.\n\nAffected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the improper handling of the `Proxy-Authorization` header during cross-origin redirects when `ProxyManager` is not in use. When the conditions below are met, including non-recommended configurations, the contents of this header can be sent in an automatic HTTP redirect.\r\n\r\n**Notes:**\r\n\r\nTo be vulnerable, the application must be doing all of the following:\r\n\r\n1) Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\r\n\r\n2) Not disabling HTTP redirects (e.g. with `redirects=False`)\r\n\r\n3) Either not using an HTTPS origin server, or having a proxy or target origin that redirects to a malicious origin.\r\n\r\n# Workarounds\r\n\r\n1) Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\r\n\r\n2) Disabling HTTP redirects using `redirects=False` when sending requests.\r\n\r\n3) Not using the `Proxy-Authorization` header.\n# Remediation\nUpgrade `urllib3` to version 1.26.19, 2.2.2 or higher.\n# References\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468)\n- [GitHub Commit](https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-212", + "pip" + ], + "cvssv3_baseScore": 6, + "security-severity": "6" + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319935", + "shortDescription": { + "text": "Low severity - Access Restriction Bypass vulnerability in werkzeug" + }, + "fullDescription": { + "text": "(CVE-2023-23934) werkzeug@2.1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Access Restriction Bypass that allows a malicious application on an adjacent subdomain to present \"nameless\" cookies that look like `=value` instead of `key=value` and have them accepted by the affected browser. For example, a cookie like `=__Host-test=bad` would be parsed as `__Host-test=bad` and the key treated as valid while the value is ignored.\n# Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-284", + "pip" + ], + "cvssv3_baseScore": 2.6, + "security-severity": "2.6" + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-3319936", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in werkzeug" + }, + "fullDescription": { + "text": "(CVE-2023-25577) werkzeug@2.1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data. An attacker can trigger the opening of multipart files containing a large number of file parts, which are processed using `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, consuming CPU, memory, or file handles resources. The amount of CPU time required can block worker processes from handling other requests. The amount of RAM required can trigger an out-of-memory and crash the process.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `werkzeug` to version 2.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/2.2.3)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-770", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6035177", + "shortDescription": { + "text": "Medium severity - Inefficient Algorithmic Complexity vulnerability in werkzeug" + }, + "fullDescription": { + "text": "(CVE-2023-46136) werkzeug@2.1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers. \r\n\r\nExploiting this vulnerability is possible if the uploaded file starts with `CR` or `LF` and is followed by megabytes of data without these characters.\n# Remediation\nUpgrade `werkzeug` to version 2.3.8, 3.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9)\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-407", + "pip" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-PYTHON-WERKZEUG-6808933", + "shortDescription": { + "text": "High severity - Remote Code Execution (RCE) vulnerability in werkzeug" + }, + "fullDescription": { + "text": "(CVE-2024-34069) werkzeug@2.1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: werkzeug\n* Introduced through: pygoat@0.0.0 and werkzeug@2.1.2\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › werkzeug@2.1.2\n# Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient hostname checks and the use of relative paths to resolve requests. When the debugger is enabled, an attacker can convince a user to enter their own PIN to interact with a domain and subdomain they control, and thereby cause malicious code to be executed.\r\n\r\nThe demonstrated attack vector requires a number of conditions that render this attack very difficult to achieve, especially if the victim application is running in the recommended configuration of not having the debugger enabled in production.\n# Remediation\nUpgrade `werkzeug` to version 3.0.3 or higher.\n# References\n- [GitHub Commit](https://github.com/pallets/werkzeug/commit/71b69dfb7df3d912e66bab87fbb1f21f83504967)\n- [GitHub Release](https://github.com/pallets/werkzeug/releases/tag/3.0.3)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "pip" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-PYTHON-ZIPP-7430899", + "shortDescription": { + "text": "Medium severity - Infinite loop vulnerability in zipp" + }, + "fullDescription": { + "text": "(CVE-2024-5569) zipp@3.8.0" + }, + "help": { + "text": "", + "markdown": "* Package Manager: pip\n* Vulnerable module: zipp\n* Introduced through: pygoat@0.0.0 and zipp@3.8.0\n### Detailed paths\n* _Introduced through_: pygoat@0.0.0 › zipp@3.8.0\n# Overview\n\nAffected versions of this package are vulnerable to Infinite loop where an attacker can cause the application to stop responding by initiating a loop through functions affecting the `Path` module, such as `joinpath`, the overloaded division operator, and `iterdir`.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `zipp` to version 3.19.1 or higher.\n# References\n- [GitHub Commit](https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd)\n- [GitHub Issue](https://github.com/jaraco/zipp/issues/119)\n- [GitHub PR](https://github.com/jaraco/zipp/pull/120)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-835", + "pip" + ], + "cvssv3_baseScore": 6.9, + "security-severity": "6.9" + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-PYTHON-CERTIFI-5805047", + "level": "error", + "message": { + "text": "This file introduces a vulnerable certifi package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "certifi@2022.12.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CERTIFI-7430173", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable certifi package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "certifi@2022.12.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-5663682", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-5777683", + "level": "error", + "message": { + "text": "This file introduces a vulnerable cryptography package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-5813745", + "level": "note", + "message": { + "text": "This file introduces a vulnerable cryptography package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-5813746", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-5813750", + "level": "note", + "message": { + "text": "This file introduces a vulnerable cryptography package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-5914629", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6036192", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6050294", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6092044", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6126975", + "level": "error", + "message": { + "text": "This file introduces a vulnerable cryptography package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6149518", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6157248", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6210214", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6261585", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable cryptography package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6592767", + "level": "note", + "message": { + "text": "This file introduces a vulnerable cryptography package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-6913422", + "level": "note", + "message": { + "text": "This file introduces a vulnerable cryptography package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-CRYPTOGRAPHY-7886970", + "level": "error", + "message": { + "text": "This file introduces a vulnerable cryptography package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "cryptography@39.0.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-5496950", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-5750790", + "level": "error", + "message": { + "text": "This file introduces a vulnerable django package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-5880505", + "level": "error", + "message": { + "text": "This file introduces a vulnerable django package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-5932095", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-6041515", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-6370660", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7435780", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7436273", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7436514", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7436646", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7642790", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7642791", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7642813", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7642814", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7886958", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGO-7886959", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django@4.1.7" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGOALLAUTH-5406296", + "level": "error", + "message": { + "text": "This file introduces a vulnerable django-allauth package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django-allauth@0.52.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGOALLAUTH-7413652", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django-allauth package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django-allauth@0.52.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-DJANGOALLAUTH-7577207", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable django-allauth package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "django-allauth@0.52.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-IDNA-6597975", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable idna package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "idna@3.4" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PILLOW-5918878", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pillow package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pillow@9.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PILLOW-6043904", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pillow package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pillow@9.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PILLOW-6182918", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pillow package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pillow@9.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PILLOW-6219984", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pillow package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pillow@9.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PILLOW-6219986", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pillow package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pillow@9.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PILLOW-6514866", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pillow package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pillow@9.4.0" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PYYAML-550022", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pyyaml package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pyyaml@5.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PYYAML-559098", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pyyaml package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pyyaml@5.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-PYYAML-590151", + "level": "error", + "message": { + "text": "This file introduces a vulnerable pyyaml package with a critical severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "pyyaml@5.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-REQUESTS-5595532", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable requests package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "requests@2.28.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-REQUESTS-6928867", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable requests package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "requests@2.28.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-SQLPARSE-1584201", + "level": "error", + "message": { + "text": "This file introduces a vulnerable sqlparse package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sqlparse@0.3.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-SQLPARSE-5426157", + "level": "error", + "message": { + "text": "This file introduces a vulnerable sqlparse package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sqlparse@0.3.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-SQLPARSE-6615674", + "level": "error", + "message": { + "text": "This file introduces a vulnerable sqlparse package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "sqlparse@0.3.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-URLLIB3-5926907", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable urllib3 package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "urllib3@1.26.9" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-URLLIB3-6002459", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable urllib3 package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "urllib3@1.26.9" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-URLLIB3-7267250", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable urllib3 package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "urllib3@1.26.9" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-WERKZEUG-3319935", + "level": "note", + "message": { + "text": "This file introduces a vulnerable werkzeug package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "werkzeug@2.1.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-WERKZEUG-3319936", + "level": "error", + "message": { + "text": "This file introduces a vulnerable werkzeug package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "werkzeug@2.1.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-WERKZEUG-6035177", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable werkzeug package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "werkzeug@2.1.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-WERKZEUG-6808933", + "level": "error", + "message": { + "text": "This file introduces a vulnerable werkzeug package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "werkzeug@2.1.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-PYTHON-ZIPP-7430899", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable zipp package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "requirements.txt" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "zipp@3.8.0" + } + ] + } + ] + } + ] + } + ] +} diff --git a/components/producers/snyk-python/task.yaml b/components/producers/snyk-python/task.yaml new file mode 100644 index 000000000..24c40f8d6 --- /dev/null +++ b/components/producers/snyk-python/task.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: producer-snyk-python + labels: + v1.dracon.ocurity.com/component: producer + v1.dracon.ocurity.com/test-type: sast + v1.dracon.ocurity.com/language: docpythoner +spec: + params: + - name: producer-snyk-python-api-key + type: string + - name: producer-snyk-python-relative-path-to-requirements-txt + type: string + default: "" + description: Run Snyk For python + volumes: + - name: scratch + emptyDir: {} + workspaces: + - name: output + description: The workspace containing the source-code to scan. + steps: + - name: run-snyk + imagePullPolicy: IfNotPresent + env: + - name: SNYK_INTEGRATION_VERSION + value: docker + + image: 'snyk/snyk:python' + script: | + #!/usr/bin/env bash + set -x + set +e + echo "authenticating to snyk" + snyk auth $(params.producer-snyk-python-api-key) + if [[ -n "$(params.producer-snyk-python-relative-path-to-requirements-txt)" ]]; then + echo "installing dependencies" + pip install -r "$(workspaces.output.path)/source-code/$(params.producer-snyk-python-relative-path-to-requirements-txt)" + fi + + echo "running snyk test" + ls -lah $(workspaces.output.path)/source-code/ + snyk test --prune-repeated-subdependencies --skip-unresolved --sarif-file-output=/scratch/snyk.out $(workspaces.output.path)/source-code/ + exitCode=$? + if [[ $exitCode -ne 0 && $exitCode -ne 1 ]]; then + echo "Snyk failed with exit code $exitCode" + exit $exitCode + else + echo "Snyk completed successfully! exitcode $exitCode" + fi + volumeMounts: + - mountPath: /scratch + name: scratch + + - name: produce-issues + imagePullPolicy: IfNotPresent + image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/snyk-docker:{{ .Chart.AppVersion }}' + command: ["/app/components/producers/snyk-docker/snyk-docker-parser"] + args: + - "-in=/scratch/snyk.out" + - "-out=$(workspaces.output.path)/.dracon/producers/snyk.pb" + volumeMounts: + - mountPath: /scratch + name: scratch diff --git a/examples/pipelines/snyk-project/kustomization.yaml b/examples/pipelines/snyk-project/kustomization.yaml index f9c3c63de..59228a4a6 100644 --- a/examples/pipelines/snyk-project/kustomization.yaml +++ b/examples/pipelines/snyk-project/kustomization.yaml @@ -4,7 +4,9 @@ kind: Kustomization nameSuffix: -snyk-project components: - pkg:helm/dracon-oss-components/base - - pkg:helm/dracon-oss-components/producer-snyk + - pkg:helm/dracon-oss-components/git-clone + - pkg:helm/dracon-oss-components/producer-snyk-docker + - pkg:helm/dracon-oss-components/producer-snyk-python - pkg:helm/dracon-oss-components/producer-aggregator - pkg:helm/dracon-oss-components/enricher-deduplication - pkg:helm/dracon-oss-components/enricher-aggregator diff --git a/examples/pipelines/snyk-project/pipelinerun.yaml b/examples/pipelines/snyk-project/pipelinerun.yaml index 4bfda0945..40529b6e1 100644 --- a/examples/pipelines/snyk-project/pipelinerun.yaml +++ b/examples/pipelines/snyk-project/pipelinerun.yaml @@ -7,10 +7,18 @@ spec: pipelineRef: name: dracon-snyk-project params: + - name: git-clone-url + value: https://github.com/adeyosemanputra/pygoat.git - name: producer-snyk-docker-api-key - value: "" + value: "$snyk-api-key" - name: producer-snyk-docker-image value: ubuntu + + - name: producer-snyk-python-api-key + value: "$snyk-api-key" + - name: producer-snyk-python-relative-path-to-requirements-txt + value: "./requirements.txt" + workspaces: - name: output volumeClaimTemplate: