Update vulnerable dependencies [SECURITY] #1723
Merged
This PR contains the following updates (package names were not preserved in this rendering; each row is one dependency's current and proposed version):

| Current | Proposed |
|---|---|
| `==1.0.2` | `==2.2.5` |
| `==2.10` | `==3.1.4` |
| `==0.14.1` | `==3.0.6` |
| `==2023.7.22` | `==2024.7.4` |
| `==41.0.6` | `==43.0.1` |
| `==3.1` | `==4.2.16` |
| `==1.15.0` | `==2.6.1` |
| `==3.4` | `==3.7` |
| `^8.5.1` | `8.5.1` |
| `13.4.12` | `14.2.7` |
| `8.4.27` | `8.4.31` |
| `^2.8.0` | `2.8.0` |
| `==2.20.0` | `==2.32.2` |
| `==2.31.0` | `==2.32.2` |
| `==1.26.18` | `==1.26.19` |
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
CVE-2023-30861 / GHSA-m2qf-hxjv-5gpq / PYSEC-2023-62

Details

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

- The application sets `session.permanent = True`.
- `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
- The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2023-30861 / GHSA-m2qf-hxjv-5gpq / PYSEC-2023-62

Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

- The application sets `session.permanent = True`.
- `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
- The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
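The two Flask advisories above describe a mitigation the application can enforce itself: mark any response that sets a cookie as uncacheable by shared caches. As an added example (not Flask's own code), the WSGI middleware below does that independently of the framework's session-refresh logic; `CookieCacheGuard`, `demo_app` and `call_app` are names chosen here, and the demo app's cookie value is constructed.

```python
"""Added example (not Flask's code) for CVE-2023-30861: WSGI middleware that
adds Vary: Cookie and Cache-Control: private to every response carrying a
Set-Cookie header, so a shared cache cannot replay one client's refreshed
session cookie to another even if the framework omitted the header."""


class CookieCacheGuard:
    """Wrap a WSGI app; only responses that set cookies are touched."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            if any(name.lower() == "set-cookie" for name, _ in headers):
                headers = self.harden(headers)
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start_response)

    @staticmethod
    def harden(headers):
        """Extend an existing Vary rather than replace it; leave an explicit
        Cache-Control alone so the app keeps its own policy."""
        out = []
        vary_seen = cache_control_seen = False
        for name, value in headers:
            lname = name.lower()
            if lname == "vary":
                vary_seen = True
                tokens = [t.strip().lower() for t in value.split(",")]
                if "cookie" not in tokens and "*" not in tokens:
                    value = f"{value}, Cookie"
            elif lname == "cache-control":
                cache_control_seen = True
            out.append((name, value))
        if not vary_seen:
            out.append(("Vary", "Cookie"))
        if not cache_control_seen:
            out.append(("Cache-Control", "private"))
        return out


def demo_app(environ, start_response):
    """Constructed stand-in for an app that refreshes a permanent session
    cookie on an otherwise cacheable page (no Vary, no Cache-Control)."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=constructed-value; HttpOnly; Path=/"),
    ])
    return [b"<h1>hello</h1>"]


def call_app(app, environ=None):
    """Invoke a WSGI app once and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ or {"REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body
```

Wrapping the application object (`CookieCacheGuard(app.wsgi_app)` in Flask terms) is enough; responses without `Set-Cookie` pass through untouched.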
CVE-2019-10906 / GHSA-462w-v97r-4m45 / PYSEC-2019-217

Details

In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Jinja2 sandbox escape via string formatting
CVE-2019-10906 / GHSA-462w-v97r-4m45 / PYSEC-2019-217

Details

In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape.

The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox.

This issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods.

If you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.

Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2020-28493 / GHSA-g3rq-g295-4j3m / PYSEC-2021-66 / SNYK-PYTHON-JINJA2-1012994

Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re` regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Regular Expression Denial of Service (ReDoS) in Jinja2
CVE-2020-28493 / GHSA-g3rq-g295-4j3m / PYSEC-2021-66 / SNYK-PYTHON-JINJA2-1012994

Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability of the regex is mainly due to the sub-pattern `[a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+`. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
CVE-2024-22195 / GHSA-h5c8-rqwp-cp95

Details

The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
CGA-g5xx-83xq-8g5j / CVE-2024-34064 / GHSA-h75v-3vvj-5mfj

Details

The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 / CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
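The two `xmlattr` advisories above differ only in which key characters are refused. As an added example (not Jinja's own filter code), the following models the attribute rendering with the incomplete first fix beside the complete second one, and provides the key check an application should run before passing user-controlled keys at all; `xmlattr_space_check_only`, `find_unsafe_keys` and `xmlattr_hardened` are names chosen here.

```python
"""Added example (not Jinja's own code) for CVE-2024-22195 / CVE-2024-34064:
builds an attribute string from a dict the way the xmlattr filter does, first
with the incomplete first fix (spaces rejected, nothing else) and then with a
key check that rejects every character able to start a new attribute."""
import html
import re

# Characters that end an attribute name in HTML/XML. A key containing one of
# them is parsed as additional attributes, which is the injection the second
# advisory describes: whitespace, "/", ">" and "=".
BAD_KEY_CHARS = re.compile(r"[\s/>=]")


def render_attr(key, value):
    """Quote a single value; xmlattr escapes values, so values stay safe input."""
    return f'{key}="{html.escape(str(value), quote=True)}"'


def xmlattr_space_check_only(attrs):
    """Model of the GHSA-h5c8-rqwp-cp95 fix: only keys with spaces are refused."""
    for key in attrs:
        if " " in key:
            raise ValueError(f"invalid attribute key: {key!r}")
    return " ".join(render_attr(k, v) for k, v in attrs.items())


def find_unsafe_keys(attrs):
    """Return the keys the hardened check refuses (empty or containing BAD_KEY_CHARS).
    An application accepting keys from users should call this before rendering."""
    return [k for k in attrs if not k or BAD_KEY_CHARS.search(k)]


def xmlattr_hardened(attrs):
    """Model of the GHSA-h75v-3vvj-5mfj fix: any key that could start another
    attribute is refused before anything is rendered."""
    bad = find_unsafe_keys(attrs)
    if bad:
        raise ValueError(f"invalid attribute keys: {bad!r}")
    return " ".join(render_attr(k, v) for k, v in attrs.items())
```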
CVE-2019-14806 / GHSA-gq9m-qvpx-68hc / PYSEC-2019-140

Details

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Pallets Werkzeug Insufficient Entropy
CVE-2019-14806 / GHSA-gq9m-qvpx-68hc / PYSEC-2019-140

Details

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Pallets Werkzeug vulnerable to Path Traversal
CVE-2019-14322 / GHSA-j544-7q9p-6xp8

Details

In Pallets Werkzeug before 0.15.5, `SharedDataMiddleware` mishandles drive names (such as `C:`) in Windows pathnames.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2022-29361 / PYSEC-2022-203

Details

** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
High resource usage when parsing multipart form data with many fields
CVE-2023-25577 / GHSA-xg9f-g7g7-2323 / PYSEC-2023-58

Details

Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2023-23934 / GHSA-px8h-6qxv-m22q / PYSEC-2023-57

Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
CVE-2023-25577 / GHSA-xg9f-g7g7-2323 / PYSEC-2023-58

Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Severity: Unknown

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Incorrect parsing of nameless cookies leads to __Host- cookies bypass
CVE-2023-23934 / GHSA-px8h-6qxv-m22q / PYSEC-2023-57

Details

Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain.

Werkzeug <= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.

Severity: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
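The nameless-cookie advisories above are easiest to see with the header in hand. As an added example (not Werkzeug's own parser), the following puts a simplified model of the pre-2.2.3 parse beside a strict parser that drops any pair without a valid cookie name and reports it, so a deployment can log such requests; the header value is constructed, and `parse_cookie_lenient`/`parse_cookie_strict` are names chosen here.

```python
"""Added example (not Werkzeug's code) for CVE-2023-23934: two Cookie-header
parsers. The lenient one is a simplified model of the pre-2.2.3 behaviour, where
the nameless cookie "=__Host-test=bad" ends up as __Host-test -> "bad"; the
strict one drops nameless or malformed pairs and reports them for logging."""
import re
from typing import Dict, List, NamedTuple

# RFC 6265 cookie-name is a token: no separators, controls or whitespace.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class ParsedCookies(NamedTuple):
    cookies: Dict[str, str]
    rejected: List[str]


def parse_cookie_lenient(header: str) -> Dict[str, str]:
    """Simplified model of the vulnerable parse: an empty name makes the
    remainder be re-read as name=value, so the forged cookie wins."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if name == "":
            name, _, value = value.partition("=")
        cookies[name] = value  # later duplicates overwrite earlier ones
    return cookies


def parse_cookie_strict(header: str) -> ParsedCookies:
    """Drop any pair without a valid token name; the first occurrence of a name
    wins, and every dropped pair is returned so the application can log it."""
    cookies: Dict[str, str] = {}
    rejected: List[str] = []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not TOKEN.match(name):
            rejected.append(pair)
            continue
        cookies.setdefault(name, value)
    return ParsedCookies(cookies, rejected)


# Constructed header: a legitimate __Host- cookie followed by a forged nameless one.
SAMPLE_HEADER = "__Host-test=good; =__Host-test=bad; theme=dark"
```

Counting `rejected` entries per client is a cheap detection signal, since well-behaved browsers do not send nameless cookies.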
CVE-2023-46136 / GHSA-hrfv-mqp8-q5rw / PYSEC-2023-221

Details

Werkzeug is a comprehensive WSGI web application library. If a file upload starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and the lookup for the boundary is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
CVE-2023-46136 / GHSA-hrfv-mqp8-q5rw / PYSEC-2023-221

Details

Werkzeug's multipart data parser needs to find a boundary that may be split between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, the code looking for a partial boundary in the buffer is written inefficiently, so if an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and the lookup for the boundary is performed on the growing buffer.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

Severity: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
CGA-4f6v-wx38-68gq / CVE-2024-34069 / GHSA-2g68-c3qc-8985

Details

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Werkzeug safe_join not safe on Windows
CVE-2024-49766 / GHSA-f9vj-2wh5-fj8j

Details

On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

Severity: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
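Both Werkzeug path advisories on this page (drive names in `SharedDataMiddleware`, and UNC paths that `os.path.isabs()` misses before Python 3.11) come down to the same check. As an added example (not Werkzeug's own `safe_join`), the join below refuses drive names and UNC paths explicitly through `ntpath.splitdrive` and a leading-slash test, so its result does not depend on the platform or Python version it runs on; the function name and test paths are chosen here.

```python
"""Added example (not Werkzeug's code) for CVE-2019-14322 and CVE-2024-49766:
a safe_join that does not rely on os.path.isabs() alone. Drive names such as
"C:" and UNC paths such as "//server/share" are refused explicitly, so the
result is the same on every platform and Python version."""
import ntpath
import posixpath
from typing import Optional


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted path segments under `directory`; return None if any
    segment could escape it. Joining uses POSIX separators, as Werkzeug does."""
    if not directory:
        directory = "."
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename                   # Windows separators are never allowed
            or ntpath.splitdrive(filename)[0]  # "C:" drive names and "//server/share" UNC
            or filename.startswith("/")        # absolute paths, whatever isabs() says
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```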
Werkzeug possible resource exhaustion when parsing file data in forms
CVE-2024-49767 / GHSA-q34m-jh98-gwm2

Details

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.

The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
GitHub Vulnerability Alerts
CVE-2024-39689
Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.
GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found here.
Certifi removes GLOBALTRUST root certificate
CVE-2024-39689 / GHSA-248v-346w-9cwc

Severity: Low

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2023-50782
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
CVE-2024-0727

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: `PKCS12_parse()`, `PKCS12_unpack_p7data()`, `PKCS12_unpack_p7encdata()`, `PKCS12_unpack_authsafes()` and `PKCS12_newpass()`.

We have also fixed a similar issue in `SMIME_write_PKCS7()`. However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
CVE-2024-26130

If `pkcs12.serialize_key_and_certificates` is called with both:

- `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`)

then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a `ValueError` is properly raised. Patched in https://github.com/pyca/cryptography/pull/10423
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
CGA-45f3-3fmq-7h5w / CVE-2023-50782 / GHSA-3ww4-gg4f-jr7f

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).