** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
https://github.com/python-babel/babel/pull/782

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

** DISPUTED ** Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Rsa 4.7 includes a fix for CVE-2020-25658: It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Rsa 4.3 includes a fix for CVE-2020-13757: Python-RSA before 4.3 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153

Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.

Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
https://github.com/python-babel/babel/pull/782

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Scrapy is vulnerable to CVE-2017-14158: Scrapy allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine.
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input.
https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7

Paramiko 3.4.0 has been released to fix vulnerabilities affecting encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305. The fix requires cooperation from both ends of the connection, making it effective when the remote end is OpenSSH >= 9.6 and configured to use the new “strict kex” mode. For further details, refer to the official Paramiko documentation or GitHub repository.
https://github.com/advisories/GHSA-45x7-px36-x8w8

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Prompt-toolkit 3.0.13 fixes a race condition in `ThreadedHistory` which could lead to a deadlock. 
https://github.com/prompt-toolkit/python-prompt-toolkit/commit/99092a8c6d4b411645ac4b84d504e5226e7eebb8#diff-48c0ff10dc3990285d19b3f54e6bfec763089ba1229dc6f9e88463a1046adad7R163