Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
certifi | 2019.11.28 | >=2015.04.28,<2023.07.22 |
show Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7 |
certifi | 2019.11.28 | <2022.12.07 |
show Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
idna | 2.9 | <3.7 |
show CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter. |
py | 1.8.1 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
py | 1.8.1 | <=1.9.0 |
show Py 1.10.0 includes a fix for CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
sphinx | 2.4.4 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
jinja2 | 2.11.1 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
jinja2 | 2.11.1 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pygments | 2.6.1 | >=1.5,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
pygments | 2.6.1 | >=1.1,<2.7.4 |
show Pygments 2.7.4 includes a fix for CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
pygments | 2.6.1 | <2.15.0 |
show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
requests | 2.23.0 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
ecdsa | 0.19.0 | >=0 |
show The python-ecdsa library, used for ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This flaw allows the extraction of private keys from ECDSA signatures due to a side-channel in ecdsa.SigningKey.sign_digest(). The vulnerability is pronounced in the signing process, especially in operations involving over 719,882 observations. Key generation and ECDH operations are also affected, but signature verification remains secure. https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp |
ecdsa | 0.19.0 | >=0 |
show Ecdsa does not protects against side-channel attacks. This is because Python does not provide side-channel secure primitives (with the exception of hmac.compare_digest()), making side-channel secure programming impossible. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. https://pypi.org/project/ecdsa/#Security |
wheel | 0.34.2 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
virtualenv | 20.0.11 | <20.21.0 |
show Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten. |
https://pyup.io/repos/github/aergoio/herapy/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/aergoio/herapy/python-3-shield.svg)](https://pyup.io/repos/github/aergoio/herapy/)
.. image:: https://pyup.io/repos/github/aergoio/herapy/python-3-shield.svg :target: https://pyup.io/repos/github/aergoio/herapy/ :alt: Python 3
<a href="https://pyup.io/repos/github/aergoio/herapy/"><img src="https://pyup.io/repos/github/aergoio/herapy/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/aergoio/herapy/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/aergoio/herapy/
{<img src="https://pyup.io/repos/github/aergoio/herapy/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/aergoio/herapy/]
https://pyup.io/repos/github/aergoio/herapy/shield.svg
[![Updates](https://pyup.io/repos/github/aergoio/herapy/shield.svg)](https://pyup.io/repos/github/aergoio/herapy/)
.. image:: https://pyup.io/repos/github/aergoio/herapy/shield.svg :target: https://pyup.io/repos/github/aergoio/herapy/ :alt: Updates
<a href="https://pyup.io/repos/github/aergoio/herapy/"><img src="https://pyup.io/repos/github/aergoio/herapy/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/aergoio/herapy/shield.svg(Updates)!:https://pyup.io/repos/github/aergoio/herapy/
{<img src="https://pyup.io/repos/github/aergoio/herapy/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/aergoio/herapy/]