Safety CI > apihackers/docker-pelican

pyup/update-pygments-2.10.0-to-2.20.0

2 days, 6 hours ago

e9ba5c50

Update pygments from 2.10.0 to 2.20.0

Markdown 3.3.4 and weasyprint 53.3 have known security vulnerabilities.

Package	Installed	Affected	Info
Markdown	3.3.4	<3.8.1	show Affected versions of the Markdown package are vulnerable to an Uncaught Exception due to improper handling of malformed HTML-like input during Markdown parsing. Python-Markdown 3.8 passes crafted HTML-like sequences to Python’s html.parser.HTMLParser, and when HTMLParser raises an AssertionError, the parsing flow does not catch the exception.
weasyprint	53.3	<68.0	show Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

Package

Installed

Affected

Info

Markdown

3.3.4

<3.8.1

show

Affected versions of the Markdown package are vulnerable to an Uncaught Exception due to improper handling of malformed HTML-like input during Markdown parsing. Python-Markdown 3.8 passes crafted HTML-like sequences to Python’s html.parser.HTMLParser, and when HTMLParser raises an AssertionError, the parsing flow does not catch the exception.

weasyprint

53.3

<68.0

show

Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

pyup/update-markdown-3.3.4-to-3.10.2

1 month, 2 weeks ago

64eebc2b

Update markdown from 3.3.4 to 3.10.2

pygments 2.10.0 and weasyprint 53.3 have known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2
weasyprint	53.3	<68.0	show Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

weasyprint

53.3

<68.0

show

Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

pyup/update-weasyprint-53.3-to-68.1

1 month, 3 weeks ago

7f7185d9

Update weasyprint from 53.3 to 68.1

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-babel-2.9.1-to-2.18.0

1 month, 4 weeks ago

337cec6d

Update babel from 2.9.1 to 2.18.0

pygments 2.10.0 and weasyprint 53.3 have known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2
weasyprint	53.3	<68.0	show Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

weasyprint

53.3

<68.0

show

Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

pyup/update-markdown-3.3.4-to-3.10.1

2 months, 1 week ago

cfd9a36a

Update markdown from 3.3.4 to 3.10.1

pygments 2.10.0 and weasyprint 53.3 have known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2
weasyprint	53.3	<68.0	show Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

weasyprint

53.3

<68.0

show

Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.

pyup/update-weasyprint-53.3-to-68.0

2 months, 1 week ago

a4bababe

Update weasyprint from 53.3 to 68.0

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-cython-0.29.24-to-3.2.4

2 months, 3 weeks ago

69c179fd

Update cython from 0.29.24 to 3.2.4

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-cython-0.29.24-to-3.2.3

3 months, 2 weeks ago

77fe60cf

Update cython from 0.29.24 to 3.2.3

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-weasyprint-53.3-to-67.0

3 months, 4 weeks ago

7d976373

Update weasyprint from 53.3 to 67.0

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-cython-0.29.24-to-3.2.2

4 months ago

1ef22425

Update cython from 0.29.24 to 3.2.2

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-cython-0.29.24-to-3.2.1

4 months, 2 weeks ago

c1412091

Update cython from 0.29.24 to 3.2.1

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-cython-0.29.24-to-3.2.0

4 months, 3 weeks ago

83415b19

Update cython from 0.29.24 to 3.2.0

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-markdown-3.3.4-to-3.10

4 months, 3 weeks ago

38db205b

Update markdown from 3.3.4 to 3.10

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-pelican-4.7.0-to-4.11.0.post0

5 months ago

c2318a67

Update pelican from 4.7.0 to 4.11.0.post0

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

pyup/update-cython-0.29.24-to-3.1.6

5 months, 1 week ago

3db8c5d9

Update cython from 0.29.24 to 3.1.6

pygments 2.10.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pygments	2.10.0	<2.15.0	show Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2

Package

Installed

Affected

Info

pygments

2.10.0

<2.15.0

show

Pygments 2.15.0 includes a fix for CVE-2022-40896: The regular expressions used when parsing Smithy, SQL/SQL+Jinja, and Java properties files were discovered to be vulnerable. As a result, pygmentizing a maliciously-crafted file of these kinds would have resulted in high resources consumption or crashing of the application.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2