Safety CI > cookiecutter/cookiecutter-django

master

3 years, 9 months ago

b2b082d8

Fix warning from django-coverage-plugin in tests (#3790) Co-authored-by: Bruno Alla <browniebroke@u

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

ee20b4d1

Update coverage to 6.4.2 (#3783)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

78826c2d

Update mypy to 0.971 (#3788)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

a46d94de

Update sentry-sdk to 1.8.0 (#3792)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

8f0d3010

Update Contributors

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

071a4d24

Always use `const` instead of `var` in `gulpfile.js` (#3786)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

9ccee834

Update pre-commit to 2.20.0 (#3779) * Update pre-commit from 2.19.0 to 2.20.0 * Update pre-commi

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

c764b8d4

Update django-extensions to 3.2.0 (#3774)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

0996c367

Update tox to 3.25.1 (#3767)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

fc4307df

Update uvicorn from 0.17.6 to 0.18.2 (#3762)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

ae9203f6

Update redis from 4.3.3 to 4.3.4 (#3763)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 9 months ago

41e56592

Update requests to 2.28.1 (#3766)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-sentry-sdk-1.6.0-to-1.8.0

3 years, 9 months ago

8bcffe18

Update sentry-sdk from 1.6.0 to 1.8.0

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

update/pre-commit-autoupdate

3 years, 9 months ago

009393f0

Auto-update pre-commit hooks

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-mypy-0.950-to-0.971

3 years, 9 months ago

355b8ccd

Update mypy from 0.950 to 0.971

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html