Safety CI > cookiecutter/cookiecutter-django

pyup-update-django-stubs-1.11.0-to-1.12.0

3 years, 10 months ago

31a77f08

Update django-stubs from 1.11.0 to 1.12.0

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-sphinx-5.0.1-to-5.0.2

3 years, 10 months ago

d919a704

Update sphinx from 5.0.1 to 5.0.2

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-sphinx-5.0.1-to-5.0.2

3 years, 10 months ago

225197bb

Update sphinx from 5.0.1 to 5.0.2

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 10 months ago

223dd6dc

Release 2022.06.15

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 10 months ago

570b7744

Update django-environ to 0.9.0 (#3751)

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-django-environ-0.8.1-to-0.9.0

3 years, 10 months ago

ff17d324

Update django-environ from 0.8.1 to 0.9.0

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 10 months ago

c5f373d1

Release 2022.06.13

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 10 months ago

a51c8d29

Update cookiecutter to 2.1.1 (#3727) * Update cookiecutter from 1.7.3 to 2.1.1 * Fix postgreSQL ve

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-cookiecutter-1.7.3-to-2.1.1

3 years, 10 months ago

93e90a47

Fix front-end pipeline choice in tests

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 10 months ago

d57e2e63

Release 2022.06.11

flower 1.0.0 and cookiecutter 1.7.3 have known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html
cookiecutter	1.7.3	<2.1.1	show Cookiecutter 2.1.1 includes a fix for CVE-2022-24065: Cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

cookiecutter

1.7.3

<2.1.1

show

Cookiecutter 2.1.1 includes a fix for CVE-2022-24065: Cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

master

3 years, 10 months ago

fe6d2900

Update requests from 2.27.1 to 2.28.0 (#3748)

flower 1.0.0 and cookiecutter 1.7.3 have known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html
cookiecutter	1.7.3	<2.1.1	show Cookiecutter 2.1.1 includes a fix for CVE-2022-24065: Cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

cookiecutter

1.7.3

<2.1.1

show

Cookiecutter 2.1.1 includes a fix for CVE-2022-24065: Cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

pyup-update-cookiecutter-1.7.3-to-2.1.1

3 years, 10 months ago

9482b74f

Fix postgreSQL versions in tests

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 10 months ago

c1c1f074

Release 2022.06.09

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

pyup-update-requests-2.27.1-to-2.28.0

3 years, 10 months ago

877d2cdb

Update requests from 2.27.1 to 2.28.0

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html

master

3 years, 11 months ago

2963fd8b

Bump actions/setup-python from 3 to 4 (#3746) Co-authored-by: dependabot[bot] <49699333+dependabot[

flower 1.0.0 has known security vulnerabilities.

Package	Installed	Affected	Info
flower	1.0.0	>=0,<2.0.0	show Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials. https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece
flower	1.0.0	<1.2.0	show Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. https://tprynn.github.io/2022/05/26/flower-vulns.html

Package

Installed

Affected

Info

flower

1.0.0

>=0,<2.0.0

show

Flower before 2.0.0 is vulnerable to a timing attack exploiting the `get_current_user()` functionality. This vulnerability stems from the use of non-constant time string comparison for validating HTTP basic authentication credentials.
https://github.com/mher/flower/pull/1166/commits/7f398f7eeb9d95399b6bf1905e0704646d0c4ece

flower

1.0.0

<1.2.0

show

Flower 1.1.0 and prior are vulnerable to CVE-2022-30034: All versions as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.
https://tprynn.github.io/2022/05/26/flower-vulns.html