Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.7.1 | <4.9.1 | Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in widespread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via the iterwalk function, a crash can be triggered. |
flask | 1.0.2 | <2.2.5, >=2.3.0,<2.3.2 | Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True'. 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' is enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Jinja2 | 2.11.3 | <3.1.3 | Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
requests | 2.20.1 | >=2.3.0,<2.31.0 | Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
setuptools | 41.6.0 | <65.5.1 | Setuptools 65.5.1 includes a fix for CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
sqlalchemy | 1.3.18 | <2.0.0b1 | Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords in the open for careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
cryptography | 3.4.7 | <42.0.5 | Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.4.7 | >=3.1,<41.0.6 | Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.4.7 | <41.0.2 | The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.4.7 | <41.0.0 | Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.4.7 | <39.0.1 | Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <39.0.1 | Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting OpenSSL. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.4.7 | <41.0.4 | Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, which includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.4.7 | >=1.8,<39.0.1 | Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.4.7 | <42.0.0 | A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.4.7 | >=0.8,<41.0.3 | Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 | Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 | Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.4.7 | <42.0.0 | Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.4.7 | <41.0.5 | Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, which includes a security fix. |
pyarrow | 0.15.0 | >=0.14.0,<=14.0.0 | Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. |
requests | 2.20.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
setuptools | 41.6.0 | <65.5.1 |
show Setuptools 65.5.1 includes a fix for CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
sqlalchemy | 1.3.18 | <2.0.0b1 |
show Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
setuptools | 41.6.0 | <65.5.1 |
show Setuptools 65.5.1 includes a fix for CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
cryptography | 3.4.7 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.4.7 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.4.7 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.4.7 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.4.7 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.4.7 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.7.1 | <4.9.1 | Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in widespread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via the iterwalk function, a crash can be triggered. |
flask | 1.0.2 | <2.2.5 , >=2.3.0,<2.3.2 | Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True'. 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' is enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
pyarrow | 1.0.1 | >=0.14.0,<=14.0.0 | Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. |
Jinja2 | 2.11.3 | <3.1.3 | Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto-escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pyarrow | 0.15.0 | >=0.14.0,<=14.0.0 | Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. |
requests | 2.20.1 | >=2.3.0,<2.31.0 | Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
setuptools | 41.6.0 | <65.5.1 | Setuptools 65.5.1 includes a fix for CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
sqlalchemy | 1.3.18 | <2.0.0b1 | SQLAlchemy 2.0.0b1 avoids leaking cleartext passwords into the open through careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
cryptography | 3.4.7 | <42.0.5 | Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.4.7 | >=3.1,<41.0.6 | Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.4.7 | <41.0.2 | The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.4.7 | <41.0.0 | Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.4.7 | <39.0.1 | Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <39.0.1 | Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting OpenSSL. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.4.7 | <41.0.4 | Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, which includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.4.7 | >=1.8,<39.0.1 | Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.4.7 | <42.0.0 | A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.4.7 | >=0.8,<41.0.3 | Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 | Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 | Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.4.7 | <42.0.0 | Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.4.7 | <41.0.5 | Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, which includes a security fix. |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.7.1 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
flask | 1.0.2 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
pyarrow | 1.0.1 | >=0.14.0,<=14.0.0 |
show Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. |
Jinja2 | 2.11.3 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
pyarrow | 0.15.0 | >=0.14.0,<=14.0.0 |
show Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. |
requests | 2.20.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
tensorflow | 2.9.1 | <2.8.4 , >=2.10.0,<2.10.1 , >=2.9.0,<2.9.3 |
show Impact: A recurring instance of CVE-2022-35935 has been observed and addressed. In this case, `SobolSample` is prone to denial of service due to assumed scalar inputs. You can replicate this using the following code in Python: ```python import tensorflow as tf tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=tf.constant([1])) ``` Patches: Corrective measures have been taken and the issue has been patched via GitHub commits c65c67f88ad770662e8f191269a907bf2b94b1bf and 02400ea266bd811fc016a848445de1bbff3a23a0. These fixes will be integrated in the forthcoming TensorFlow 2.11 release and will also be added to TensorFlow 2.10.1, 2.9.3, and 2.8.4 as they fall within the supported range. Furthermore, the initial commit will be incorporated into TensorFlow 2.7.4. For more information: You can refer to the TensorFlow's security guide for comprehensive insights into the security model and for details on how to contact them for queries or issues. Attribution: This vulnerability was reported by Kang Hong Jin from Singapore Management University, Neophytos Christou from Secure Systems Labs at Brown University, Liu Liyuan from the Information System & Security and Countermeasures Experiments Center at Beijing Institute of Technology, and Pattarakrit Rattankul. |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
show TensorFlow is an open source platform for machine learning. An input 'sparse_matrix' that is not a matrix with a shape with rank 0 will trigger a 'CHECK' fail in 'tf.raw_ops.SparseMatrixNNZ'. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
show Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41880: When the 'BaseCandidateSamplerOp' function receives a value in 'true_classes' larger than 'range_max', a heap oob read occurs. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8w5g-3wcv-9g2j |
tensorflow | 2.9.1 | >=0,<2.8.4 , >=2.9.0,<2.9.3 , >=2.10.0,<2.10.1 |
show Affected versions of TensorFlow are susceptible to a Denial of Service (DoS) attack caused by an issue similar to CVE-2022-35991, occurring in TensorListScatter and TensorListScatterV2 when non-scalar inputs are used. |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
show Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41886: When 'tf.raw_ops.ImageProjectiveTransformV2' is given a large output shape, it overflows. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-54pp-c6pp-7fpx |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
show TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35960: 'CHECK' failure in 'TensorListReserve' via missing validation. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v5xg-3q2c-c2r4 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
show Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25676: When running versions prior to 2.12.0 and 2.11.1 with XLA, 'tf.raw_ops.ParallelConcat' segfaults with a nullptr dereference when given a parameter 'shape' with rank that is not greater than zero. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6wfh-89q8-44jq |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
show TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36002: 'CHECK' fail in 'Unbatch'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mh3m-62v7-68xg |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
show Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41910: The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-frqp-wp83-qggv |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
show TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35973: Segfault in 'QuantizedMatMul'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
show Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25663: Prior to versions 2.12.0 and 2.11.1, when 'ctx->step_containter()' is a null ptr, the Lookup function will be executed with a null pointer. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-64jg-wjww-7c5w |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 , >=2.11.0rc0,<2.11.0 |
show TensorFlow 2.8.4, 2.9.3, 2.10.1 and 2.11.0 include a fix for CVE-2022-35991: 'CHECK' fail in 'TensorListScatter' and 'TensorListScatterV2'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vm7x-4qhj-rrcq https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xf83-q765-xm6m |
tensorflow | 2.9.1 | >=0,<2.8.4 , >=2.9.0,<2.9.3 , >=2.10.0,<2.10.1 |
show Various versions of tensorflow are susceptible to a Denial of Service (DoS) attack stemming from a vulnerability similar to CVE-2022-35935, which occurs in SobolSample due to the handling of scalar inputs. |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
show TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35959: 'CHECK' failures in 'AvgPool3DGrad'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wxjj-cgcx-r3vq |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
show Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25801: Prior to versions 2.12.0 and 2.11.1, 'nn_ops.fractional_avg_pool_v2' and 'nn_ops.fractional_max_pool_v2' require the first and fourth elements of their parameter 'pooling_ratio' to be equal to 1.0, as pooling on batch and channel dimensions is not supported. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f49c-87jh-g47q |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
show Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25659: Prior to versions 2.12.0 and 2.11.1, if the parameter 'indices' for 'DynamicStitch' does not match the shape of the parameter 'data', it can trigger an stack OOB read. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-93vr-9q9m-pj8p |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25661: In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the 'Convolution3DTranspose' function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services. An attacker must have privilege to provide input to a 'Convolution3DTranspose' call. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fxgc-95xx-grvq |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35972: Segfault in 'QuantizedBiasAdd'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4pc4-m9mj-v2r9 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35994: 'CHECK' fail in 'CollectiveGather'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fhfc-2q7x-929f |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41900: The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xvwp-h6jv-7472 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25664: Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6hg6-5c2q-7rcr |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41895: If 'MirrorPadGrad' is given outsize input 'paddings', TensorFlow will give a heap OOB error. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gq2j-cr96-gvqx |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25665: Prior to versions 2.12.0 and 2.11.1, when 'SparseSparseMaximum' is given invalid sparse tensors as inputs, it can give a null pointer error. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-558h-mq8x-7q9g |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35981: 'CHECK' fail in 'FractionalMaxPoolGrad'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vxv8-r8q2-63xw |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35969: 'CHECK' fail in 'Conv2DBackpropInput'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q2c3-jpmc-gfjx |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41902: The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cg88-rpvp-cjv5 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25668: Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gw97-ff7c-9v96 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36012: Assertion fail on MLIR empty edge names. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jvhc-5hhr-w3v5 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35968: 'CHECK' fail in 'AvgPoolGrad'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2475-53vw-vp25 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36011: Null dereference on MLIR on empty function attributes. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fv43-93gv-vm8f |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36019: 'CHECK' fail in 'FakeQuantWithMinMaxVarsPerChannel'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9j4v-pp28-mxv7 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36000: 'CHECK' fail in 'Eig'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fqxc-pvf8-2w9v |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-27579: Constructing a tflite model with a parameter 'filter_input_channel' of less than 1 gives a FPE. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5w96-866f-6rm8 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41889: If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a 'nullptr', which is not caught. An example can be seen in 'tf.compat.v1.extract_volume_patches' by passing in quantized tensors as input 'ksizes'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xxcj-rhqg-m46g |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25672: The function 'tf.raw_ops.LookupTableImportV2' cannot handle scalars in the 'values' parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41899: TensorFlow is an open source platform for machine learning. Inputs 'dense_features' or 'example_state_data' not of rank 2 will trigger a 'CHECK' fail in 'SdcaOptimizer'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27rc-728f-x5w2 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41890: If 'BCast::ToShape' is given input larger than an 'int32', it will crash, despite being supposed to handle up to an 'int64'. An example can be seen in 'tf.experimental.numpy.outer' by passing in large input to the input 'b'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h246-cgh4-7475 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35990: 'CHECK' fail in 'FakeQuantWithMinMaxVarsPerChannelGradient'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h7ff-cfc9-wmmh |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35983: 'CHECK' fail in 'Save' and 'SaveSlices'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6vp-8q9j-whx4 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35992: 'CHECK' fail in 'TensorListFromTensor'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9v8w-xmr4-wgxp |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25674: Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gf97-q72m-7579 |
tensorflow | 2.9.1 | <2.13.0 |
Improper buffer restrictions in Intel(R) Optimization for TensorFlow before version 2.13.0 may allow an authenticated user to potentially enable escalation of privilege via local access. See CVE-2023-30767. |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36015: Integer overflow in math ops. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rh87-q4vg-m45j |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36004: 'CHECK' fail in 'tf.random.gamma'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv8m-8x97-937q |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35963: 'CHECK' failures in 'FractionalAvgPoolGrad'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-84jm-4cf3-9jfm |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36003: 'CHECK' fail in 'RandomPoissonV2'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cv2p-32v3-vhwq |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41897: If 'FractionMaxPoolGrad' is given outsize inputs 'row_pooling_sequence' and 'col_pooling_sequence', TensorFlow will crash. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f2w8-jw48-fr7j |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35966: Segfault in 'QuantizedAvgPool'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4w68-4x85-mjj9 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41911: When printing a tensor, we get its data as a 'const char*' array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from 'char' to 'bool' are undefined if the 'char' is not '0' or '1', so sanitizers/fuzzers will crash. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pf36-r9c6-h97j |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41907: When 'tf.raw_ops.ResizeNearestNeighborGrad' is given a large 'size' input, it overflows. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-368v-7v32-52fx |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41898: If 'SparseFillEmptyRowsGrad' is given empty inputs, TensorFlow will crash. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hq7g-wwwp-q46h |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25660: Prior to versions 2.12.0 and 2.11.1, when the parameter 'summarize' of 'tf.raw_ops.Print' is zero, the new method 'SummarizeArray<bool>' will dereference a nullptr, leading to a seg fault. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qjqc-vqcf-5qvj |
tensorflow | 2.9.1 | <2.8.4 , >=2.10.0,<2.10.1 , >=2.9.0,<2.9.3 |
Another instance of CVE-2022-35991: TensorListScatter and TensorListScatterV2 can crash when given a non-scalar 'element_shape' input in eager mode. The issue was reproduced with the following Python code: `import tensorflow as tf; arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None); arg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536); arg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536); arg_3=''; tf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, element_shape=arg_2, name=arg_3)`. The fix is in GitHub commit bf9932fc907aff0e9e8cccf769e8b00d30fd81a1, which will be included in TensorFlow 2.11 and cherry-picked into TensorFlow 2.10.1, 2.9.3 and 2.8.4, as those versions are also affected and still within the supported range. For further details, refer to TensorFlow's security guide. The vulnerability was reported by Pattarakrit Rattankul. |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35997: 'CHECK' fail in 'tf.sparse.cross'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p7hr-f446-x6qf |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35999: 'CHECK' fail in 'Conv2DBackpropInput'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-37jf-mjv6-xfqw |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36027: Segfault TFLite converter on per-channel quantized transposed convolutions. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-79h2-q768-fpxr |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41894: The reference kernel of the 'CONV_3D_TRANSPOSE' TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of 'data_ptr += num_channels;' it should be 'data_ptr += output_num_channels;' as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6q3-vv32-2cq5 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35939: OOB write in 'scatter_nd' op in TF Lite. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-ffjm-4qwc-7cmf |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35996: Floating point exception in 'Conv2D'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q5jv-m6qw-5g37 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35941: 'CHECK' failure in 'AvgPoolOp'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mgmh-g2v6-mqw5 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36018: 'CHECK' fail in 'RaggedTensorToVariant'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6cv-4fmf-66xf |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35974: Segfault in 'QuantizeDownAndShrinkRange'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vgvh-2pf4-jr2x |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35970: Segfault in 'QuantizedInstanceNorm'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g35r-369w-3fqp |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 , >=2.11.0rc0,<2.11.0 |
TensorFlow 2.8.4, 2.9.3, 2.10.1 and 2.11.0 include a fix for CVE-2022-35935: 'CHECK' failure in 'SobolSample' via missing validation. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-97p7-w86h-vcf9 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cqvq-fvhr-v6hc |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35967: Segfault in 'QuantizedAdd'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v6h3-348g-6h5x |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25675: When running versions prior to 2.12.0 and 2.11.1 with XLA, 'tf.raw_ops.Bincount' segfaults when given a parameter 'weights' that is neither the same shape as parameter 'arr' nor a length-0 tensor. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7x4v-9gxg-9hwj |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36017: Segfault in 'Requantize'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wqmc-pm8c-2jhc |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25671: There is out-of-bounds access due to mismatched integer type sizes. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j5w9-hmfh-4cr6 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35937: OOB read in 'Gather_nd' op in TF Lite. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pxrw-j2fv-hx3h |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36001: 'CHECK' fail in 'DrawBoundingBoxes'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jqm7-m5q7-3hm5 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41884: If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jq6x-99hj-q636 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25670: Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-49rq-hwc3-x77w |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41909: An input 'encoded' that is not a valid 'CompositeTensorVariant' tensor will trigger a segfault in 'tf.raw_ops.CompositeTensorVariantToComponents'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjx6-v474-2ch9 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35995: 'CHECK' fail in 'AudioSummaryV2'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g9h5-vr8m-x2h4 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36005: 'CHECK' fail in 'FakeQuantWithMinMaxVarsGradient'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r26c-679w-mrjm |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41891: If 'tf.raw_ops.TensorListConcat' is given 'element_shape=[]', it results in a segmentation fault which can be used to trigger a denial of service attack. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-66vq-54fq-6jvv |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41888: When running on GPU, 'tf.image.generate_bounding_box_proposals' receives a 'scores' input that must be of rank 4 but is not checked. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6x99-gv2v-q76v |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25673: Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36016: 'CHECK'-fail in 'tensorflow::full_type::SubstituteFromAttrs'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g468-qj8g-vcjc |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35989: 'CHECK' fail in 'MaxPool'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j43h-pgmg-5hjq |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35987: 'CHECK' fail in 'DenseBincount'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-w62h-8xjm-fv49 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25658: Prior to versions 2.12.0 and 2.11.1, an out of bounds read is in GRUBlockCellGrad. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-68v3-g9cm-rmm6 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35934: 'CHECK' failure in tf.reshape via overflows. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f4w6-h4f5-wx45 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35993: 'CHECK' fail in 'SetSize'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wq6q-6m32-9rv9 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25662: Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7jvm-xxmr-v5cw |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25667: Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when '2^31 <= num_frames * height * width * channels < 2^32', for example Full HD screencast of at least 346 frames. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fqm2-gh8w-gr68 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35982: Segfault in 'SparseBincount'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-397c-5g2j-qxpv |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35952: 'CHECK' failures in 'UnbatchGradOp'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h5vq-gw2c-pq47 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41893: If 'tf.raw_ops.TensorListResize' is given a nonscalar value for input 'size', it results in a 'CHECK' fail which can be used to trigger a denial of service attack. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-67pf-62xr-q35m |
tensorflow | 2.9.1 | <2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.9.3 and 2.10.1 include a fix for CVE-2022-41887: 'tf.keras.losses.poisson' receives a 'y_pred' and 'y_true' that are passed through 'functor::mul' in 'BinaryOp'. If the resulting dimensions overflow an 'int32', TensorFlow will crash due to a size mismatch during broadcast assignment. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fvv-46hw-vpg3 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36026: 'CHECK' fail in 'QuantizeAndDequantizeV3'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9cr2-8pwr-fhfq |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35998: 'CHECK' fail in 'EmptyTensorList'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhw4-wwr7-gjc5 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41908: TensorFlow is an open source platform for machine learning. An input 'token' that is not a UTF-8 bytestring will trigger a 'CHECK' fail in 'tf.raw_ops.PyFunc'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv77-9g28-cwg3 |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25666: Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in AudioSpectrogram. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f637-vh3r-vfh2 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35988: 'CHECK' fail in 'tf.linalg.matrix_rank'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9vqj-64pv-w55c |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35986: Segfault in 'RaggedBincount'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wr9v-g9vf-c74v |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35979: Segfault in 'QuantizedRelu' and 'QuantizedRelu6'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v7vw-577f-vp8x |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35971: 'CHECK' fail in 'FakeQuantWithMinMaxVars'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9fpg-838v-wpv7 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35984: 'CHECK' fail in 'ParameterizedTruncatedNormal'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p2xf-8hgm-hpw5 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35965: Segfault in 'LowerBound' and 'UpperBound'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qxpx-j395-pw36 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35964: Segfault in 'BlockLSTMGradV2'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f7r5-q7cx-h668 |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41896: If 'ThreadUnsafeUnigramCandidateSampler' is given input 'filterbank_channel_count' greater than the allowed max size, TensorFlow will crash. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rmg2-f698-wq35 |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35985: 'CHECK' fail in 'LRNGrad'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9942-r22v-78cp |
tensorflow | 2.9.1 | <2.11.1 , >=2.12.0rc0,<2.12.0 |
Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25669: Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for 'tf.raw_ops.AvgPoolGrad', it can give a floating point exception. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rcf8-g8jv-vg6p |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36013: Null-dereference in 'mlir::tfg::GraphDefImporter::ConvertNodeDef'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-828c-5j5q-vrjq |
tensorflow | 2.9.1 | <2.8.4 , >=2.9.0rc0,<2.9.3 , >=2.10.0rc0,<2.10.1 |
Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41885: When 'tf.raw_ops.FusedResizeAndPadConv2D' is given a large tensor shape, it overflows. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-762h-vpvw-3rcx |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35940: Int overflow in 'RaggedRangeOp'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x989-q2pq-4q5x |
tensorflow | 2.9.1 | <2.7.4 , >=2.8.0rc0,<2.8.3 , >=2.9.0rc0,<2.9.2 |
TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36014: Null-dereference in 'mlir::tfg::TFOp::nameAttr'. https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7j3m-8g3c-9qqq |
setuptools | 41.6.0 | <65.5.1 |
Setuptools 65.5.1 includes a fix for CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
sqlalchemy | 1.3.18 | <2.0.0b1 |
Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords through careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
cryptography | 3.4.7 | <42.0.5 |
Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.4.7 | >=3.1,<41.0.6 |
Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.4.7 | <41.0.2 |
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.4.7 | <41.0.0 |
Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.4.7 | <39.0.1 |
Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.4.7 | <39.0.1 |
Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.4.7 | <41.0.4 |
Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.4.7 | >=1.8,<39.0.1 |
Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.4.7 | <42.0.0 |
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.4.7 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
cryptography | 3.4.7 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.4.7 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.4.7 | <41.0.5 |
show Cryptography 41.0.5 updates its Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, which includes a security fix. |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.7.1 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
sqlalchemy | 1.3.18 | <2.0.0b1 |
show Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords into logs and printed output through careless uses of str(engine.URL()). https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
[![Python 3](https://pyup.io/repos/github/hi-primus/optimus/python-3-shield.svg)](https://pyup.io/repos/github/hi-primus/optimus/)
[![Updates](https://pyup.io/repos/github/hi-primus/optimus/shield.svg)](https://pyup.io/repos/github/hi-primus/optimus/)