Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 18.1 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 18.1 | <19.2 |
show Versions of Pip prior to 19.2 are vulnerable to a directory traversal attack during the installation process from a URL. This vulnerability stems from improperly handling filenames in the Content-Disposition header that include path traversal sequences, potentially allowing unauthorized overwrite of critical files such as /root/.ssh/authorized_keys. The flaw is specifically found in the _download_http_url function within _internal/download.py. |
pip | 18.1 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
pip | 18.1 | <23.3 |
show Pip 23.3 includes a fix for CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. https://github.com/pypa/pip/pull/12306 |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.6.3 |
show Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes. |
bandit | 1.5.1 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 1.8.2 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
wheel | 0.32.3 | <0.38.1 |
show Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg |
aiohttp | 3.4.4 | <3.7.4 |
show Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg |
aiohttp | 3.4.4 | <3.9.0 |
show Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection. https://github.com/aio-libs/aiohttp/issues/4818 |
aiohttp | 3.4.4 | <=3.8.4 |
show Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w |
aiohttp | 3.4.4 | <3.8.0 |
show Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j |
aiohttp | 3.4.4 | >1.0.5,<3.9.2 |
show The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended. https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b |
aiohttp | 3.4.4 | <3.9.1 |
show The aiohttp versions minor than 3.9. has a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which could lead to robust frame boundary matching of proxies to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs. |
aiohttp | 3.4.4 | <3.9.0 |
show Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 |
aiohttp | 3.4.4 | <3.8.6 |
show Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 |
https://pyup.io/repos/github/inplat/aioapp/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/inplat/aioapp/python-3-shield.svg)](https://pyup.io/repos/github/inplat/aioapp/)
.. image:: https://pyup.io/repos/github/inplat/aioapp/python-3-shield.svg :target: https://pyup.io/repos/github/inplat/aioapp/ :alt: Python 3
<a href="https://pyup.io/repos/github/inplat/aioapp/"><img src="https://pyup.io/repos/github/inplat/aioapp/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/inplat/aioapp/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/inplat/aioapp/
{<img src="https://pyup.io/repos/github/inplat/aioapp/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/inplat/aioapp/]
https://pyup.io/repos/github/inplat/aioapp/shield.svg
[![Updates](https://pyup.io/repos/github/inplat/aioapp/shield.svg)](https://pyup.io/repos/github/inplat/aioapp/)
.. image:: https://pyup.io/repos/github/inplat/aioapp/shield.svg :target: https://pyup.io/repos/github/inplat/aioapp/ :alt: Updates
<a href="https://pyup.io/repos/github/inplat/aioapp/"><img src="https://pyup.io/repos/github/inplat/aioapp/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/inplat/aioapp/shield.svg(Updates)!:https://pyup.io/repos/github/inplat/aioapp/
{<img src="https://pyup.io/repos/github/inplat/aioapp/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/inplat/aioapp/]