Safety CI > vertexproject/vtx-base-image

pyup-update-requests-2.33.1-to-2.34.1

1 month, 1 week ago

e3a20680

Update requests from 2.33.1 to 2.34.1

urllib3 2.6.3 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.6.3	>=1.23,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.
urllib3	2.6.3	>=2.6.0,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

Package

Installed

Affected

Info

urllib3

2.6.3

>=1.23,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.

urllib3

2.6.3

>=2.6.0,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

pyup-update-cbor2-5.9.0-to-6.1.1

1 month, 1 week ago

8a0eeac2

Update cbor2 from 5.9.0 to 6.1.1

urllib3 2.6.3 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.6.3	>=1.23,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.
urllib3	2.6.3	>=2.6.0,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

Package

Installed

Affected

Info

urllib3

2.6.3

>=1.23,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.

urllib3

2.6.3

>=2.6.0,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

pyup-update-idna-3.11-to-3.15

1 month, 1 week ago

1b1181db

Update idna from 3.11 to 3.15

urllib3 2.6.3 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.6.3	>=1.23,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.
urllib3	2.6.3	>=2.6.0,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

Package

Installed

Affected

Info

urllib3

2.6.3

>=1.23,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.

urllib3

2.6.3

>=2.6.0,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

pyup-update-cbor2-5.9.0-to-6.1.0

1 month, 1 week ago

ef5eaed4

Update cbor2 from 5.9.0 to 6.1.0

urllib3 2.6.3 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.6.3	>=1.23,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.
urllib3	2.6.3	>=2.6.0,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

Package

Installed

Affected

Info

urllib3

2.6.3

>=1.23,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.

urllib3

2.6.3

>=2.6.0,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

pyup-update-stix2-validator-3.2.0-to-3.3.1

1 month, 1 week ago

6a5bb328

Update stix2-validator from 3.2.0 to 3.3.1

urllib3 2.6.3 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.6.3	>=1.23,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.
urllib3	2.6.3	>=2.6.0,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

Package

Installed

Affected

Info

urllib3

2.6.3

>=1.23,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.

urllib3

2.6.3

>=2.6.0,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

pyup-update-requests-2.33.1-to-2.34.0

1 month, 2 weeks ago

ca09f9b1

Update requests from 2.33.1 to 2.34.0

urllib3 2.6.3 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.6.3	>=1.23,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.
urllib3	2.6.3	>=2.6.0,<2.7.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

Package

Installed

Affected

Info

urllib3

2.6.3

>=1.23,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path.

urllib3

2.6.3

>=2.6.0,<2.7.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion.

pyup-update-idna-3.11-to-3.14

1 month, 2 weeks ago

fbe728f9

Update idna from 3.11 to 3.14