Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.6.3 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.6.3 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
Package | Installed | Affected | Info |
---|---|---|---|
pip | 20.3.4 | >=0 |
show ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
pip | 20.3.4 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. |
pip | 20.3.4 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
pip | 20.3.4 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
Click | 7.1.2 | <8.0.0 |
show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752 |
Pillow | 8.2.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.2.0 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 8.2.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 8.2.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.2.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.2.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.2.0 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.2.0 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 8.2.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.2.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
Sphinx | 3.2.0 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
future | 0.18.2 | <=0.18.2 |
show Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215 https://github.com/python/cpython/pull/17157 |
cryptography | 3.3.2 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
cryptography | 3.3.2 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
cryptography | 3.3.2 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
cryptography | 3.3.2 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=3.1,<41.0.6 |
show Cryptography 41.0.6 includes a fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates. https://github.com/advisories/GHSA-jfhm-5ghh-2f97 |
cryptography | 3.3.2 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
cryptography | 3.3.2 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
cryptography | 3.3.2 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
cryptography | 3.3.2 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
cryptography | 3.3.2 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
https://pyup.io/repos/github/wandering-tales/redmine2jira/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/wandering-tales/redmine2jira/python-3-shield.svg)](https://pyup.io/repos/github/wandering-tales/redmine2jira/)
.. image:: https://pyup.io/repos/github/wandering-tales/redmine2jira/python-3-shield.svg :target: https://pyup.io/repos/github/wandering-tales/redmine2jira/ :alt: Python 3
<a href="https://pyup.io/repos/github/wandering-tales/redmine2jira/"><img src="https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/wandering-tales/redmine2jira/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/wandering-tales/redmine2jira/
{<img src="https://pyup.io/repos/github/wandering-tales/redmine2jira/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/wandering-tales/redmine2jira/]
https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg
[![Updates](https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg)](https://pyup.io/repos/github/wandering-tales/redmine2jira/)
.. image:: https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg :target: https://pyup.io/repos/github/wandering-tales/redmine2jira/ :alt: Updates
<a href="https://pyup.io/repos/github/wandering-tales/redmine2jira/"><img src="https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg(Updates)!:https://pyup.io/repos/github/wandering-tales/redmine2jira/
{<img src="https://pyup.io/repos/github/wandering-tales/redmine2jira/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/wandering-tales/redmine2jira/]