PyPI: Runway

CVE-2022-21668

Transitive

Safety vulnerability ID: 44558

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 10, 2022. Updated at Mar 11, 2024.

Advisory

Runway 2.5.0 updates its dependency 'pipenv' to v2022.1.8 to include a security fix.

Affected package

runway

Latest version: 2.6.14

Simplify infrastructure/app testing/deployment

Affected versions

Fixed versions

Vulnerability changelog

What Changed

🚀 Features

- lookup `TYPE_NAME` is now a ClassVar of `LookupHandler` instead of a constant ITProKyle (1020)
- replace custom VersionTuple with `packaging.version.Version` ITProKyle (1055)
- replace use of zgitignore with igittigitt ITProKyle (1074)
- add `runway.mixins.DelCachedPropMixin` ITProKyle (1075)
- add new awslambda hooks + lookups & deprecate aws_lambda hook ITProKyle (1081)
- `runway.cfngin.hooks.base.Hook.ARGS_PARSER` is now a `ClassVar` ITProKyle (1131)
- use `pydantic` for `runway.core.providers.aws._response` ITProKyle (1132)
- change `aws.s3.Bucket.exists`, add `aws.s3.Bucket.__bool__` ITProKyle (1133)
- static site: replace `.` with `-` when used in module name ITProKyle (1144)
- pass `encoding` when opening a file in text mode ITProKyle (1148)
- remove uses of non f-string string formatting ITProKyle (1149)
- changed how some pydantic model field aliases are set to better align expectations with type checker behavior ITProKyle (1151)

🧶 Dependencies

- change `pyyaml` version requirement from ^5 to >5.4 ITProKyle (1024)
- change `docker` version requirement to `>=3.0.0` ITProKyle (1079)
- change `jinja2` version requirement to `>=2.7` ITProKyle (1129)

📖 Doc Updates

- add note to hook & lookups docs for passing `allow_reuse` to pydantic validators ITProKyle (1019)

🧰 Maintenance

- fix an issue with the CDK functional test ITProKyle (1078)
- add stubs for docker, update some annotations around docker usage ITProKyle (1076)
- improve CFNgin recreate failed functional test consistency ITProKyle (1127)
- update infrastructure node dependencies ITProKyle (1145)
- change protocol used in git source test ITProKyle (1147)
- cleanup useless pylint suppressions ITProKyle (1152)
- update pipenv requirement to `^2022.1.8` to patch security exploit ITProKyle (1163)

Resources

Severity Details

CVSS Base Score

HIGH 8.6

CVSS v3 Details

HIGH 8.6
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH

CVSS v2 Details

HIGH 9.3
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): COMPLETE
Integrity Impact (I): COMPLETE
Availability Impact (A): COMPLETE