The Federated Model Aggregation (FMA) Service is a collection of installable python components that make up the generic workflow/infrastructure needed for federated learning.
Home Page: https://capitalone.github.io/federated-model-aggregation/
License: Apache License 2.0
Is your feature request related to a problem? Please describe.
Currently users have to manually terminate their experiments.
Describe the outcome you'd like:
I would like users to be able to specify their end condition such as:
Additional context:
N/A
Vulnerable Library - Django-3.2.18-py3-none-any.whlA high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/57/12/da22535f809b8c06c8d58eaf236ec8683ffd4e1dc4eced175b174e6446fa/Django-3.2.18-py3-none-any.whl
Path to dependency file: /connectors/django/requirements.txt
Path to vulnerable library: /connectors/django/requirements.txt,/connectors/django/requirements.txt,/api_service,/connectors/django
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (Django version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2023-31047 |  Critical |
9.8 | Django-3.2.18-py3-none-any.whl | Direct | 3.2.19 | ✅ |
| CVE-2023-36053 |  Medium |
5.5 | Django-3.2.18-py3-none-any.whl | Direct | Django -3.2.20,4.1.10,4.2.3 | ✅ |
CVE-2023-31047A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/57/12/da22535f809b8c06c8d58eaf236ec8683ffd4e1dc4eced175b174e6446fa/Django-3.2.18-py3-none-any.whl
Path to dependency file: /connectors/django/requirements.txt
Path to vulnerable library: /connectors/django/requirements.txt,/connectors/django/requirements.txt,/api_service,/connectors/django
Dependency Hierarchy:
Found in base branch: main
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Publish Date: 2023-05-07
URL: CVE-2023-31047
Base Score Metrics:
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q2/110
Release Date: 2023-05-07
Fix Resolution: 3.2.19
⛑️ Automatic Remediation is available for this issue
CVE-2023-36053A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/57/12/da22535f809b8c06c8d58eaf236ec8683ffd4e1dc4eced175b174e6446fa/Django-3.2.18-py3-none-any.whl
Path to dependency file: /connectors/django/requirements.txt
Path to vulnerable library: /connectors/django/requirements.txt,/connectors/django/requirements.txt,/api_service,/connectors/django
Dependency Hierarchy:
Found in base branch: main
Django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
Publish Date: 2023-06-21
URL: CVE-2023-36053
Base Score Metrics:
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q3/2
Release Date: 2023-06-21
Fix Resolution: Django -3.2.20,4.1.10,4.2.3
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
Is your feature request related to a problem? Please describe.
The aggregation requirement for all clients to push to the server is Django dependent.
Describe the outcome you'd like:
This Django dependency needs to be abstracted away from aggregation requirements.
Additional context:
Location to django dependency: https://github.com/capitalone/federated-model-aggregation/blob/main/fma-core/fma_core/algorithms/requirements/common.py#L15
Is your feature request related to a problem? Please describe.
Currently, there's only a python client.
Describe the outcome you'd like:
Similar to the python client here:
https://github.com/capitalone/federated-model-aggregation/tree/main/clients
We need a typescript client that similarly interacts with the API.
Additional context:
Mimic the API schema from the python client. Folder structure, etc.
Contributor is able to take liberties from the below.
These are suggested solutions.
In a file called settings.ts:
export class DefaultSettings {
url: string;
constructor(){
this.url = "http://127.0.0.1:8000/";
}
}In a file called clients.ts:
export class WebClient {
/**
*REST API Wrapper to interact with the federated model aggregation service.
**/
private _url: string;
private _uuid: any;
private _federated_model_id: number;
is_registered: boolean;
last_model_aggregate: number | null;
constructor(federated_model_id:number, uuid:any=null, url:any=null) {
...
}
private _get_auth_header(uuid=null){...}
async register() {...}
async send_update(data:any, base_aggregate=null){...}
async check_for_new_model_aggregate(update_after=null){...}
async get_current_artifact(){...}
async check_for_latest_model(update_after=null){...}
async send_val_results ...
...
} Vulnerable Library - Django-3.2.20-py3-none-any.whlA high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/84/eb/5329ae72bf26b91844985d0de74e4edf876e3ca409d085820f230eea2eba/Django-3.2.20-py3-none-any.whl
Path to dependency file: /connectors/django
Path to vulnerable library: /connectors/django,/connectors/django/requirements.txt,/connectors/django/requirements.txt
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (Django version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-46695 |  High |
7.5 | Django-3.2.20-py3-none-any.whl | Direct | Django - 3.2.23,4.1.13,4.2.7 | ✅ |
| CVE-2023-41164 | High |
7.5 | Django-3.2.20-py3-none-any.whl | Direct | Django - 3.2.21,4.1.11,4.2.5 | ✅ |
| CVE-2023-43665 | High |
7.5 | Django-3.2.20-py3-none-any.whl | Direct | Django - 3.2.22,4.1.12,4.2.6 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-46695A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/84/eb/5329ae72bf26b91844985d0de74e4edf876e3ca409d085820f230eea2eba/Django-3.2.20-py3-none-any.whl
Path to dependency file: /connectors/django
Path to vulnerable library: /connectors/django,/connectors/django/requirements.txt,/connectors/django/requirements.txt
Dependency Hierarchy:
Found in base branch: main
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Publish Date: 2023-11-02
URL: CVE-2023-46695
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Release Date: 2023-10-25
Fix Resolution: Django - 3.2.23,4.1.13,4.2.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-41164A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/84/eb/5329ae72bf26b91844985d0de74e4edf876e3ca409d085820f230eea2eba/Django-3.2.20-py3-none-any.whl
Path to dependency file: /connectors/django
Path to vulnerable library: /connectors/django,/connectors/django/requirements.txt,/connectors/django/requirements.txt
Dependency Hierarchy:
Found in base branch: main
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Publish Date: 2023-11-03
URL: CVE-2023-41164
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.21,4.1.11,4.2.5
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-43665A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/84/eb/5329ae72bf26b91844985d0de74e4edf876e3ca409d085820f230eea2eba/Django-3.2.20-py3-none-any.whl
Path to dependency file: /connectors/django
Path to vulnerable library: /connectors/django,/connectors/django/requirements.txt,/connectors/django/requirements.txt
Dependency Hierarchy:
Found in base branch: main
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Publish Date: 2023-11-03
URL: CVE-2023-43665
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.22,4.1.12,4.2.6
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Is your feature request related to a problem? Please describe.
Currently, the only form of validation available is centralized/traditional validation on the server. (i.e. the server has a validation dataset that it runs against models to create validation reports.)
Describe the outcome you'd like:
I would like for user to have the configuration option to enable federated validation using the following steps:
Additional context:
N/A
Vulnerable Library - Django-4.2.4-py3-none-any.whlA high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/7f/9e/fc6bab255ae10bc57fa2f65646eace3d5405fbb7f5678b90140052d1db0f/Django-4.2.4-py3-none-any.whl
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (Django version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-46695 | High |
7.5 | Django-4.2.4-py3-none-any.whl | Direct | Django - 3.2.23,4.1.13,4.2.7 | ❌ |
| CVE-2023-41164 | High |
7.5 | Django-4.2.4-py3-none-any.whl | Direct | Django - 3.2.21,4.1.11,4.2.5 | ❌ |
| CVE-2023-43665 | High |
7.5 | Django-4.2.4-py3-none-any.whl | Direct | Django - 3.2.22,4.1.12,4.2.6 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-46695A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/7f/9e/fc6bab255ae10bc57fa2f65646eace3d5405fbb7f5678b90140052d1db0f/Django-4.2.4-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Publish Date: 2023-11-02
URL: CVE-2023-46695
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Release Date: 2023-10-25
Fix Resolution: Django - 3.2.23,4.1.13,4.2.7
CVE-2023-41164A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/7f/9e/fc6bab255ae10bc57fa2f65646eace3d5405fbb7f5678b90140052d1db0f/Django-4.2.4-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Publish Date: 2023-11-03
URL: CVE-2023-41164
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.21,4.1.11,4.2.5
CVE-2023-43665A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/7f/9e/fc6bab255ae10bc57fa2f65646eace3d5405fbb7f5678b90140052d1db0f/Django-4.2.4-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Publish Date: 2023-11-03
URL: CVE-2023-43665
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.22,4.1.12,4.2.6
Vulnerable Library - sqlparse-0.4.4-py3-none-any.whlA non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/98/5a/66d7c9305baa9f11857f247d4ba761402cea75db6058ff850ed7128957b7/sqlparse-0.4.4-py3-none-any.whl
Path to dependency file: /connectors/django/Pipfile
Path to vulnerable library: /connectors/django/Pipfile,/connectors/django/requirements.txt,/connectors/django
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (sqlparse version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-4340 | High |
7.5 | sqlparse-0.4.4-py3-none-any.whl | Direct | sqlparse - 0.5.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2024-4340A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/98/5a/66d7c9305baa9f11857f247d4ba761402cea75db6058ff850ed7128957b7/sqlparse-0.4.4-py3-none-any.whl
Path to dependency file: /connectors/django/Pipfile
Path to vulnerable library: /connectors/django/Pipfile,/connectors/django/requirements.txt,/connectors/django
Dependency Hierarchy:
Found in base branch: main
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Publish Date: 2024-04-30
URL: CVE-2024-4340
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-4340
Release Date: 2024-04-30
Fix Resolution: sqlparse - 0.5.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-4.1.7-py3-none-any.whlA high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/89/86/59e237f7176cfc1544446914fa329fd560bb8fce46be52dd7af5dc7c54f9/Django-4.1.7-py3-none-any.whl
Path to dependency file: /connectors/django/Pipfile
Path to vulnerable library: /connectors/django/Pipfile,/connectors/django/Pipfile
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (Django version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2023-31047 | Critical |
9.8 | Django-4.1.7-py3-none-any.whl | Direct | 4.1.9 | ✅ |
| CVE-2023-36053 | Medium |
5.5 | Django-4.1.7-py3-none-any.whl | Direct | Django -3.2.20,4.1.10,4.2.3 | ✅ |
CVE-2023-31047A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/89/86/59e237f7176cfc1544446914fa329fd560bb8fce46be52dd7af5dc7c54f9/Django-4.1.7-py3-none-any.whl
Path to dependency file: /connectors/django/Pipfile
Path to vulnerable library: /connectors/django/Pipfile,/connectors/django/Pipfile
Dependency Hierarchy:
Found in base branch: main
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Publish Date: 2023-05-07
URL: CVE-2023-31047
Base Score Metrics:
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q2/110
Release Date: 2023-05-07
Fix Resolution: 4.1.9
⛑️ Automatic Remediation is available for this issue
CVE-2023-36053A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/89/86/59e237f7176cfc1544446914fa329fd560bb8fce46be52dd7af5dc7c54f9/Django-4.1.7-py3-none-any.whl
Path to dependency file: /connectors/django/Pipfile
Path to vulnerable library: /connectors/django/Pipfile,/connectors/django/Pipfile
Dependency Hierarchy:
Found in base branch: main
Django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
Publish Date: 2023-06-21
URL: CVE-2023-36053
Base Score Metrics:
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q3/2
Release Date: 2023-06-21
Fix Resolution: Django -3.2.20,4.1.10,4.2.3
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
General Information:
Describe the bug:
The github pages does not explicitly install all requirements from the repository to generate documentation
To Reproduce:
Generate documentation from github pages and include a library in one of the requirements.txt files that aren't called out in the readme for the github pages branch.
Expected behavior:
documentation generation will fail
Screenshots:
Additional context:
Is your feature request related to a problem? Please describe.
Currently, there aren't any tests for the post agg service function in tasks.py.
Describe the outcome you'd like:
I would like unit testing coverage on the post agg service function in tasks.py.
Additional context:
Is your feature request related to a problem? Please describe.
Currently tags that are created in the deployment scripts and the fma_settings are individually unique. This opens up the possibility for ambiguity between tags.
Describe the outcome you'd like:
In order to removed any potential ambiguity with the tags, there needs to be some shared tracking on which tags have been created between both configuration files.
Additional context:
fix in aggregator/federated_learning_project/settings_remote.py
General Information:
To Reproduce:
Standup API service and try to set the allow aggregation attribute on the web form.
Expected behavior:
No matter what the attribute is set to the allow aggregation attribute will be set to "false". Even if an update patch is done from the web page the change will not propagate to the database entry
Additional context:
Proposed fix:
change logic on lines 69-74 in serializers.py to account for the instance.scheduler not existing when deploying remotely
General Information:
Describe the bug:
The fma-django forces the region to be us-east-1 for remote deployment on 106 in connectors/django/fma_django/models.py
To Reproduce:
do remote deployment
Expected behavior:
will only properly deploy remotely to us-east-1 aws region
Screenshots:
Additional context:
The connectors/django/fma_django/models.py forces the aggregation scheduler to use aws remotely. This should be abstracted out so that any remote deployment is enabled for the service.
Specific reference to line 106 and the use of boto in general within that file
Is your feature request related to a problem? Please describe.
The JS client is being created, and there is some code being produced. Most of the PR Review comments at this early stage can be addressed through following a proper style guide. Enforcing a standard lint library along with test with coverage and pre-commit hooks helps developer productivity and maintains high standard in code.
Describe the outcome you'd like:
Enable support for:
Vulnerable Library - urllib3-2.0.4-py3-none-any.whlHTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/9b/81/62fd61001fa4b9d0df6e31d47ff49cfa9de4af03adecf339c7bc30656b37/urllib3-2.0.4-py3-none-any.whl
Path to dependency file: /clients/python_client/Pipfile
Path to vulnerable library: /clients/python_client/Pipfile,/clients/python_client,/clients/python_client/requirements.txt,/examples/client_examples/python_client/requirements.txt
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (urllib3 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-43804 | High |
8.1 | urllib3-2.0.4-py3-none-any.whl | Direct | 2.0.6 | ✅ |
| CVE-2023-45803 | Medium |
4.2 | urllib3-2.0.4-py3-none-any.whl | Direct | 2.0.7 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-43804HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/9b/81/62fd61001fa4b9d0df6e31d47ff49cfa9de4af03adecf339c7bc30656b37/urllib3-2.0.4-py3-none-any.whl
Path to dependency file: /clients/python_client/Pipfile
Path to vulnerable library: /clients/python_client/Pipfile,/clients/python_client,/clients/python_client/requirements.txt,/examples/client_examples/python_client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution: 2.0.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-45803HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/9b/81/62fd61001fa4b9d0df6e31d47ff49cfa9de4af03adecf339c7bc30656b37/urllib3-2.0.4-py3-none-any.whl
Path to dependency file: /clients/python_client/Pipfile
Path to vulnerable library: /clients/python_client/Pipfile,/clients/python_client,/clients/python_client/requirements.txt,/examples/client_examples/python_client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution: 2.0.7
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - fetch-mock-9.11.0.tgzPath to dependency file: /clients/javascript_client/package.json
Path to vulnerable library: /clients/javascript_client/node_modules/@babel/traverse/package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (fetch-mock version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-45133 | High |
8.8 | traverse-7.22.10.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-45133Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.22.10.tgz
Path to dependency file: /clients/javascript_client/package.json
Path to vulnerable library: /clients/javascript_client/node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in base branch: main
Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution: @babel/traverse - 7.23.2
Is your feature request related to a problem? Please describe.
Currently, clients can pull their own model updates from the server.
Describe the outcome you'd like:
Clients should only be given read-only access to their model updates. They shouldn't have the ability to update or modify.
Additional context:
Vulnerable Library - requests-2.27.1-py2.py3-none-any.whlPython HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/2d/61/08076519c80041bc0ffa1a8af0cbd3bf3e2b62af10435d269a9d0f40564d/requests-2.27.1-py2.py3-none-any.whl
Path to dependency file: /clients/python_client/Pipfile
Path to vulnerable library: /clients/python_client/Pipfile
Found in HEAD commit: 98f9a1b8dfae73863edf6e5ad1e8920c5cd5723e
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (requests version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-32681 | Medium |
6.1 | requests-2.27.1-py2.py3-none-any.whl | Direct | requests -2.31.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-32681Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/2d/61/08076519c80041bc0ffa1a8af0cbd3bf3e2b62af10435d269a9d0f40564d/requests-2.27.1-py2.py3-none-any.whl
Path to dependency file: /clients/python_client/Pipfile
Path to vulnerable library: /clients/python_client/Pipfile
Dependency Hierarchy:
Found in HEAD commit: 98f9a1b8dfae73863edf6e5ad1e8920c5cd5723e
Found in base branch: main
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Publish Date: 2023-05-26
URL: CVE-2023-32681
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8r2-6x86-q33q
Release Date: 2023-05-26
Fix Resolution: requests -2.31.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Is your feature request related to a problem? Please describe.
Currently, users log into the django webserver using a username and password which isn't secure.
Describe the outcome you'd like:
I would like user login/authentication to support OAuth.
Additional context:
N/A
Is your feature request related to a problem? Please describe.
The current method of aggregation on allows for users to average the gradient updates from all clients and apply a global update.
Describe the outcome you'd like:
I would like functionality to pass in parameters to the aggregation methods. For example, client weights, to weight the averaging of gradient updates.
Additional context:
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.