levyforchh / clusterfuzz
This project forked from google/clusterfuzz
Scalable fuzzing infrastructure.
Home Page: https://google.github.io/clusterfuzz
License: Apache License 2.0
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/76/38/cf8f81c1d7d84fec922d67f0d92bfa9fee59145d875d7263ceefa2bbbaf4/Twisted-14.0.0.tar.bz2
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Publish Date: 2020-03-11
URL: CVE-2016-1000111
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000111
Release Date: 2016-06-20
Fix Resolution: 16.3.1
tlslite implements SSL and TLS.
Library home page: https://files.pythonhosted.org/packages/29/cf/22c98d36af1f38150e2c0a79589fee799b72eeb91e49ce184e6f3ccb3991/tlslite-0.4.6.tar.gz
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/requirements.txt,clusterfuzz/src/platform_requirements.txt,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash).
Publish Date: 2017-06-13
URL: CVE-2015-3220
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-3220
Release Date: 2017-06-13
Fix Resolution: 0.4.9
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/requirements.txt,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Publish Date: 2020-03-24
URL: CVE-2020-1747
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747
Release Date: 2020-03-24
Fix Resolution: 5.3.1
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/b8/86/2692315807539c0f6452c58661d268c88d5fb79acf6c13279eb7b87ecd81/cryptography-3.0-cp27-cp27mu-manylinux2010_x86_64.whl
Path to dependency file: clusterfuzz/src/appengine/requirements.txt
Path to vulnerable library: clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Publish Date: 2021-02-07
URL: CVE-2020-36242
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Release Date: 2021-02-07
Fix Resolution: cryptography - 3.3.2
Pure-Python RSA implementation
Library home page: https://files.pythonhosted.org/packages/02/e5/38518af393f7c214357079ce67a317307936896e961e35450b70fad2a9cf/rsa-4.0-py2.py3-none-any.whl
Path to dependency file: clusterfuzz/src/platform_requirements.txt
Path to vulnerable library: clusterfuzz/src/platform_requirements.txt,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/local/butler/scripts
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
Publish Date: 2020-06-01
URL: CVE-2020-13757
Base Score Metrics:
Type: Upgrade version
Origin: sybrenstuvel/python-rsa@3283b12
Release Date: 2020-06-01
Fix Resolution: rsa - 4.1
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/76/38/cf8f81c1d7d84fec922d67f0d92bfa9fee59145d875d7263ceefa2bbbaf4/Twisted-14.0.0.tar.bz2
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
Python Twisted 14.0 trustRoot is not respected in HTTP client
Publish Date: 2019-11-12
URL: CVE-2014-7143
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7143
Release Date: 2019-05-30
Fix Resolution: 14.0.1
Cross-platform lib for process and system monitoring in Python.
Library home page: https://files.pythonhosted.org/packages/64/4b/70601d39b8e445265ed148affc49f7bfbd246940637785be5c80e007fa6e/psutil-2.1.1.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build
Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
Publish Date: 2019-11-12
URL: CVE-2019-18874
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18874
Release Date: 2019-11-12
Fix Resolution: 5.6.6
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/76/38/cf8f81c1d7d84fec922d67f0d92bfa9fee59145d875d7263ceefa2bbbaf4/Twisted-14.0.0.tar.bz2
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
Publish Date: 2019-06-10
URL: CVE-2019-12387
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
Release Date: 2019-06-10
Fix Resolution: 19.2.1
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/03/06/eb9f000882f671a2d494342c1fe93b1c8b18fb04420bb611aeaa3298ef17/lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/ae/a8/ad6c2350c65b357faf9a06c7428b5c6159b01bd3014eed93a75513843063/lxml-3.3.5.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build
Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/handlers/cron/project
Dependency Hierarchy:
An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
Publish Date: 2020-12-03
URL: CVE-2020-27783
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
Release Date: 2020-10-27
Fix Resolution: 4.6.1
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/ae/a8/ad6c2350c65b357faf9a06c7428b5c6159b01bd3014eed93a75513843063/lxml-3.3.5.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build
Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/handlers/cron/project
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
Publish Date: 2018-12-02
URL: CVE-2018-19787
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19787
Fix Resolution: lxml-4.2.5
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/76/38/cf8f81c1d7d84fec922d67f0d92bfa9fee59145d875d7263ceefa2bbbaf4/Twisted-14.0.0.tar.bz2
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
Publish Date: 2020-03-12
URL: CVE-2020-10109
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p5xh-vx83-mxcj
Release Date: 2020-03-12
Fix Resolution: twisted - 20.3.0
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/03/06/eb9f000882f671a2d494342c1fe93b1c8b18fb04420bb611aeaa3298ef17/lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/ae/a8/ad6c2350c65b357faf9a06c7428b5c6159b01bd3014eed93a75513843063/lxml-3.3.5.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build
Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/handlers/cron/project
Dependency Hierarchy:
lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
Publish Date: 2021-03-21
URL: CVE-2021-28957
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
Release Date: 2021-03-21
Fix Resolution: 4.6.2
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/requirements.txt,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/76/38/cf8f81c1d7d84fec922d67f0d92bfa9fee59145d875d7263ceefa2bbbaf4/Twisted-14.0.0.tar.bz2
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
Publish Date: 2019-06-16
URL: CVE-2019-12855
Base Score Metrics:
Type: Change files
Origin: GHSA-65rm-h285-5cc5
Release Date: 2019-12-19
Fix Resolution: Replace or update the following file: 19.7.0
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/76/38/cf8f81c1d7d84fec922d67f0d92bfa9fee59145d875d7263ceefa2bbbaf4/Twisted-14.0.0.tar.bz2
Path to dependency file: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt
Path to vulnerable library: clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
Publish Date: 2020-03-12
URL: CVE-2020-10108
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h96w-mmrf-2h6v
Release Date: 2020-03-12
Fix Resolution: twisted - 20.3.0
Pure python implementation of SSL and TLS.
Library home page: https://files.pythonhosted.org/packages/53/3e/2299471198f82fd3c5ba3078609d5100d39037270b13a1ae56b35a7b19a1/tlslite-ng-0.7.5.tar.gz
Path to dependency file: clusterfuzz/src/platform_requirements.txt
Path to vulnerable library: clusterfuzz/src/platform_requirements.txt,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/python/bot/untrusted_runner/build
Dependency Hierarchy:
tlslite-ng is an open source Python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data-dependent. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00, 0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in a side-channel-free manner; this is known not to be the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.
Publish Date: 2020-12-21
URL: CVE-2020-26263
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wvcv-832q-fjg7
Release Date: 2020-12-21
Fix Resolution: 0.8.0-alpha39, 0.7.6
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/b8/86/2692315807539c0f6452c58661d268c88d5fb79acf6c13279eb7b87ecd81/cryptography-3.0-cp27-cp27mu-manylinux2010_x86_64.whl
Path to dependency file: clusterfuzz/src/appengine/requirements.txt
Path to vulnerable library: clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Publish Date: 2021-01-11
URL: CVE-2020-25659
Type: Change files
Origin: pyca/cryptography@58494b4
Release Date: 2020-10-26
Fix Resolution: Replace or update the following file: rsa.py
IPv4/IPv6 manipulation library
Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl
Path to dependency file: clusterfuzz/src/appengine/requirements.txt
Path to vulnerable library: clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
Publish Date: 2020-06-18
URL: CVE-2020-14422
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2020-14422
Release Date: 2020-06-18
Fix Resolution: 3.5.3-1+deb9u2, 3.7.3-2+deb10u2, 3.8.4~rc1-1
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem
Dependency Hierarchy:
Found in HEAD commit: aefe4b0859891117218fba5984e5c3e753ea9597
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Publish Date: 2020-07-17
URL: CVE-2020-14001
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
Release Date: 2020-07-17
Fix Resolution: kramdown - 2.3.0
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/requirements.txt,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4