matrix-profile-foundation / mass-ts-examples Goto Github PK

Vulnerable Library - jupyter_core-4.6.1-py2.py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/fb/82/86437f661875e30682e99d04c13ba6c216f86f5f6ca6ef212d3ee8b6ca11/jupyter_core-4.6.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ jupyter_core-4.6.1-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39286

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363

Release Date: 2022-10-26

Fix Resolution: jupyter-core - 4.11.2

Vulnerable Library - Jinja2-2.10.3-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/65/e0/eb35e762802015cab1ccee04e8a277b03f1d8e53da3ec3106882ec42558b/Jinja2-2.10.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ Jinja2-2.10.3-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493

Release Date: 2021-02-01

Fix Resolution: Jinja2 - 2.11.3

Vulnerable Library - numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/3a/5f/47e578b3ae79e2624e205445ab77a1848acdaa2929a00eeef6b16eaaeb20/numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

• ❌ numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulneraility; In (very limited) circumstances a user may be able provoke the buffer overflow, the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.21.0 are vulnerable to CVE-2021-33430

Publish Date: 2021-12-17

URL: CVE-2021-33430

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430

Release Date: 2021-12-17

Fix Resolution: 1.21.0

Vulnerable Library - notebook-5.7.8-py2.py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/f6/36/89ebfffc9dd8c8dbd81c1ffb53e3d4233ee666414c143959477cb07cc5f5/notebook-5.7.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ❌ notebook-5.7.8-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.

Publish Date: 2022-03-31

URL: CVE-2022-24758

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m87f-39q9-6f55

Release Date: 2022-03-31

Fix Resolution: notebook - 6.4.10

Vulnerable Library - Pygments-2.5.2-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/be/39/32da3184734730c0e4d3fa3b2b5872104668ad6dc1b5a73d8e477e5fe967/Pygments-2.5.2-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ Pygments-2.5.2-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Publish Date: 2021-03-23

URL: CVE-2021-20270

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w8r-397f-prfh

Release Date: 2021-03-23

Fix Resolution: Pygments - 20.12.3

Vulnerable Library - notebook-5.7.8-py2.py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/f6/36/89ebfffc9dd8c8dbd81c1ffb53e3d4233ee666414c143959477cb07cc5f5/notebook-5.7.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ❌ notebook-5.7.8-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.

Publish Date: 2020-11-18

URL: CVE-2020-26215

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-c7vm-f5p4-8fqh

Release Date: 2020-11-18

Fix Resolution: 6.1.5

Vulnerable Library - notebook-5.7.8-py2.py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/f6/36/89ebfffc9dd8c8dbd81c1ffb53e3d4233ee666414c143959477cb07cc5f5/notebook-5.7.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ❌ notebook-5.7.8-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.

Publish Date: 2021-08-09

URL: CVE-2021-32798

CVSS 3 Score Details (9.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hwvq-6gjx-j797

Release Date: 2021-08-09

Fix Resolution: notebook - 5.7.11, 6.4.1

Vulnerable Library - mistune-0.8.4-py2.py3-none-any.whl

The fastest markdown parser in pure Python

Library home page: https://files.pythonhosted.org/packages/09/ec/4b43dae793655b7d8a25f76119624350b4d65eb663459eb9603d7f1f0345/mistune-0.8.4-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ mistune-0.8.4-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

Publish Date: 2022-07-25

URL: CVE-2022-34749

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fw3v-x4f2-v673

Release Date: 2022-07-25

Fix Resolution: mistune - 2.0.3

Vulnerable Library - bleach-3.1.0-py2.py3-none-any.whl

An easy safelist-based HTML-sanitizing tool.

Library home page: https://files.pythonhosted.org/packages/ab/05/27e1466475e816d3001efb6e0a85a819be17411420494a1e602c36f8299d/bleach-3.1.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ bleach-3.1.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.

Publish Date: 2021-02-01

URL: WS-2021-0011

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-vv2x-vrpj-qqpq

Release Date: 2021-02-01

Fix Resolution: bleach - 3.3.0

Vulnerable Library - notebook-5.7.8-py2.py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/f6/36/89ebfffc9dd8c8dbd81c1ffb53e3d4233ee666414c143959477cb07cc5f5/notebook-5.7.8-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ❌ notebook-5.7.8-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with ContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. ~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.

Publish Date: 2022-06-14

URL: CVE-2022-29238

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v7vq-3x77-87vg

Release Date: 2022-06-14

Fix Resolution: notebook - 6.4.12

Vulnerable Library - nbconvert-5.6.1-py2.py3-none-any.whl

Converting Jupyter Notebooks

Library home page: https://files.pythonhosted.org/packages/79/6c/05a569e9f703d18aacb89b7ad6075b404e8a4afde2c26b73ca77bb644b14/nbconvert-5.6.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ❌ nbconvert-5.6.1-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

Publish Date: 2022-08-18

URL: CVE-2021-32862

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-9jmq-rx5f-8jwq

Release Date: 2022-08-18

Fix Resolution: nbconvert - 6.3.0

Vulnerable Library - ipython-5.8.0-py2-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/b0/88/d996ab8be22cea1eaa18baee3678a11265e18cf09974728d683c51102148/ipython-5.8.0-py2-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • jupyter_console-5.2.0-py2.py3-none-any.whl
    • ❌ ipython-5.8.0-py2-none-any.whl (Vulnerable Library)

Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.

Publish Date: 2022-01-19

URL: CVE-2022-21699

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-pq7m-3gw7-gq5x

Release Date: 2022-01-19

Fix Resolution: ipython - 5.11,7.16.3,7.31.1,8.0.1

Vulnerable Library - tornado-5.1.1.tar.gz

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/e6/78/6e7b5af12c12bdf38ca9bfe863fcaf53dc10430a312d0324e76c1e5ca426/tornado-5.1.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • jupyter_console-5.2.0-py2.py3-none-any.whl
    • jupyter_client-5.3.4-py2.py3-none-any.whl
      • ❌ tornado-5.1.1.tar.gz (Vulnerable Library)

Vulnerability Details

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

Publish Date: 2023-05-25

URL: CVE-2023-28370

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-05-25

Fix Resolution: tornado - 6.3.2

Vulnerable Library - ipaddress-1.0.23-py2.py3-none-any.whl

IPv4/IPv6 manipulation library

Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • notebook-5.7.8-py2.py3-none-any.whl
    • ❌ ipaddress-1.0.23-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

Publish Date: 2020-06-18

URL: CVE-2020-14422

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422

Release Date: 2020-06-18

Fix Resolution: v3.5.10,v3.6.12,v3.7.9,v3.8.4v3.9.0

Vulnerable Library - numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/3a/5f/47e578b3ae79e2624e205445ab77a1848acdaa2929a00eeef6b16eaaeb20/numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

• ❌ numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: 1.22.0

Vulnerable Library - Pygments-2.5.2-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/be/39/32da3184734730c0e4d3fa3b2b5872104668ad6dc1b5a73d8e477e5fe967/Pygments-2.5.2-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ Pygments-2.5.2-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Publish Date: 2021-03-17

URL: CVE-2021-27291

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution: Pygments - 2.7.4

Vulnerable Library - numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/3a/5f/47e578b3ae79e2624e205445ab77a1848acdaa2929a00eeef6b16eaaeb20/numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

• ❌ numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.22.0 are vulnerable to CVE-2021-41496

Publish Date: 2021-12-17

URL: CVE-2021-41496

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - bleach-3.1.0-py2.py3-none-any.whl

An easy safelist-based HTML-sanitizing tool.

Library home page: https://files.pythonhosted.org/packages/ab/05/27e1466475e816d3001efb6e0a85a819be17411420494a1e602c36f8299d/bleach-3.1.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ bleach-3.1.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

Publish Date: 2020-03-24

URL: CVE-2020-6816

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6xf-fq7q-8743

Release Date: 2020-03-24

Fix Resolution: bleach - 3.1.2

Vulnerable Library - bleach-3.1.0-py2.py3-none-any.whl

An easy safelist-based HTML-sanitizing tool.

Library home page: https://files.pythonhosted.org/packages/ab/05/27e1466475e816d3001efb6e0a85a819be17411420494a1e602c36f8299d/bleach-3.1.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ bleach-3.1.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

Publish Date: 2020-03-24

URL: CVE-2020-6802

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q65m-pv3f-wr5r

Release Date: 2020-03-24

Fix Resolution: 3.1.1

Vulnerable Library - ipython-5.8.0-py2-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/b0/88/d996ab8be22cea1eaa18baee3678a11265e18cf09974728d683c51102148/ipython-5.8.0-py2-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • jupyter_console-5.2.0-py2.py3-none-any.whl
    • ❌ ipython-5.8.0-py2-none-any.whl (Vulnerable Library)

Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function IPython.utils.terminal.set_term_title be called on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool set_term_title could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the IPython.utils.terminal.set_term_title function are done with trusted or filtered input.

Publish Date: 2023-02-10

URL: CVE-2023-24816

CVSS 3 Score Details (7.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816

Release Date: 2023-02-10

Fix Resolution: ipython - 8.10.0