scrapedia / r18 Goto Github PK

Vulnerable Library - certifi-2020.6.20-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/c4/6c4fe722df5343c33226f0b4e0bb042e4dc13483228b4718baf286f86d87/certifi-2020.6.20-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• sentry_sdk-0.17.4-py2.py3-none-any.whl (Root Library)
  • ❌ certifi-2020.6.20-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (sentry-sdk): 0.17.5

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

Publish Date: 2021-06-02

URL: CVE-2021-28675

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28675

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

Publish Date: 2021-06-02

URL: CVE-2021-28677

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28677

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22816

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 6a78aed794546b99c2cc08e83d5aebf75d2958d9

Vulnerability Details

A flaw was found in python-pillow. The vulnerability occurs due to the not validated remove operation, leading to Improper input validation. This flaw allows an attacker to externally-influenced input commands that modify or remove the intended command.

Publish Date: 2022-02-02

URL: CVE-2022-24303

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j59-75qj-795w

Release Date: 2022-02-02

Fix Resolution: Pillow - 9.0.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Publish Date: 2021-09-03

URL: CVE-2021-23437

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Release Date: 2021-09-03

Fix Resolution: Pillow - 8.3.2

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of Pillow up to version 8.1.1 are vulnerable to CVE-2021-27921.

Publish Date: 2021-03-03

URL: CVE-2021-27921

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

Publish Date: 2021-03-19

URL: CVE-2021-25289

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

Publish Date: 2021-06-02

URL: CVE-2021-25287

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25287

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Vulnerable Library - Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/4d/15/890ba1d83dc29ad71427ce5174d5963b84a25c8cf1973815107709fbb520/Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advised to upgrade. There are no known workarounds.

Publish Date: 2022-02-07

URL: CVE-2022-21712

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-92x2-jw7w-xvvx

Release Date: 2022-02-07

Fix Resolution: Twisted - 22.1.0

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

Publish Date: 2021-01-12

URL: CVE-2020-35653

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35653

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/88/68/3b54d44fbc5ba20dc4cd6b3f58d4fa28933f5d49136e0c4a80432e360cd7/cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-07

Fix Resolution: cryptography - 3.3.2

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

Publish Date: 2022-01-10

URL: CVE-2022-22817

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Vulnerable Library - sentry_sdk-0.17.4-py2.py3-none-any.whl

Python client for Sentry (https://sentry.io)

Library home page: https://files.pythonhosted.org/packages/0e/60/29048f4341088a505062f2ca267b56bde8a07fa74952ee1b23a0e63626b7/sentry_sdk-0.17.4-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ sentry_sdk-0.17.4-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have sendDefaultPII set to True; one must use a custom name for either SESSION_COOKIE_NAME or CSRF_COOKIE_NAME in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the sentry-sdk will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the before_send callback method and for performance related events (transactions) one can use the before_send_transaction callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the $http.cookies, $http.headers, $request.cookies, or $request.headers fields to target with a scrubbing rule.

Publish Date: 2023-03-22

URL: CVE-2023-28117

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-29pr-6jr8-q5jm

Release Date: 2023-03-22

Fix Resolution: 1.14.0

Vulnerable Library - Scrapy-1.8.0-py2.py3-none-any.whl

A high-level Web Crawling and Web Scraping framework

Library home page: https://files.pythonhosted.org/packages/3b/e4/69b87d7827abf03dea2ea984230d50f347b00a7a3897bc93f6ec3dafa494/Scrapy-1.8.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • ❌ Scrapy-1.8.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Scrapy before v2.6.2 and v1.8.3 vulnerable to one proxy sending credentials to another

Publish Date: 2022-07-29

URL: WS-2022-0181

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-9x8m-2xpf-crp3

Release Date: 2022-07-29

Fix Resolution: Scrapy - 1.8.3,2.6.2

Vulnerable Library - lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/d1/2d/642ef7013aa56af52e14b5b7d53c5d591e6d038c9688e06d0f2a20ed26b2/lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Publish Date: 2020-12-03

URL: CVE-2020-27783

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1901633

Release Date: 2020-12-03

Fix Resolution: 4.6.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Publish Date: 2021-07-13

URL: CVE-2021-34552

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow

Release Date: 2021-07-13

Fix Resolution: Pillow-8.3.0

Vulnerable Library - Scrapy-1.8.0-py2.py3-none-any.whl

A high-level Web Crawling and Web Scraping framework

Library home page: https://files.pythonhosted.org/packages/3b/e4/69b87d7827abf03dea2ea984230d50f347b00a7a3897bc93f6ec3dafa494/Scrapy-1.8.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • ❌ Scrapy-1.8.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
Mend Note: Converted from WS-2022-0091, on 2022-11-07.

Publish Date: 2022-03-02

URL: CVE-2022-0577

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-mfjm-vh54-3f96

Release Date: 2022-03-02

Fix Resolution: Scrapy - 1.8.2,2.6.0

Vulnerable Library - Twisted-19.2.1.tar.bz2

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/79/59/035de19362320e632301ed7bbde23e4c8cd6fc5e2f1cf8d354cdba857854/Twisted-19.2.1.tar.bz2

Dependency Hierarchy:

• ❌ Twisted-19.2.1.tar.bz2 (Vulnerable Library)

Found in HEAD commit: 3643f4a37a0c00ccb4b85a56e283cb0c86249b68

Vulnerability Details

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

Publish Date: 2019-06-16

URL: CVE-2019-12855

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.

Publish Date: 2021-06-02

URL: CVE-2021-25288

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25288

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Vulnerable Library - urllib3-1.25.10-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/9f/f0/a391d1463ebb1b233795cabfc0ef38d3db4442339de68f847026199e69d7/urllib3-1.25.10-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• sentry_sdk-0.17.4-py2.py3-none-any.whl (Root Library)
  • ❌ urllib3-1.25.10-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution (urllib3): 1.26.5

Direct dependency fix Resolution (sentry-sdk): 0.17.5

Vulnerable Library - lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/d1/2d/642ef7013aa56af52e14b5b7d53c5d591e6d038c9688e06d0f2a20ed26b2/lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Publish Date: 2021-12-13

URL: CVE-2021-43818

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-55x5-fj6c-h6m8

Release Date: 2021-12-13

Fix Resolution: lxml - 4.6.5

Vulnerable Library - Scrapy-1.8.0-py2.py3-none-any.whl

A high-level Web Crawling and Web Scraping framework

Library home page: https://files.pythonhosted.org/packages/3b/e4/69b87d7827abf03dea2ea984230d50f347b00a7a3897bc93f6ec3dafa494/Scrapy-1.8.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • ❌ Scrapy-1.8.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Scrapy is a high-level web crawling and scraping framework for Python. If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the w3lib.http.basic_auth_header function to convert your credentials into a value that you can assign to the Authorization header of your request, instead of defining your credentials globally using HttpAuthMiddleware.

Publish Date: 2021-10-06

URL: CVE-2021-41125

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-jwqp-28gf-p498

Release Date: 2021-10-06

Fix Resolution: scrapy - 1.8.1, 2.5.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 6a78aed794546b99c2cc08e83d5aebf75d2958d9

Vulnerability Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Publish Date: 2022-03-11

URL: WS-2022-0097

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4fx9-vc88-q2xc

Release Date: 2022-03-11

Fix Resolution: Pillow - 9.0.0

Vulnerable Library - setuptools-44.1.1-py2.py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/e1/b7/182161210a13158cd3ccc41ee19aadef54496b74f2817cc147006ec932b4/setuptools-44.1.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • zope.interface-5.1.0-cp27-cp27mu-manylinux2010_x86_64.whl
      • ❌ setuptools-44.1.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Publish Date: 2022-12-23

URL: CVE-2022-40897

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Release Date: 2022-12-23

Fix Resolution: setuptools - 65.5.1

Vulnerable Library - Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/4d/15/890ba1d83dc29ad71427ce5174d5963b84a25c8cf1973815107709fbb520/Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39348

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Release Date: 2022-10-26

Fix Resolution: twisted - 19.2.1,18.4.0;Twisted - 22.10.0rc1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Publish Date: 2021-06-02

URL: CVE-2021-28676

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28676

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Vulnerable Library - Twisted-19.10.0-cp27-cp27mu-manylinux1_x86_64.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/22/c2/5a30a4ad78af4d3e5df1701ec6a0dd59e1b0213dc2323dbf61b3af342ad5/Twisted-19.10.0-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/r18/requirements.txt

Path to vulnerable library: /tmp/ws-scm/r18/requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • txmongo-19.2.0-py2.py3-none-any.whl
    • ❌ Twisted-19.10.0-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: aaa1d248858154ce7af0638af690901c68f0eba9

Vulnerability Details

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Publish Date: 2020-03-12

URL: CVE-2020-10108

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

Publish Date: 2021-03-19

URL: CVE-2021-25292

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Vulnerable Library - ipython-7.14.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/b0/00/afc3968a3cdf5f30c5c9dfb8e6a61e63231d6869a461dc1ff418280c5ea4/ipython-7.14.0-py3-none-any.whl

Path to dependency file: /tests/requirements.txt

Path to vulnerable library: /tests/requirements.txt

Dependency Hierarchy:

• ❌ ipython-7.14.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.

Publish Date: 2022-01-19

URL: CVE-2022-21699

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-pq7m-3gw7-gq5x

Release Date: 2022-01-19

Fix Resolution: ipython - 5.11,7.16.3,7.31.1,8.0.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Publish Date: 2021-03-19

URL: CVE-2021-25293

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Publish Date: 2021-01-12

URL: CVE-2020-35654

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35654

Release Date: 2021-01-12

Fix Resolution: 8.1.0

.circleci/config.yml

• circleci/python 3.8.5

docker/MongoDB/docker-compose.yml

docker/Sentry/docker-compose.yml

requirements.txt

• pillow ==7.2.0
• scrapy ==2.4.0
• Scrapy-Pipelines ==0.2
• sentry-sdk ==0.17.4

Pipfile

Vulnerable Library - lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/d1/2d/642ef7013aa56af52e14b5b7d53c5d591e6d038c9688e06d0f2a20ed26b2/lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Publish Date: 2022-07-05

URL: CVE-2022-2309

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-05

Fix Resolution: lxml - 4.9.1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

Publish Date: 2021-03-19

URL: CVE-2021-25291

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Vulnerable Library - Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/4d/15/890ba1d83dc29ad71427ce5174d5963b84a25c8cf1973815107709fbb520/Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ Twisted-20.3.0-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

Publish Date: 2022-04-04

URL: CVE-2022-24801

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24801

Release Date: 2022-04-04

Fix Resolution: twisted - 22.4.0rc1

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Publish Date: 2021-03-19

URL: CVE-2021-25290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

Vulnerable Library - cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/88/68/3b54d44fbc5ba20dc4cd6b3f58d4fa28933f5d49136e0c4a80432e360cd7/cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4qr-2fvf-3mr5

Release Date: 2023-02-08

Fix Resolution: openssl-3.0.8;cryptography - 39.0.1;openssl-src - 111.25.0+1.1.1t,300.0.12+3.0.8

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Publish Date: 2021-06-02

URL: CVE-2021-28678

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28678

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of Pillow up to version 8.1.1 are vulnerable to CVE-2021-27923.

Publish Date: 2021-03-03

URL: CVE-2021-27923

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

Vulnerable Library - cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/88/68/3b54d44fbc5ba20dc4cd6b3f58d4fa28933f5d49136e0c4a80432e360cd7/cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution: cryptography - 39.0.1

Vulnerable Library - cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/88/68/3b54d44fbc5ba20dc4cd6b3f58d4fa28933f5d49136e0c4a80432e360cd7/cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2021-01-11

Fix Resolution: 3.2

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of Pillow up to version 8.1.1 are vulnerable to CVE-2021-27922.

Publish Date: 2021-03-03

URL: CVE-2021-27922

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

Vulnerable Library - lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/d1/2d/642ef7013aa56af52e14b5b7d53c5d591e6d038c9688e06d0f2a20ed26b2/lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • ❌ lxml-4.5.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Publish Date: 2021-03-21

URL: CVE-2021-28957

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-jq4v-f5q6-mjqq

Release Date: 2021-03-21

Fix Resolution: 4.6.3

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22815

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Vulnerable Library - ipaddress-1.0.23-py2.py3-none-any.whl

IPv4/IPv6 manipulation library

Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • Scrapy-1.8.0-py2.py3-none-any.whl
    • cryptography-3.1-cp27-cp27mu-manylinux2010_x86_64.whl
      • ❌ ipaddress-1.0.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d22e4090ff9665864cd594bbe0e472b15db6e644

Found in base branch: master

Vulnerability Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

Publish Date: 2020-06-18

URL: CVE-2020-14422

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422

Release Date: 2020-06-18

Fix Resolution: v3.5.10,v3.6.12,v3.7.9,v3.8.4v3.9.0

Vulnerable Library - Twisted-19.10.0-cp27-cp27mu-manylinux1_x86_64.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/22/c2/5a30a4ad78af4d3e5df1701ec6a0dd59e1b0213dc2323dbf61b3af342ad5/Twisted-19.10.0-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/r18/requirements.txt

Path to vulnerable library: /tmp/ws-scm/r18/requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • txmongo-19.2.0-py2.py3-none-any.whl
    • ❌ Twisted-19.10.0-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: aaa1d248858154ce7af0638af690901c68f0eba9

Vulnerability Details

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Publish Date: 2020-03-12

URL: CVE-2020-10109

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - Scrapy-1.8.0-py2.py3-none-any.whl

A high-level Web Crawling and Web Scraping framework

Library home page: https://files.pythonhosted.org/packages/3b/e4/69b87d7827abf03dea2ea984230d50f347b00a7a3897bc93f6ec3dafa494/Scrapy-1.8.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• Scrapy-Pipelines-0.2.tar.gz (Root Library)
  • ❌ Scrapy-1.8.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Scrapy versions prior to 1.8.2 and prior to 2.6.0 are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.

Publish Date: 2022-03-02

URL: WS-2022-0091

CVSS 3 Score Details (4.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: c84e21918247c59d62f103faa9a8f2555ea1c81e

Vulnerability Details

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

Publish Date: 2021-01-12

URL: CVE-2020-35655

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35655

Release Date: 2021-01-12

Fix Resolution: 8.1.0