seagate / cortx-test
Cortx-Test is the repository of automated system and end-to-end test cases for CORTX. It includes a distributed automated testing framework and pluggable tools developed to ensure functional and performance test coverage of the CORTX object storage.

Home Page: https://github.com/Seagate/cortx

License: GNU Affero General Public License v3.0

Python 96.51% RobotFramework 2.52% Shell 0.39% Groovy 0.47% Makefile 0.12%
object s3 s3-storage testing testing-framework testing-tools

cortx-test's People

Contributors

aayushisharma88, aditipande96, akshaym99, ankita-93, apoorva-rao, apurwamohite, archanabpatil, ashish-seagate, ashukakkar, ashwinis-borse, bhairavi22, dhananjayd1, dhobalevishal, gaurkrgaurav, kachhwahadivya, ketanarlulkar, kulrk, niteshmahajan, pragamj, priyankaborawake, rahul-hatwar, rajeshpratapsinghchouhan, ravindrachoudhari, sampadap03, seagate-sarang-sawant, sonalk0209, subham-pattanaik, swapnil-khandare, vikaskumarc, zohebkhann

cortx-test's Issues

Refine Telnet_helper for exception handling.

Why are we using a generic exception to handle errors/exceptions? Figure out which exception you want to handle, e.g. a socket exception, and then handle it.
Also, are you connecting to telnet in this function, and why is it named connect? Alternatively you may pull the connection code out and make it a behavior.

Originally posted by @seagate-sarang-sawant in #16 (comment)
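
The pattern the review comment above asks for, as an added example (not cortx-test's Telnet_helper): catch the concrete socket errors a connect can raise and map each to a distinct, actionable outcome instead of one bare except. open_telnet_socket is a constructed helper and uses the standard socket module only; telnet itself is cleartext, so the credentials sent over such a socket should be treated as exposed to anyone on the path.

```python
"""Specific exception handling for a TCP/telnet connect.

Added example, not cortx-test code. classify_connect_error() is the part
worth reusing; open_telnet_socket() shows where it sits."""
import socket
from typing import Optional, Tuple


def classify_connect_error(exc: BaseException) -> str:
    """Map the errors socket.create_connection() raises to a reason a caller
    can act on. Order matters: the specific subclasses come before OSError."""
    if isinstance(exc, socket.gaierror):
        return "dns"          # name did not resolve: config problem, do not retry blindly
    if isinstance(exc, socket.timeout):    # TimeoutError on 3.10+, still an OSError
        return "timeout"      # host silent or filtered: retry with backoff
    if isinstance(exc, ConnectionRefusedError):
        return "refused"      # host is up, port closed: the service is not running
    if isinstance(exc, OSError):
        return "os"           # EHOSTUNREACH, ENETUNREACH, EACCES, ...
    raise exc                 # anything else is a bug in our code; never swallow it


def open_telnet_socket(host: str, port: int = 23,
                       timeout: float = 5.0) -> Tuple[Optional[socket.socket], Optional[str]]:
    """Return (socket, None) on success or (None, reason) on a connect failure.
    The caller decides whether the reason is retryable; nothing is hidden."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:   # gaierror, timeout and ConnectionRefusedError are OSError subclasses
        return None, classify_connect_error(exc)
    return sock, None
```

The test for this block only exercises the classifier with constructed exception objects, so it needs no network.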

CVE-2022-45199 (High) detected in Pillow-9.2.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

CVE-2022-45199 - High Severity Vulnerability

Vulnerable Library - Pillow-9.2.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/86/d2/ca178ad71dcd1dcddbe2a3f7983639d2f8a20e723d9a978ab978ed08c874/Pillow-9.2.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /tools/requirements.txt

Path to vulnerable library: /tools/requirements.txt,/requirements.txt,/libs/csm/csm,/switch

Dependency Hierarchy:

  • Pillow-9.2.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: 9.3.0


⛑️ Automatic Remediation is available for this issue

CVE-2022-40897 (Medium) detected in setuptools-41.6.0-py2.py3-none-any.whl

CVE-2022-40897 - Medium Severity Vulnerability

Vulnerable Library - setuptools-41.6.0-py2.py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/d9/de/554b6310ac87c5b921bc45634b07b11394fe63bc4cb5176f5240addf18ab/setuptools-41.6.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/switch,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • setuptools-41.6.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Publish Date: 2022-12-23

URL: CVE-2022-40897

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Release Date: 2022-12-23

Fix Resolution: 65.5.1


⛑️ Automatic Remediation is available for this issue

CVE-2023-30861 (High) detected in Flask-1.1.2-py2.py3-none-any.whl, Flask-2.2.2-py3-none-any.whl

CVE-2023-30861 - High Severity Vulnerability

Vulnerable Libraries - Flask-1.1.2-py2.py3-none-any.whl, Flask-2.2.2-py3-none-any.whl

Flask-1.1.2-py2.py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/f2/28/2a03252dfb9ebf377f40fba6a7841b47083260bf8bd8e737b0c6952df83f/Flask-1.1.2-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/switch,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • Flask-1.1.2-py2.py3-none-any.whl (Vulnerable Library)
Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /tools/requirements.txt

Path to vulnerable library: /tools/requirements.txt,/switch,/tools/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • Flask-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: flask - 2.2.5,2.3.2


⛑️ Automatic Remediation is available for this issue
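
The five conditions above are easier to see as one interaction, so here is an added example (not Flask or cortx-test code) that models them: a constructed view that re-sends a permanent session cookie without touching the session, and a constructed shared cache that honours Vary and Cache-Control: private but, like condition 1, does not strip Set-Cookie from what it stores. app_vulnerable stands in for the pre-2.2.5/2.3.2 behaviour, app_fixed for the fixed one, and with_cache_control_private for the application-side mitigation in condition 5.

```python
"""Model of the CVE-2023-30861 conditions: a shared cache in front of an app
that refreshes a permanent session cookie on every response.

Added example, not Flask or cortx-test code. The app functions and
CachingProxy are constructed stand-ins; no HTTP library is used."""
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, bytes]
App = Callable[[str, Optional[str]], Response]


def app_vulnerable(path: str, cookie_header: Optional[str]) -> Response:
    """Flask < 2.2.5 / 2.3.2 with session.permanent=True, SESSION_REFRESH_EACH_REQUEST
    on, and a view that never touches the session: the cookie is re-sent to extend
    its expiry (condition 4) but Vary: Cookie is not added because the session was
    neither accessed nor modified (condition 3)."""
    headers: Headers = {}
    if cookie_header:
        headers["Set-Cookie"] = f"{cookie_header}; Path=/; HttpOnly"
    return 200, headers, b"dashboard"


def app_fixed(path: str, cookie_header: Optional[str]) -> Response:
    """Fixed behaviour: every response that (re)sends the session cookie also
    carries Vary: Cookie, so a cache stores it per cookie value, not per URL."""
    status, headers, body = app_vulnerable(path, cookie_header)
    if "Set-Cookie" in headers:
        headers["Vary"] = "Cookie"
    return status, headers, body


def with_cache_control_private(app: App) -> App:
    """Application-side mitigation (condition 5): mark the page private."""
    def wrapped(path: str, cookie_header: Optional[str]) -> Response:
        status, headers, body = app(path, cookie_header)
        headers["Cache-Control"] = "private"
        return status, headers, body
    return wrapped


class CachingProxy:
    """Constructed shared cache matching condition 1: honours Vary and
    Cache-Control: private, does not strip Set-Cookie from stored responses."""

    def __init__(self, app: App) -> None:
        self.app = app
        # path -> [(request-header values the copy varies on, response)]
        self.store: Dict[str, List[Tuple[Headers, Response]]] = {}

    def fetch(self, path: str, req_headers: Headers) -> Response:
        for varied_on, resp in self.store.get(path, []):
            if all(req_headers.get(h, "") == v for h, v in varied_on.items()):
                return resp  # cache hit; a copy stored with no Vary matches everyone
        resp = self.app(path, req_headers.get("Cookie"))
        headers = resp[1]
        if "private" not in headers.get("Cache-Control", "").lower():
            vary = [h.strip() for h in headers.get("Vary", "").split(",") if h.strip()]
            self.store.setdefault(path, []).append(
                ({h: req_headers.get(h, "") for h in vary}, resp))
        return resp


def cookie_received_by_second_client(app: App) -> Optional[str]:
    """Alice, who has a session, loads the page first; Bob, with no cookie, loads
    it next through the same proxy. Returns the Set-Cookie Bob receives, if any."""
    proxy = CachingProxy(app)
    proxy.fetch("/dashboard", {"Cookie": "session=alice-token"})
    _, headers, _ = proxy.fetch("/dashboard", {})
    return headers.get("Set-Cookie")
```

With app_vulnerable Bob receives Alice's session cookie; with app_fixed the Vary: Cookie header makes the cached copy miss for him, and with Cache-Control: private nothing is stored at all. The upgrade removes the bug; the private header is still worth setting on any page that emits per-user data, because it does not depend on the proxy's Vary handling.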

CVE-2022-42969 (High) detected in py-1.11.0-py2.py3-none-any.whl

CVE-2022-42969 - High Severity Vulnerability

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/libs/csm/csm,/switch

Dependency Hierarchy:

  • py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Remove s3bench logs location from the project root

Problem

s3bench logs are piling up in the cortx-test root folder (precisely, in the CWD) instead of the log folder. Collect s3bench logs into the test log folder itself.

Expected behavior

Collect s3bench logs into test log folder itself.

How to reproduce

Run sanity test cases.

Deployment information

Single test client i.e Corbot on CentOS 7+

Additional information

No response

Fix/Revert s3_test_lib Changes (Do not use/mix cli with s3 boto api ), Ref:https://github.com/Seagate/cortx-test/pull/563

https://github.com/Seagate/cortx-test/pull/563/files#diff-99d72be4c53317d66f97337cbde5d09822f03b086836807927efe4f1fe0727fb

Remove the following imports:
from libs.csm.cli.cortx_cli_s3_buckets import CortxCliS3BucketOperations
from libs.csm.cli.cortx_cli_s3_accounts import CortxCliS3AccountOperations
and the associated object:
self.s3bkt_obj = CortxCliS3BucketOperations()

and use only
libs/s3/cortxcli_test_lib.py for CLI-related operations (required imports/method calls may be added there).

CVE-2020-14343 (High) detected in PyYAML-5.1.2.tar.gz - autoclosed

CVE-2020-14343 - High Severity Vulnerability

Vulnerable Library - PyYAML-5.1.2.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • PyYAML-5.1.2.tar.gz (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Publish Date: 2021-02-09

URL: CVE-2020-14343

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343

Release Date: 2021-02-09

Fix Resolution: PyYAML - 5.4


⛑️ Automatic Remediation is available for this issue

CVE-2021-33430 (High) detected in numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2021-33430 - High Severity Vulnerability

Vulnerable Library - numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /tools/dash_server/requirements.txt

Path to vulnerable library: /tools/dash_server/requirements.txt,/switch,/libs/csm/csm,/tools/dash_server/requirements.txt

Dependency Hierarchy:

  • numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; in (very limited) circumstances a user may be able to provoke the buffer overflow, but the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.

Publish Date: 2021-12-17

URL: CVE-2021-33430

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430

Release Date: 2021-12-17

Fix Resolution: numpy - 1.21.0


⛑️ Automatic Remediation is available for this issue

CVE-2020-26137 (Medium) detected in urllib3-1.25.3-py2.py3-none-any.whl - autoclosed

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9


⛑️ Automatic Remediation is available for this issue
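
The CRLF injection described above is easiest to understand from the bytes on the wire, so here is an added example (not urllib3 or http.client code): a constructed request-line builder in the shape of putrequest(), once interpolating the method verbatim as the pre-1.25.9 code did, and once validating it against the RFC 7230 token grammar. header_names() plays the receiver and shows which header lines it would parse.

```python
"""CVE-2020-26137: CR/LF in an attacker-controlled HTTP method.

Added example, not urllib3 code. INJECTED_METHOD is a constructed attacker
value; no network I/O happens."""
import re
from typing import List

# RFC 7230 "token" = 1*tchar; CR, LF and SP are not tchar.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_method(method: str) -> bool:
    return bool(_TOKEN.match(method))


def build_request_unchecked(method: str, target: str, host: str) -> bytes:
    """Pre-1.25.9 behaviour: whatever the caller passed becomes the request line."""
    return f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def build_request_checked(method: str, target: str, host: str) -> bytes:
    """Fixed behaviour: refuse a method that is not a single token."""
    if not is_valid_method(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return build_request_unchecked(method, target, host)


def header_names(wire: bytes) -> List[str]:
    """Header names as a receiver parses the first header block of `wire`."""
    head = wire.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1")
            for line in head.split(b"\r\n")[1:] if b":" in line]


# Constructed attacker value: the "method" carries a complete request line plus
# a header of its own, and ends in a fresh method so the real target still parses.
INJECTED_METHOD = "GET / HTTP/1.1\r\nX-Forwarded-For: 127.0.0.1\r\nPOST"
```

Run through the unchecked builder the injected value yields a message in which X-Forwarded-For precedes the Host header the library thought it was writing; the checked builder rejects the same value before any bytes are produced. The same token check belongs on any request component that is taken from user input, since CVE-2020-26116 (noted as similar above) is the equivalent issue in http.client itself.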

CVE-2022-24302 (Medium) detected in paramiko-2.6.0-py2.py3-none-any.whl - autoclosed

CVE-2022-24302 - Medium Severity Vulnerability

Vulnerable Library - paramiko-2.6.0-py2.py3-none-any.whl

SSH2 protocol library

Library home page: https://files.pythonhosted.org/packages/4b/80/74dace9e48b0ef923633dfb5e48798f58a168e4734bca8ecfaf839ba051a/paramiko-2.6.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/libs/csm/csm,/switch,/requirements.txt

Dependency Hierarchy:

  • paramiko-2.6.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Publish Date: 2022-03-17

URL: CVE-2022-24302

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.paramiko.org/changelog.html

Release Date: 2022-03-17

Fix Resolution: paramiko - 2.10.1


⛑️ Automatic Remediation is available for this issue
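
The create-then-chmod race above is a general pattern, not something specific to Paramiko, so here is an added example (not Paramiko or cortx-test code) of both orderings. The racy writer reports the permission bits that exist between open() and chmod(), which is what another local user can open the file with during that window; the atomic writer creates the inode with mode 0600 in the same syscall and uses O_EXCL so a file or symlink planted at the path beforehand makes it fail instead of being followed. The key content is a constructed placeholder.

```python
"""CVE-2022-24302 pattern: create-then-chmod versus create-with-mode.

Added example, not Paramiko code. Writes a placeholder (not key material)
into a temporary directory."""
import os
import stat
import tempfile
from typing import Dict


def _mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path: str, data: bytes) -> int:
    """Vulnerable ordering: open() creates the file with umask-derived permissions
    (commonly 0644) and only afterwards tightens them. Returns the mode that is in
    effect inside that window."""
    with open(path, "wb") as f:
        f.write(data)
        window_mode = _mode(path)   # what a concurrent reader sees right now
    os.chmod(path, 0o600)
    return window_mode


def write_key_atomic(path: str, data: bytes) -> int:
    """Fixed ordering: the inode is born 0600; O_EXCL refuses a pre-existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        window_mode = _mode(path)   # already 0600 before a single byte is written
        os.write(fd, data)
    finally:
        os.close(fd)
    return window_mode


def demo() -> Dict[str, object]:
    current_umask = os.umask(0)
    os.umask(current_umask)         # read the umask without changing it
    with tempfile.TemporaryDirectory() as d:
        racy = os.path.join(d, "id_rsa.racy")
        atomic = os.path.join(d, "id_rsa.atomic")
        result: Dict[str, object] = {
            "umask": current_umask,
            "racy_window_mode": write_key_racy(racy, b"PLACEHOLDER-NOT-A-KEY\n"),
            "atomic_window_mode": write_key_atomic(atomic, b"PLACEHOLDER-NOT-A-KEY\n"),
        }
        try:
            write_key_atomic(atomic, b"second write")
            result["refuses_existing_file"] = False
        except FileExistsError:
            result["refuses_existing_file"] = True
        return result
```

With the usual 022 umask the racy writer's window mode is 0644, i.e. world-readable until the chmod lands; the atomic writer never exposes more than 0600. If your process umask is already 077 the two look the same, which is exactly why one cannot rely on the umask of whoever runs the code.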

CVE-2021-34141 (Medium) detected in numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

CVE-2021-34141 - Medium Severity Vulnerability

Vulnerable Library - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/50/46/292cff79f5b30151b027400efdb3f740ea03271b600751b6696cf550c10d/numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: 1.22.0


⛑️ Automatic Remediation is available for this issue

CVE-2022-24439 (High) detected in GitPython-3.1.27-py3-none-any.whl

CVE-2022-24439 - High Severity Vulnerability

Vulnerable Library - GitPython-3.1.27-py3-none-any.whl

GitPython is a python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/83/32/ce68915670da6fd6b1e3fb4b3554b4462512f6441dddd194fc0f4f6ec653/GitPython-3.1.27-py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • GitPython-3.1.27-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Publish Date: 2022-12-06

URL: CVE-2022-24439

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.
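
Since the issue above ends without a fix resolution, here is the check that belongs in front of any clone call regardless of library version, as an added example (not GitPython or cortx-test code). It assumes, from my reading of the later GitPython fix, that the two vectors to block are git's ext:: helper transport (the URL itself names a command) and values git parses as options such as --upload-pack=<cmd>; it therefore allows explicit network schemes only and terminates option parsing with --. Only the argv is built; nothing is executed.

```python
"""CVE-2022-24439 hardening: validate a clone URL before handing it to git.

Added example, not GitPython code. Assumes the ext:: transport and
option-style values are the vectors to block."""
import re
from typing import List

# Explicit network schemes only: no ext::, no scp-like host:path, no local paths.
_ALLOWED = re.compile(
    r"^(https?|ssh|git)://([A-Za-z0-9._\-]+@)?[A-Za-z0-9.\-]+(:\d+)?/[^\s]+$")


def is_safe_clone_url(url: str) -> bool:
    if not url or url.startswith("-"):
        return False                       # git would read it as an option
    if any(c in url for c in "\x00\r\n \t"):
        return False                       # cannot occur in a real URL
    return bool(_ALLOWED.match(url))


def clone_argv(url: str, dest: str) -> List[str]:
    """argv for subprocess.run(); raise rather than clone anything doubtful."""
    if not is_safe_clone_url(url):
        raise ValueError(f"refusing to clone from {url!r}")
    # '--' ends option parsing, so neither url nor dest can be taken as a flag.
    return ["git", "clone", "--", url, dest]
```

An allow-list of schemes is deliberately stricter than a deny-list of known-bad prefixes: git accepts several transport spellings, and the ones not on the list are the ones you have not thought about.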

WS-2022-0365 (High) detected in cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl, cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

WS-2022-0365 - High Severity Vulnerability

Vulnerable Libraries - cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl, cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/fb/12/ed7aed6d59dbb3886fd14d3423ec9730f6a68e9d1271160732b1d9738046/cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)
cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/9b/4e/d7454551c3c7b327510e35d88db35c300484225ba47be861e28f0b520b33/cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /libs/csm/csm

Path to vulnerable library: /libs/csm/csm,/tools/requirements.txt,/switch

Dependency Hierarchy:

  • cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Publish Date: 2022-11-02

URL: WS-2022-0365

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-39hc-v87j-747x

Release Date: 2022-11-02

Fix Resolution: 38.0.3


⛑️ Automatic Remediation is available for this issue

CVE-2019-20477 (High) detected in PyYAML-5.1.2.tar.gz - autoclosed

CVE-2019-20477 - High Severity Vulnerability

Vulnerable Library - PyYAML-5.1.2.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • PyYAML-5.1.2.tar.gz (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Publish Date: 2020-02-19

URL: CVE-2019-20477

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477

Release Date: 2020-03-01

Fix Resolution: 5.2


⛑️ Automatic Remediation is available for this issue
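
Both PyYAML findings on this page (CVE-2020-14343 above, and CVE-2019-20477 just here) come down to which loader a call site uses, and upgrading the package does not fix a call that still asks for FullLoader or unsafe_load. The following added example (not cortx-test or PyYAML code) is a small AST-based scanner that flags those call sites; the rules encode the two advisories, and the source it scans is constructed.

```python
"""Find PyYAML calls that can instantiate arbitrary Python objects from a document.

Added example, not cortx-test code. Rules, taken from the advisories above:
  - load()/load_all() with no Loader (pre-5.4 default loaders are not safe) or
    with a non-safe Loader such as FullLoader (CVE-2020-14343)
  - full_load()/unsafe_load() and their *_all variants, always
Bare names (from yaml import load) are matched too, which can false-positive on
unrelated functions called load(); review hits rather than auto-fixing them."""
import ast
from typing import List, Optional, Tuple

ALWAYS_UNSAFE = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}
NEEDS_LOADER = {"load", "load_all"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _loader_name(call: ast.Call) -> Optional[str]:
    """Name of the Loader argument (keyword or second positional), if any."""
    node = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None and len(call.args) >= 2:
        node = call.args[1]
    if node is None:
        return None
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "<dynamic>"       # computed at runtime: treat as not provably safe


def find_unsafe_yaml_loads(source: str) -> List[Tuple[int, str, str]]:
    """(line, function, reason) for each risky call, in source order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name) and fn.value.id == "yaml":
            name = fn.attr
        elif isinstance(fn, ast.Name):
            name = fn.id
        else:
            continue
        if name in ALWAYS_UNSAFE:
            findings.append((node.lineno, name, "loader can build arbitrary Python objects"))
        elif name in NEEDS_LOADER:
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, name, "no Loader; pre-5.4 default loaders are not safe"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, name, f"Loader={loader} is not a safe loader"))
    return sorted(findings)


# Constructed source to scan; lines 3, 4 and 6 are the ones that should be flagged.
SAMPLE_SOURCE = '''import yaml
ok1 = yaml.safe_load(open("a.yml"))
bad1 = yaml.load(open("b.yml"))
bad2 = yaml.load(open("c.yml"), Loader=yaml.FullLoader)
ok2 = yaml.load(open("d.yml"), Loader=yaml.SafeLoader)
bad3 = yaml.full_load(open("e.yml"))
ok3 = yaml.load(open("f.yml"), yaml.CSafeLoader)
'''
```

Run it over the repository with something like find_unsafe_yaml_loads(open(path).read()) per .py file; yaml.safe_load is the replacement for every hit unless a file genuinely needs custom tags, in which case a SafeLoader subclass with explicitly registered constructors is the way to get them.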

CVE-2023-25577 (High) detected in Werkzeug-2.2.2-py3-none-any.whl, Werkzeug-1.0.1-py2.py3-none-any.whl

CVE-2023-25577 - High Severity Vulnerability

Vulnerable Libraries - Werkzeug-2.2.2-py3-none-any.whl, Werkzeug-1.0.1-py2.py3-none-any.whl

Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /tools/requirements.txt

Path to vulnerable library: /tools/requirements.txt,/switch,/libs/csm/csm

Dependency Hierarchy:

  • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)
Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/libs/csm/csm,/requirements.txt,/switch

Dependency Hierarchy:

  • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3


⛑️ Automatic Remediation is available for this issue
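
The description above is a resource-exhaustion bug in a parser, and the defence is a cap checked before the work is done. As an added example (not Werkzeug or cortx-test code), here is a constructed, minimal multipart splitter that stops at a part limit, plus a constructed attacker body made of many tiny parts. Werkzeug 2.2.3 addressed this with Request.max_form_parts (default 1000), which is the setting to tune rather than re-implementing a parser; this block only shows what that limit does.

```python
"""CVE-2023-25577 class of bug: a multipart parser that allocates objects for
every part the client sends.

Added example, not Werkzeug code. The boundary splitter is deliberately
minimal (no nested multipart, no quoted boundaries); the cap is the point."""
from typing import List, Optional, Tuple


class TooManyParts(ValueError):
    pass


def parse_multipart(body: bytes, boundary: str,
                    max_parts: int = 1000) -> List[Tuple[bytes, bytes]]:
    """Return (header_block, payload) per part. Raise TooManyParts as soon as the
    cap is exceeded, before the remaining parts cost any CPU or memory."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Tuple[bytes, bytes]] = []
    for chunk in body.split(delimiter)[1:]:       # [0] is the preamble
        if chunk.startswith(b"--"):
            break                                  # closing "--boundary--"
        if len(parts) >= max_parts:
            raise TooManyParts(f"more than {max_parts} multipart parts")
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]                      # CRLF that ended the boundary line
        head, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]                 # CRLF that precedes the next boundary
        parts.append((head, payload))
    return parts


def build_body(n_parts: int, boundary: str) -> bytes:
    """Constructed client body: n tiny form fields, each a parse step for the server."""
    out = bytearray()
    for i in range(n_parts):
        out += (f'--{boundary}\r\nContent-Disposition: form-data; '
                f'name="f{i}"\r\n\r\nx\r\n').encode("ascii")
    out += f"--{boundary}--\r\n".encode("ascii")
    return bytes(out)


def accepted_part_count(body: bytes, boundary: str,
                        max_parts: int = 1000) -> Optional[int]:
    """Number of parts parsed, or None when the request was rejected."""
    try:
        return len(parse_multipart(body, boundary, max_parts))
    except TooManyParts:
        return None
```

A 5000-part body is rejected after the 1000th part with the cap in place; without it the loop would build 5000 tuples, and the real parser builds far heavier objects per part. Pair the part cap with a total size cap (MAX_CONTENT_LENGTH in Flask) so that neither many small parts nor one huge part gets through.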

Reduce the number of pytest marker for deployment tests

Problem

The Test Environment field from the Jira TE is used to mention the deployment tags used to group the test cases. We don't want these tags to propagate into code, as tests are written for N+ (N = 3 nodes) cluster deployment.

What we want is to have cluster_deployment as the test env tag. If the number of nodes in a cluster is 3 or 4 or N, it can be put in Jira labels. The setup entry or the common config is aware of the number of nodes (CMN_CFG["nodes"]) in the cluster, and tests should be using that value in the test or lib code.

The currently used tags are listed below.
three_node_deployment
four_node_deployment
five_node_deployment
six_node_deployment
seven_node_deployment
eight_node_deployment
nine_node_deployment
ten_node_deployment
eleven_node_deployment
twelve_node_deployment
thirteen_node_deployment
fourteen_node_deployment
fifteen_node_deployment

A better solution needs to be identified and developed to reduce the number of invalid tags in code base.

Expected behavior

A better solution needs to be identified and developed to reduce the number of invalid tags in code base. "cluster_deployment" tag should be used as the test env tag.

How to reproduce

Refer to the pytest.ini file for the three_node_deployment, four_node_deployment, etc. tags. This is a design issue.

Deployment information

NA

Additional information

No response

CVE-2023-0286 (High) detected in cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl, cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

CVE-2023-0286 - High Severity Vulnerability

Vulnerable Libraries - cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl, cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/fb/12/ed7aed6d59dbb3886fd14d3423ec9730f6a68e9d1271160732b1d9738046/cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)
cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/9b/4e/d7454551c3c7b327510e35d88db35c300484225ba47be861e28f0b520b33/cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /libs/csm/csm

Path to vulnerable library: /libs/csm/csm,/tools/requirements.txt,/switch

Dependency Hierarchy:

  • cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/vulnerabilities.html

Release Date: 2023-02-08

Fix Resolution: openssl-3.0.8, OpenSSL_1_1_1t


⛑️ Automatic Remediation is available for this issue

Please make this repo public

As soon as possible, please make this repo public. Please leave this Issue open until we make it public.

Tracking Page:

Open Sourcing Cortx-Test and CORIO - Private-Cortx - Confluence (atlassian.net): https://seagate-systems.atlassian.net/wiki/spaces/PRIVATECOR/pages/898039873/Open+Sourcing+Cortx-Test+and+CORIO

CVE-2022-29361 (High) detected in Werkzeug-1.0.1-py2.py3-none-any.whl - autoclosed

CVE-2022-29361 - High Severity Vulnerability

Vulnerable Library - Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/libs/csm/csm,/requirements.txt,/switch

Dependency Hierarchy:

  • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

Publish Date: 2022-05-25

URL: CVE-2022-29361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29361

Release Date: 2022-05-25

Fix Resolution: Werkzeug - 2.1.1


⛑️ Automatic Remediation is available for this issue

CVE-2022-23491 (High) detected in certifi-2019.6.16-py2.py3-none-any.whl, certifi-2022.9.14-py3-none-any.whl

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Libraries - certifi-2019.6.16-py2.py3-none-any.whl, certifi-2022.9.14-py3-none-any.whl

certifi-2019.6.16-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/69/1b/b853c7a9d4f6a6d00749e94eb6f3a041e342a885b87340b79c1ef73e3a78/certifi-2019.6.16-py2.py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • certifi-2019.6.16-py2.py3-none-any.whl (Vulnerable Library)

certifi-2022.9.14-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/6a/34/cd29f4dd8a23ce45f2b8ce9631ff2d4205fb74eddb412a3dc4fd1e4aa800/certifi-2022.9.14-py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/libs/csm/csm,/tools/requirements.txt

Dependency Hierarchy:

  • certifi-2022.9.14-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07


⛑️ Automatic Remediation is available for this issue

CVE-2020-1747 (High) detected in PyYAML-5.1.2.tar.gz - autoclosed

CVE-2020-1747 - High Severity Vulnerability

Vulnerable Library - PyYAML-5.1.2.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • PyYAML-5.1.2.tar.gz (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Publish Date: 2020-03-24

URL: CVE-2020-1747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6757-jp84-gxfx

Release Date: 2020-03-24

Fix Resolution: pyyaml - 5.3.1


⛑️ Automatic Remediation is available for this issue

create_file function does not throw error if disk is full and unable to create requested file

Need to add error handling in create_file function in commons/utils/system_utils.py file.

def create_file(
        fpath: str,
        count: int,
        dev: str = "/dev/zero",
        b_size: str = "1M") -> tuple:
    """
    Create file using dd command.
    :param fpath: File path.
    :param count: size of the file in MB.
    :param dev: Input file used.
    :param b_size: block size.
    :return:
    """
    cmd = commands.CREATE_FILE.format(dev, fpath, b_size, count)
    LOGGER.debug(cmd)
    result = run_local_cmd(cmd, flg=True)
    LOGGER.debug("output = %s", str(result))
    result = (os.path.exists(fpath), result[1])

    return result
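A hardened variant of create_file, added here as an example and not cortx-test's own code: it replaces the page's commands.CREATE_FILE, run_local_cmd and LOGGER helpers with subprocess and logging, treats a non-zero dd exit status (which is what a full disk produces) or a short output file as failure, and removes the partial file instead of reporting os.path.exists() as success. It assumes dd is on PATH and that /dev/zero is readable.

```python
"""Hardened create_file: added example, not cortx-test code."""
import errno
import logging
import os
import subprocess
import tempfile
from typing import Dict, Tuple

LOGGER = logging.getLogger(__name__)

# dd block-size suffixes as GNU dd interprets them (K/M/G are powers of 1024).
_SUFFIX_MULTIPLIER = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def block_size_bytes(b_size: str) -> int:
    """Convert a dd-style block size such as '1M' or '4096' to a byte count."""
    b_size = b_size.strip().upper()
    suffix = b_size[-1] if b_size and b_size[-1] in _SUFFIX_MULTIPLIER else ""
    number = b_size[: len(b_size) - len(suffix)]
    if not number.isdigit():
        raise ValueError(f"unsupported block size: {b_size!r}")
    return int(number) * _SUFFIX_MULTIPLIER[suffix]


def _remove_partial(fpath: str) -> None:
    """Delete a truncated file left behind by a failed dd, ignoring 'not found'."""
    try:
        os.remove(fpath)
    except OSError as err:
        if err.errno != errno.ENOENT:
            LOGGER.warning("could not remove partial file %s: %s", fpath, err)


def create_file(fpath: str, count: int, dev: str = "/dev/zero",
                b_size: str = "1M") -> Tuple[bool, str]:
    """Create a file of count*b_size bytes with dd, failing loudly on short writes.

    Returns (True, "") on success or (False, reason) on failure. The original
    helper returned os.path.exists(fpath), which is True even for the partial
    file dd leaves when the disk fills up (ENOSPC); here that case is detected
    from dd's exit status and the file size, and the partial file is removed.
    """
    expected = count * block_size_bytes(b_size)
    cmd = ["dd", f"if={dev}", f"of={fpath}", f"bs={b_size}", f"count={count}"]
    LOGGER.debug(" ".join(cmd))
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError as err:
        return False, f"dd not available: {err}"
    if proc.returncode != 0:
        _remove_partial(fpath)
        return False, proc.stderr.strip() or f"dd exited with {proc.returncode}"
    try:
        actual = os.stat(fpath).st_size
    except OSError as err:
        return False, f"output file missing after dd: {err}"
    if actual != expected:
        _remove_partial(fpath)
        return False, f"short write: expected {expected} bytes, got {actual}"
    return True, ""


def demo() -> Dict[str, object]:
    """Exercise a good write and a failing one in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "good.bin")
        good = create_file(good_path, 2, b_size="4K")
        good_size = os.stat(good_path).st_size if good[0] else -1
        # Constructed failure: the parent directory does not exist, so dd
        # cannot open the output and exits non-zero, just as it does on ENOSPC.
        bad = create_file(os.path.join(tmp, "missing-dir", "bad.bin"), 1, b_size="1K")
    return {"good": good, "good_size": good_size, "bad": bad}


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
```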

CVE-2023-23931 (Medium) detected in cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl, cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

CVE-2023-23931 - Medium Severity Vulnerability

Vulnerable Libraries - cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl, cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/fb/12/ed7aed6d59dbb3886fd14d3423ec9730f6a68e9d1271160732b1d9738046/cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • cryptography-37.0.0-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/9b/4e/d7454551c3c7b327510e35d88db35c300484225ba47be861e28f0b520b33/cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /libs/csm/csm

Path to vulnerable library: /libs/csm/csm,/tools/requirements.txt,/switch

Dependency Hierarchy:

  • cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution: 39.0.1


⛑️ Automatic Remediation is available for this issue

CVE-2021-33503 (High) detected in urllib3-1.25.3-py2.py3-none-any.whl - autoclosed

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5


⛑️ Automatic Remediation is available for this issue

CVE-2023-23934 (Low) detected in Werkzeug-2.2.2-py3-none-any.whl, Werkzeug-1.0.1-py2.py3-none-any.whl

CVE-2023-23934 - Low Severity Vulnerability

Vulnerable Libraries - Werkzeug-2.2.2-py3-none-any.whl, Werkzeug-1.0.1-py2.py3-none-any.whl

Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /tools/requirements.txt

Path to vulnerable library: /tools/requirements.txt,/switch,/libs/csm/csm

Dependency Hierarchy:

  • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/libs/csm/csm,/requirements.txt,/switch

Dependency Hierarchy:

  • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3


⛑️ Automatic Remediation is available for this issue

CVE-2020-7212 (High) detected in urllib3-1.25.3-py2.py3-none-any.whl - autoclosed

CVE-2020-7212 - High Severity Vulnerability

Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/requirements.txt

Dependency Hierarchy:

  • urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Publish Date: 2020-03-06

URL: CVE-2020-7212

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmv2-79q8-fv6g

Release Date: 2020-03-09

Fix Resolution: urllib3 - 1.25.8


⛑️ Automatic Remediation is available for this issue

CVE-2020-28493 (Medium) detected in Jinja2-2.10.1-py2.py3-none-any.whl - autoclosed

CVE-2020-28493 - Medium Severity Vulnerability

Vulnerable Library - Jinja2-2.10.1-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/1d/e7/fd8b501e7a6dfe492a433deb7b9d833d39ca74916fa8bc63dd1a4947a671/Jinja2-2.10.1-py2.py3-none-any.whl

Path to dependency file: /libs/csm/csm

Path to vulnerable library: /libs/csm/csm,/requirements.txt,/switch,/requirements.txt

Dependency Hierarchy:

  • Jinja2-2.10.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ef77fa6ea195cb251a124be382b5c33f280e7db1

Found in base branch: main

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493

Release Date: 2021-02-01

Fix Resolution: Jinja2 - 2.11.3


⛑️ Automatic Remediation is available for this issue

CVE-2022-36087 (Medium) detected in oauthlib-3.2.1-py3-none-any.whl

CVE-2022-36087 - Medium Severity Vulnerability

Vulnerable Library - oauthlib-3.2.1-py3-none-any.whl

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/libs/csm/csm,/tools/requirements.txt

Dependency Hierarchy:

  • oauthlib-3.2.1-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing a malicious redirect URI can cause a denial of service. An attacker can also leverage the uri_validate functions, depending on where they are used. OAuthLib applications using OAuth2.0 provider support or using uri_validate directly are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.

Publish Date: 2022-09-09

URL: CVE-2022-36087

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3pgj-pg6c-r5p7

Release Date: 2022-09-09

Fix Resolution: oauthlib - 3.2.2


⛑️ Automatic Remediation is available for this issue

CVE-2021-41496 (Medium) detected in numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl - autoclosed

CVE-2021-41496 - Medium Severity Vulnerability

Vulnerable Library - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/50/46/292cff79f5b30151b027400efdb3f740ea03271b600751b6696cf550c10d/numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /switch

Path to vulnerable library: /switch,/requirements.txt,/requirements.txt,/libs/csm/csm

Dependency Hierarchy:

  • numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99

Found in base branch: main

Vulnerability Details

** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a denial of service attack by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.22.0 are vulnerable to CVE-2021-41496

Publish Date: 2021-12-17

URL: CVE-2021-41496

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41496

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.3


⛑️ Automatic Remediation is available for this issue
