
ansible-swisnap's Introduction

SolarWinds Snap Agent Ansible Role


Installs and configures SolarWinds Snap Agent on RHEL/CentOS, Debian/Ubuntu or Windows servers.

For more detailed information about SolarWinds Snap Agent, please refer to the documentation.

Role Variables

Ansible role variables with default values are listed below:

solarwinds_token: ""

AppOptics API token. It must be configured by the user before running the role.

swisnap_hostname_alias: ""

Hostname alias for the server, which will be shown in the AppOptics UI.

swisnap_main_config_path: /opt/SolarWinds/Snap/etc/config.yaml

Path to SolarWinds Snap Agent's main configuration file

swisnap_plugins_config: /opt/SolarWinds/Snap/etc/plugins.d

Path to SolarWinds Snap Agent's plugin configuration files

swinsap_publisher_appoptics_path: /opt/SolarWinds/Snap/etc/plugins.d/publisher-appoptics.yaml

Path to SolarWinds Snap Agent's AppOptics publisher configuration file

swinsap_processes_appoptics_path: /opt/SolarWinds/Snap/etc/plugins.d/publisher-processes.yaml

Path to SolarWinds Snap Agent's processes publisher configuration file

swisnap_auto_discover_path: /opt/SolarWinds/Snap/autoload

Path to SolarWinds Snap Agent's autoload directory for V1 plugins

swisnap_tasks_autoload_path: /opt/SolarWinds/Snap/etc/tasks-autoload.d

Path to SolarWinds Snap Agent's V2 tasks files

swisnap_plugin_path: /opt/SolarWinds/Snap/bin

Path where SolarWinds Snap Agent's plugins binaries are stored

swisnap_task_path: /opt/SolarWinds/Snap/etc/tasks.d

Path to SolarWinds Snap Agent's V1 tasks files

swisnap_service: swisnapd
swisnap_user: solarwinds
swisnap_user_group: solarwinds

Name of the SolarWinds Snap Agent service, and the user and group under which the service will run.

swisnap_log_level: warning
swisnap_log_path: /var/log/SolarWinds/Snap
swisnap_log_format: text

Logging level, path to log file and log format.

swisnap_plugin_trust_level: ""
swisnap_keyring_paths: ""

Plugin trust level for swisnapd. When enabled, only signed plugins whose signatures can be verified are loaded into swisnapd. Signatures are verified against the keyring files listed in swisnap_keyring_paths. Valid values are 0 - Off, 1 - Enabled, 2 - Warning. The default is 1 - Enabled; if this variable is not set, the agent uses the default enabled level.

swisnap_tls_cert_path: ""
swisnap_tls_key_path: ""
swisnap_plugin_tls_cert_path: ""
swisnap_plugin_tls_key_path: ""
swisnap_ca_cert_paths: ""

Secure plugin communication optional parameters.

swisnap_plugin_load_timeout: ""

Maximum time allowed for a plugin to load. The default value is 30.

swisnap_global_tags: {}

Tags that will be applied to collected metrics across tasks

swisnap_restapi_enable: true
swisnap_restapi_https: ""
swisnap_restapi_rest_auth: ""
swisnap_restapi_rest_auth_password: ""
swisnap_restapi_rest_certificate: ""
swisnap_restapi_rest_key: ""
swisnap_restapi_port: ""
swisnap_restapi_addr: ""
swisnap_restapi_plugin_load_timeout: ""

Optional REST API parameters. The REST API is enabled by default.

publisher_appoptics_url: ""
publisher_processes_url: ""

These parameters override the default URLs of the publishers.

swisnap_proxy_url: ""
swisnap_proxy_user: ""
swisnap_proxy_password: ""

Optional proxy settings

swisnap_host_check_timeout: ""

swisnap_host_check_timeout sets the timeout for querying the host operating system for identification information. The default value is 5s.

swisnap_ec2_check_timeout: ""

swisnap_ec2_check_timeout sets the timeout for querying the EC2 instance metadata URL to determine whether the host agent is running on an EC2 (or OpenStack) instance. The default value is 1s.

swisnap_ec2_check_retries: ""

swisnap_ec2_check_retries sets the number of retries for querying the EC2 instance metadata URL to determine whether the host agent is running on an EC2 (or OpenStack) instance. The default value is 3.

swisnap_floor_seconds: ""

Whether to floor timestamps to a specific interval. The default value is 60 seconds.

swisnap_period: ""

Interval at which metrics are reported to the AppOptics API. The default value is 60 seconds.

swisnap_custom_v1_task_path: ""
swisnap_custom_v2_task_path: ""
swisnap_custom_plugin_configs_path: ""

Paths to directories containing custom task and plugin configuration files, which let users configure additional plugins. Each value must be a directory path, e.g. /path/to/directory.

swisnap_win_installer_download_path: ""

Path to which the Windows installer is downloaded. It must be configured by the user before running the role on the Windows platform.

swisnap_package_version: ""

Specific version of the package to install, e.g. 4.0.0.863. This works only on Linux platforms; on Windows the latest package is always installed.

Example Playbook

Install the SolarWinds swisnap role using Ansible Galaxy:

ansible-galaxy install solarwinds.swisnap

or clone this repository into the directory containing your playbook's roles:

git clone https://github.com/solarwinds/ansible-swisnap.git solarwinds.swisnap

Linux

- hosts: localhost
  connection: local
  vars_files:
    - vars/my_vars.yaml
  roles:
    - solarwinds.swisnap

Inside vars/my_vars.yaml:

solarwinds_token: 123456789dbba089e9ff613bb9528320188853b1a08d91d23d2fc9bc1c41ec3e

Windows

- hosts: windows
  vars_files:
    - vars/my_vars.yaml
  roles:
    - solarwinds.swisnap

Inside vars/my_vars.yaml:

solarwinds_token: 123456789dbba089e9ff613bb9528320188853b1a08d91d23d2fc9bc1c41ec3e
swisnap_win_installer_download_path: "C:\\Users\\Administrator\\Downloads\\solarwinds-snap-agent-installer.msi"

Inside inventory:

[windows]
1.2.3.4

Inside group_vars/windows:

ansible_user: Administrator
ansible_password: password
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
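As an added example (not part of the role's README), a hardened vars/my_vars.yaml and group_vars/windows built from the variables above: the API token, REST API password and WinRM password come from Ansible Vault, plugin signature verification stays enabled, the REST API is bound to loopback behind HTTPS and authentication, and WinRM certificate validation is kept on. The vault variable names, certificate paths, proxy host and REST API port are assumptions.

```yaml
# --- vars/my_vars.yaml (added example; every value below is an assumption, not a role default) ---
# Secrets live in a separate vault file (e.g. vars/vault.yaml, encrypted with
# `ansible-vault encrypt`) so the AppOptics token never sits in plaintext in git.
solarwinds_token: "{{ vault_solarwinds_token }}"
swisnap_hostname_alias: "web-01.prod"          # name shown in the AppOptics UI

# Keep plugin signature verification on (1 - Enabled, which is also the default);
# 0 would load unsigned plugin binaries from swisnap_plugin_path without any check.
swisnap_plugin_trust_level: 1
swisnap_keyring_paths: /opt/SolarWinds/Snap/etc/keyring.gpg   # assumed keyring location

# Encrypt agent <-> plugin traffic with the optional TLS parameters.
swisnap_tls_cert_path: /etc/swisnap/tls/agent.crt
swisnap_tls_key_path: /etc/swisnap/tls/agent.key
swisnap_plugin_tls_cert_path: /etc/swisnap/tls/plugin.crt
swisnap_plugin_tls_key_path: /etc/swisnap/tls/plugin.key
swisnap_ca_cert_paths: /etc/swisnap/tls/ca.crt

# The REST API is enabled by default: bind it to loopback only, require HTTPS
# and authentication, and keep its password in the vault as well.
swisnap_restapi_enable: true
swisnap_restapi_addr: 127.0.0.1
swisnap_restapi_port: 21413                    # assumed port
swisnap_restapi_https: true
swisnap_restapi_rest_certificate: /etc/swisnap/tls/restapi.crt
swisnap_restapi_rest_key: /etc/swisnap/tls/restapi.key
swisnap_restapi_rest_auth: true
swisnap_restapi_rest_auth_password: "{{ vault_swisnap_restapi_password }}"

# Proxy credentials, when a proxy is required, are vaulted too.
swisnap_proxy_url: "https://proxy.internal:3128"
swisnap_proxy_user: "{{ vault_proxy_user }}"
swisnap_proxy_password: "{{ vault_proxy_password }}"

# Pin the Linux package so a rerun of the role cannot silently pull a newer build.
swisnap_package_version: 4.0.0.863

# --- group_vars/windows (added example) ---
ansible_user: Administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_port: 5986
ansible_connection: winrm
# "ignore" turns off TLS verification of the WinRM listener, which exposes the
# credentials to interception on the path to the host; validate its certificate instead.
ansible_winrm_server_cert_validation: validate
```

Add the vault file to vars_files next to vars/my_vars.yaml and run the playbook with --ask-vault-pass or --vault-password-file so the vault_* variables resolve.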

ansible-swisnap's People

Contributors: codeowners-change-solarwinds[bot], d-maslyk, dominik-maslyk-swi, gortyy, melord, mend-for-github-com[bot], poleszcz


ansible-swisnap's Issues

CVE-2021-27918 (High) detected in gccgcc-10.2.0 - autoclosed

CVE-2021-27918 - High Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/encoding/xml/xml.go
canner/goroot/src/encoding/xml/xml.go

Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1

CVE-2020-15586 (Medium) detected in gogo1.12.7 - autoclosed

CVE-2020-15586 - Medium Severity Vulnerability

Vulnerable Library - gogo1.12.7

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/net/http/server.go
canner/goroot/src/net/http/server.go

Vulnerability Details

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Publish Date: 2020-07-17

URL: CVE-2020-15586

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586

Release Date: 2020-07-17

Fix Resolution: 1.13.13,1.14.5

CVE-2021-3115 (High) detected in gogo1.12.6 - autoclosed

CVE-2021-3115 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/cmd/go/internal/work/action.go
canner/goroot/src/cmd/go/internal/work/action.go

Vulnerability Details

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

Publish Date: 2021-01-26

URL: CVE-2021-3115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-3115

Release Date: 2021-01-11

Fix Resolution: go1.14.14,go1.15.7

CVE-2021-33197 (Medium) detected in gccgcc-10.2.0 - autoclosed

CVE-2021-33197 - Medium Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

canner/goroot/src/net/http/httputil/reverseproxy.go

Vulnerability Details

A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

Publish Date: 2021-05-20

URL: CVE-2021-33197

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-33197

Release Date: 2021-05-20

Fix Resolution: go1.15.13, go1.16.5

CVE-2020-28367 (High) detected in gogo1.12.6 - autoclosed

CVE-2020-28367 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (1)

canner/goroot/src/cmd/go/internal/work/security.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.

Publish Date: 2020-11-18

URL: CVE-2020-28367

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

CVE-2020-28362 (High) detected in gccgcc-10.2.0 - autoclosed

CVE-2020-28362 - High Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/math/big/nat.go
canner/goroot/src/math/big/nat.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.

Publish Date: 2020-11-18

URL: CVE-2020-28362

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

CVE-2020-26137 (Medium) detected in https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/v3.7.10 - autoclosed

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/v3.7.10

Library home page: https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

CVE-2021-33196 (Medium) detected in gccgcc-10.2.0 - autoclosed

CVE-2021-33196 - Medium Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

A security issue has been found in Go. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.

Publish Date: 2021-05-20

URL: CVE-2021-33196

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-28366 (High) detected in gogo1.12.6 - autoclosed

CVE-2020-28366 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/cmd/go/internal/work/exec.go
canner/goroot/src/cmd/go/internal/work/security.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.

Publish Date: 2020-11-18

URL: CVE-2020-28366

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

CVE-2019-16276 (High) detected in gccgcc-10.2.0 - autoclosed

CVE-2019-16276 - High Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

Publish Date: 2019-09-30

URL: CVE-2019-16276

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276

Release Date: 2019-09-30

Fix Resolution: 1.12.10;1.13.1

CVE-2020-7668 (High) detected in gopm0.7.3 - autoclosed

CVE-2020-7668 - High Severity Vulnerability

Vulnerable Library - gopm0.7.3

Go Package Manager (gopm) is a package manager and build tool for Go.

Library home page: https://github.com/giter/gopm.git

Found in base branch: master

Vulnerable Source Files (1)

canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go

Vulnerability Details

In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Publish Date: 2020-06-23

URL: CVE-2020-7668

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7668

Release Date: 2020-07-07

Fix Resolution: v1.0.1

CVE-2021-33195 (Low) detected in gccgcc-10.2.0 - autoclosed

CVE-2021-33195 - Low Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

Publish Date: 2021-05-20

URL: CVE-2021-33195

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-33195

Release Date: 2021-05-20

Fix Resolution: go1.15.13, go1.16.5

Doesn't work with newer versions of Ansible - '"include" is deprecated, use include_tasks/import_tasks instead.'

Ansible has deprecated the builtin task "include" and has removed support for it. It instructs us to use include_tasks/import_tasks instead.

TASK [solarwinds.swisnap : Check if swisnap_win_installer_download_path is set on Windows] ****************************************************************************************************************************************************************************************
ERROR! [DEPRECATED]: ansible.builtin.include has been removed. Use include_tasks or import_tasks instead. This feature was removed from ansible-core in a release after 2023-05-16. Please update your playbooks.

Can these roles be updated to use the newer/required "include_tasks"?

CVE-2021-33503 (High) detected in urllib31dd69c5c5982fae7c87a620d487c2ebf7a6b436b - autoclosed

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Library - urllib31dd69c5c5982fae7c87a620d487c2ebf7a6b436b

Python HTTP library with thread-safe connection pooling, file post support, user friendly, and more.

Library home page: https://github.com/urllib3/urllib3.git

Found in base branch: master

Vulnerable Source Files (1)

canner/.poetry/lib/poetry/_vendor/py3.7/urllib3/util/url.py

Vulnerability Details

A security issue has been found in python-urllib3 before version 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL was passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-05-22

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-05-22

Fix Resolution: urllib3 - 1.26.5

CVE-2022-24065 (High) detected in cookiecutter-1.7.3-py2.py3-none-any.whl

CVE-2022-24065 - High Severity Vulnerability

Vulnerable Library - cookiecutter-1.7.3-py2.py3-none-any.whl

A command-line utility that creates projects from project templates, e.g. creating a Python package project from a Python package project template.

Library home page: https://files.pythonhosted.org/packages/a2/62/d061b19f307455506e63825586e2e1816b71d56b4a5873c278cb315b9660/cookiecutter-1.7.3-py2.py3-none-any.whl

Path to dependency file: /molecule/requirements.txt

Path to vulnerable library: /molecule/requirements.txt

Dependency Hierarchy:

  • cookiecutter-1.7.3-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Publish Date: 2022-06-08

URL: CVE-2022-24065

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065

Release Date: 2022-06-08

Fix Resolution: cookiecutter - 2.1.1


CVE-2019-20916 (High) detected in pip-19.1.1-py2.py3-none-any.whl - autoclosed

CVE-2019-20916 - High Severity Vulnerability

Vulnerable Library - pip-19.1.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

Publish Date: 2020-09-04

URL: CVE-2019-20916

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916

Release Date: 2020-09-04

Fix Resolution: 19.2


CVE-2020-25659 (Medium) detected in cryptography2.8 - autoclosed

CVE-2020-25659 - Medium Severity Vulnerability

Vulnerable Library - cryptography2.8

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

Library home page: https://github.com/pyca/cryptography.git

Found in base branch: master

Vulnerable Source Files (2)

canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py
canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2020-09-17

Fix Resolution: 3.2

CVE-2020-24553 (Medium) detected in gccgcc-10.2.0 - autoclosed

CVE-2020-24553 - Medium Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/net/http/fcgi/child.go
canner/goroot/src/net/http/fcgi/child.go

Vulnerability Details

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

Publish Date: 2020-09-02

URL: CVE-2020-24553

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs

Release Date: 2020-08-21

Fix Resolution: 1.15.1,1.14.8

CVE-2021-33198 (Medium) detected in gccgcc-10.2.0 - autoclosed

CVE-2021-33198 - Medium Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

canner/goroot/src/math/big/ratconv.go

Vulnerability Details

A security issue has been found in Go before version 1.16.5. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

Publish Date: 2021-05-20

URL: CVE-2021-33198

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-33198

Release Date: 2021-05-20

Fix Resolution: go1.15.13, go1.16.5

CVE-2021-3572 (Medium) detected in pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl - autoclosed

CVE-2021-3572 - Medium Severity Vulnerability

Vulnerable Libraries - pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl

pip-19.1.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)

pip-19.3.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.3.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A security issue has been found in pip before version 21.1. Maliciously formatted tags could be used to hijack a commit-based pin. Using the fact that all of unicode's whitespace characters were allowed as separators - which git allows as a part of a tag name - it is possible to force a different revision to be installed if an attacker gains access to the repository.

Publish Date: 2021-06-01

URL: CVE-2021-3572

CVSS 3 Score Details (4.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-3572

Release Date: 2021-06-01

Fix Resolution: pip - 21.1

CVE-2019-17596 (High) detected in gccgcc-10.2.0 - autoclosed

CVE-2019-17596 - High Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (3)

canner/goroot/src/crypto/dsa/dsa.go
canner/goroot/src/crypto/dsa/dsa.go
canner/goroot/src/crypto/dsa/dsa.go

Vulnerability Details

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Publish Date: 2019-10-24

URL: CVE-2019-17596

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596

Release Date: 2019-10-24

Fix Resolution: go1.12.11, go1.13.2

CVE-2020-14039 (Medium) detected in gccgcc-10.2.0 - autoclosed

CVE-2020-14039 - Medium Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source File

canner/goroot/src/crypto/x509/root_windows.go

Vulnerability Details

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
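
Two things follow from this description for code that verifies client certificates: always pass an explicit `Roots` pool (the incomplete path is taken only when `Roots` is nil), and do not make `Verify` the sole arbiter of extended key usage. The block below is an added example, not Go's or this project's code: it issues a throwaway CA and leaf with ECDSA keys, verifies against an explicit pool, and re-checks the EKU on every returned chain with its own function. The certificate names, lifetimes and key type are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues tmpl signed by parent/parentKey; self-signed when parent is
// nil. Constructed helper for the example, not a production issuer.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// testPKI builds a throwaway CA and a leaf restricted to the given EKUs.
func testPKI(leafEKU []x509.ExtKeyUsage) (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: leafEKU,
	}, ca, caKey)
	return ca, leaf, err
}

// chainHasEKU applies the EKU rule independently of Verify: every certificate
// in the chain must either carry no EKU extension (unrestricted) or list the
// required usage (or anyExtendedKeyUsage).
func chainHasEKU(chain []*x509.Certificate, required x509.ExtKeyUsage) bool {
	for _, cert := range chain {
		if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
			continue
		}
		permitted := false
		for _, eku := range cert.ExtKeyUsage {
			if eku == required || eku == x509.ExtKeyUsageAny {
				permitted = true
				break
			}
		}
		if !permitted {
			return false
		}
	}
	return true
}

// verifyClientCert verifies against an explicit root pool (never nil, so the
// platform verifier path is not taken) and then re-checks client-auth EKU on
// every chain Verify returned.
func verifyClientCert(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if chainHasEKU(chain, x509.ExtKeyUsageClientAuth) {
			return nil
		}
	}
	return errors.New("x509: no verified chain permits client authentication")
}

func main() {
	ca, leaf, err := testPKI([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println("server-only leaf presented as client cert:", verifyClientCert(leaf, ca))
}
```

On Linux `Verify` already rejects the server-only leaf, so `chainHasEKU` never sees it; on an affected Windows build with a nil pool it would have been the only check standing. Keeping the explicit pool and the independent EKU check costs nothing and makes the decision the same on every platform.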

Publish Date: 2020-07-17

URL: CVE-2020-14039

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039

Release Date: 2020-07-17

Fix Resolution: go1.13.13, go1.14.5

CVE-2019-9514 (High) detected in gogo1.12.7 - autoclosed

CVE-2019-9514 - High Severity Vulnerability

Vulnerable Library - gogo1.12.7

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source File

canner/goroot/src/net/http/h2_bundle.go

Vulnerability Details

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9514

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514

Release Date: 2019-08-13

Fix Resolution: go1.11.13, go1.12.8

CVE-2022-24302 (Medium) detected in paramiko-2.8.0-py2.py3-none-any.whl

CVE-2022-24302 - Medium Severity Vulnerability

Vulnerable Library - paramiko-2.8.0-py2.py3-none-any.whl

SSH2 protocol library

Library home page: https://files.pythonhosted.org/packages/72/b5/7b99a3da446338c8b5c73da549e8bc8d8c3a066a9d535e64191ac3b77137/paramiko-2.8.0-py2.py3-none-any.whl

Path to dependency file: /molecule/requirements.txt

Path to vulnerable library: /molecule/requirements.txt

Dependency Hierarchy:

  • paramiko-2.8.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.
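
The same race exists in any language that creates a file and tightens its mode afterwards. The block below is an added example in Go, not paramiko's code and not part of this role: it contrasts the create-then-chmod pattern with a write that sets 0600 at creation and uses O_EXCL, so that a pre-placed file or symlink at the path is never reused. The temporary directory and file name are assumptions, and the key material is a constructed placeholder.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// writePrivateKeyRacy is the pattern behind the advisory: the file is created
// with 0666 masked by the umask (typically 0644, world-readable) and only then
// tightened, so a local user can open it in the window between the two calls.
func writePrivateKeyRacy(path string, key []byte) error {
	if err := os.WriteFile(path, key, 0o666); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

// writePrivateKeySafe closes the window: 0600 is applied at creation, and
// O_EXCL guarantees the call creates a new file rather than writing through a
// pre-existing file or symlink an attacker placed at the path.
func writePrivateKeySafe(path string, key []byte) (err error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer func() {
		if cerr := f.Close(); err == nil {
			err = cerr
		}
	}()
	// The umask can only clear bits, so 0600 cannot widen; verify anyway.
	info, err := f.Stat()
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s: created with mode %04o, want 0600", path, perm)
	}
	if _, err := f.Write(key); err != nil {
		return err
	}
	return f.Sync()
}

// fileMode returns the permission bits of path.
func fileMode(path string) (fs.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "keydemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	key := []byte("-----BEGIN OPENSSH PRIVATE KEY-----\n...\n") // constructed placeholder, not a real key
	racy := filepath.Join(dir, "id_racy")
	fmt.Println("racy write:", writePrivateKeyRacy(racy, key))
	safe := filepath.Join(dir, "id_safe")
	fmt.Println("safe write:", writePrivateKeySafe(safe, key))
	mode, _ := fileMode(safe)
	fmt.Printf("safe mode: %04o\n", mode)
	fmt.Println("second safe write:", writePrivateKeySafe(safe, key)) // refuses to reuse the path
}
```

If the key file must be replaceable, write to a fresh O_EXCL temporary name in the same directory and `rename` it over the old path; the directory itself should not be writable by other users, or the rename can still be raced.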

Publish Date: 2022-03-17

URL: CVE-2022-24302

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.paramiko.org/changelog.html

Release Date: 2022-03-17

Fix Resolution: paramiko - 2.10.1


CVE-2020-16845 (High) detected in gccgcc-10.2.0 - autoclosed

CVE-2020-16845 - High Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source File

canner/goroot/src/encoding/binary/varint.go

Vulnerability Details

Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
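
The defect is the absence of an upper bound on how many continuation bytes a varint may carry. The block below is an added example, not Go's own encoding/binary code: a bounded LEB128 decoder that gives up after `binary.MaxVarintLen64` bytes (the same limit the Go fix applied), the signed variant on top of it, and a constructed hostile reader that returns the continuation bit forever, which an unbounded decoder would spin on.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var errVarintOverflow = errors.New("varint: more than 10 bytes or value exceeds 64 bits")

// readUvarintBounded decodes an unsigned LEB128 varint but stops once
// binary.MaxVarintLen64 (10) bytes have been consumed: a 64-bit value never
// needs more, so anything longer is malformed input, not a value in progress.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // a varint was started but never finished
			}
			return x, err
		}
		if b < 0x80 { // final byte: continuation bit clear
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, errVarintOverflow // would set bits above 63
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Ten continuation bytes in a row: no uint64 encodes this way, so stop
	// reading instead of trusting the stream to terminate eventually.
	return x, errVarintOverflow
}

// readVarintBounded is the signed variant: same bound, then zig-zag decode.
func readVarintBounded(r io.ByteReader) (int64, error) {
	ux, err := readUvarintBounded(r)
	x := int64(ux >> 1)
	if ux&1 != 0 {
		x = ^x
	}
	return x, err
}

// endlessContinuation is a constructed hostile stream: every byte it returns
// has the continuation bit set, so a decoder without a bound never returns.
type endlessContinuation struct{ served int }

func (e *endlessContinuation) ReadByte() (byte, error) {
	e.served++
	return 0x80, nil
}

func main() {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, 300)
	v, err := readUvarintBounded(bytes.NewReader(buf[:n]))
	fmt.Println(v, err) // 300 <nil>

	e := &endlessContinuation{}
	_, err = readUvarintBounded(e)
	fmt.Println(err, "after", e.served, "bytes") // overflow error after 10 bytes
}
```

The hostile reader is the test worth keeping around for any length-prefixed or varint-framed decoder: feed it a stream that never terminates and check that the decoder returns an error after a fixed number of bytes rather than consuming the stream.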

Publish Date: 2020-08-06

URL: CVE-2020-16845

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/golang/go/tree/go1.14.7

Release Date: 2020-08-05

Fix Resolution: go1.13.15,go1.14.7

CVE-2020-7664 (High) detected in gopm0.7.3 - autoclosed

CVE-2020-7664 - High Severity Vulnerability

Vulnerable Library - gopm0.7.3

Go Package Manager (gopm) is a package manager and build tool for Go.

Library home page: https://github.com/giter/gopm.git

Found in base branch: master

Vulnerable Source Files (1)

canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go

Vulnerability Details

In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
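
Whatever extraction library is in use, the guard is the same: resolve each member name under the destination and refuse anything that lands outside it. The block below is an added example, not the cae package's code: a Go extractor that rejects absolute names and any leading or non-leading `..` that escapes the destination, refuses symlink members, and caps the decompressed size of each member. The archive it unpacks is built in memory from constructed entries, and the size limit is an assumption.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var errUnsafePath = errors.New("zip member escapes the destination directory")

// safeJoin resolves a member name under dest and rejects absolute names and
// any name that, once cleaned, is not strictly inside dest. "a/../b" stays
// inside and is allowed; "../b" and "a/../../b" are not.
func safeJoin(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q", errUnsafePath, name)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name)) // Join cleans the result
	if target == cleanDest || !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", errUnsafePath, name)
	}
	return target, nil
}

// copyMember writes one member, refusing to decompress beyond maxSize.
func copyMember(f *zip.File, target string, maxSize int64) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	n, err := io.Copy(out, io.LimitReader(rc, maxSize+1))
	if err != nil {
		return err
	}
	if n > maxSize {
		return fmt.Errorf("member %q exceeds %d bytes", f.Name, maxSize)
	}
	return nil
}

// extractTo unpacks archive under dest and returns the members it wrote
// before stopping at the first refused one.
func extractTo(dest string, archive []byte, maxMemberSize int64) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// NewReader flags insecure names only under GODEBUG=zipinsecurepath=0;
	// the checks below do not depend on that setting.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var done []string
	for _, f := range zr.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return done, err
		}
		if f.Mode()&os.ModeSymlink != 0 {
			return done, fmt.Errorf("symlink member refused: %q", f.Name)
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return done, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return done, err
		}
		if err := copyMember(f, target, maxMemberSize); err != nil {
			return done, err
		}
		done = append(done, f.Name)
	}
	return done, nil
}

type entry struct{ name, body string }

// buildArchive assembles an in-memory zip from constructed entries.
func buildArchive(entries []entry) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(e.body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	data, err := buildArchive([]entry{{"ok.txt", "fine"}, {"../../escape.txt", "pwned"}})
	if err != nil {
		panic(err)
	}
	dir, _ := os.MkdirTemp("", "unzip")
	defer os.RemoveAll(dir)
	done, err := extractTo(dir, data, 1<<20)
	fmt.Println(done, err)
}
```

The prefix check is the one that matters: it is evaluated on the cleaned absolute target, so it catches `..` wherever it appears, including cases where the archive name is syntactically fine but the destination itself is a symlink into somewhere else.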

Publish Date: 2020-06-23

URL: CVE-2020-7664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7664

Release Date: 2020-07-07

Fix Resolution: v1.0.1

CVE-2019-9741 (Medium) detected in gccgcc-10.2.0, gogo1.12.7 - autoclosed

CVE-2019-9741 - Medium Severity Vulnerability

Vulnerable Libraries - gccgcc-10.2.0, gogo1.12.7

Vulnerability Details

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
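
The fix in Go makes `url.Parse` refuse control characters, but code that concatenates untrusted values into a URL or header is still the root cause. The block below is an added example, not Go's net/http code: the concatenating pattern beside a version that routes the value through `url.Values`, and a guard that rejects control characters where encoding is not available, such as header values or a line-oriented backend like Redis. The host `api.internal`, the path and the parameter name are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

var errControlChars = errors.New("value contains control characters")

// buildRequestUnsafe splices an attacker-controlled value straight into the
// URL string. Current Go refuses the control characters at parse time, so
// this now fails with an error instead of emitting an injected header line,
// but the string building remains the defect.
func buildRequestUnsafe(base, userValue string) (*http.Request, error) {
	return http.NewRequest(http.MethodGet, base+"/lookup?key="+userValue, nil)
}

// buildRequestSafe lets url.Values do the encoding: CR and LF become %0D%0A
// and can no longer terminate the request line or start a header.
func buildRequestSafe(base, userValue string) (*http.Request, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	u.Path = "/lookup"
	q := url.Values{}
	q.Set("key", userValue)
	u.RawQuery = q.Encode()
	return http.NewRequest(http.MethodGet, u.String(), nil)
}

// rejectControlChars is the guard for places where encoding is not an
// option: anything below 0x20 or equal to 0x7f is refused outright.
func rejectControlChars(s string) error {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return fmt.Errorf("%w: %q", errControlChars, s)
		}
	}
	return nil
}

// setHeaderSafe applies the guard before the value reaches the header map.
func setHeaderSafe(req *http.Request, name, value string) error {
	if err := rejectControlChars(value); err != nil {
		return err
	}
	req.Header.Set(name, value)
	return nil
}

func main() {
	payload := "x\r\nX-Injected: 1" // constructed attacker input
	_, err := buildRequestUnsafe("http://api.internal", payload)
	fmt.Println("unsafe:", err)
	req, err := buildRequestSafe("http://api.internal", payload)
	fmt.Println("safe:", req.URL.String(), err)
	fmt.Println("header:", setHeaderSafe(req, "X-Trace", payload))
}
```

Where the value has to travel in a line-oriented protocol with no escaping (the Redis inline command case named above), `rejectControlChars` is the only defence: there is no encoding to fall back on, so the value must be refused.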

Publish Date: 2019-03-13

URL: CVE-2019-9741

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9741

Release Date: 2019-03-13

Fix Resolution: 1.12.1

CVE-2021-3114 (Medium) detected in gccgcc-10.2.0 - autoclosed

CVE-2021-3114 - Medium Severity Vulnerability

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source File

canner/goroot/src/crypto/elliptic/p224.go

Vulnerability Details

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

Publish Date: 2021-01-26

URL: CVE-2021-3114

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1918750

Release Date: 2021-01-11

Fix Resolution: go1.14.14, go1.15.7

CVE-2019-11254 (Medium) detected in multiple libraries - autoclosed

CVE-2019-11254 - Medium Severity Vulnerability

Vulnerable Library - gopkg.in/yaml.v2-v2.0.0

YAML support for the Go language.

Dependency Hierarchy (the library is reported three times: twice as a direct dependency and once transitively):

  • gopkg.in/yaml.v2-v2.0.0 (Vulnerable Library)

  • github.com/codegangsta/cli-v1.21.0 (Root Library)
    • gopkg.in/yaml.v2-v2.0.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. The advisory text is written against Kubernetes, but the parser at fault is gopkg.in/yaml.v2, which is why the finding is reported here against that library and why the fix is the v2.2.8 release named below.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/go-yaml/yaml/tree/v2.2.8

Release Date: 2020-04-01

Fix Resolution: v2.2.8

CVE-2020-36242 (High) detected in cryptography2.8 - autoclosed

CVE-2020-36242 - High Severity Vulnerability

Vulnerable Library - cryptography2.8

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

Library home page: https://github.com/pyca/cryptography.git

Found in base branch: master

Vulnerable Source File

canner/.poetry/lib/poetry/_vendor/py2.7/cryptography/hazmat/backends/openssl/ciphers.py

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

Release Date: 2021-02-07

Fix Resolution: cryptography - 3.3.2

CVE-2019-9512 (High) detected in gogo1.12.7 - autoclosed

CVE-2019-9512 - High Severity Vulnerability

Vulnerable Library - gogo1.12.7

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source File

canner/goroot/src/net/http/h2_bundle.go

Vulnerability Details

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
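
Ping floods and the reset floods of CVE-2019-9514 above share one shape: the peer makes the server generate reply frames (PING ACK, RST_STREAM) faster than it reads them. The Go fix bounded the number of such control frames queued for writing per connection and closes the connection when the bound is exceeded. The block below is an added example of that accounting, not Go's http2 server code, and covers both advisories: a per-connection ledger of queued control frames and a simulated peer. The limit of 10000 is the value Go's fix used; the batch and drain parameters of the simulation are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrEnhanceYourCalm signals that the peer has more pending control-frame
// replies than the connection will buffer; the server should answer with
// GOAWAY(ENHANCE_YOUR_CALM) and close the connection.
var ErrEnhanceYourCalm = errors.New("h2: too many queued control frames")

// controlFrameLedger counts replies (PING ACK, RST_STREAM, SETTINGS ACK) that
// have been generated but not yet written to the peer. Bounding this count,
// rather than the number of frames received, is what defeats both floods:
// a peer that reads its replies promptly can ping all day, while one that
// never reads them hits the limit after `limit` frames.
type controlFrameLedger struct {
	queued int
	limit  int
}

func newLedger(limit int) *controlFrameLedger { return &controlFrameLedger{limit: limit} }

// enqueue accounts for one more reply frame waiting to be written.
func (l *controlFrameLedger) enqueue() error {
	l.queued++
	if l.queued > l.limit {
		return ErrEnhanceYourCalm
	}
	return nil
}

// drained records that n queued frames have been flushed to the socket.
func (l *controlFrameLedger) drained(n int) {
	if n > l.queued {
		n = l.queued
	}
	l.queued -= n
}

// onPing handles an incoming PING frame; only a non-ACK PING needs a reply.
func (l *controlFrameLedger) onPing(ack bool) error {
	if ack {
		return nil
	}
	return l.enqueue()
}

// onStreamError handles a stream-level protocol error (the reset-flood
// trigger): the server must answer with RST_STREAM, one more queued frame.
func (l *controlFrameLedger) onStreamError() error { return l.enqueue() }

// simulatePeer replays a peer that sends `frames` PINGs (or malformed
// requests when resets is true) and, after every `batch` of them, reads back
// `readPerBatch` replies. batch == 0 models a peer that never reads: the attack.
func simulatePeer(limit, frames, batch, readPerBatch int, resets bool) (processed int, err error) {
	l := newLedger(limit)
	for i := 0; i < frames; i++ {
		if resets {
			err = l.onStreamError()
		} else {
			err = l.onPing(false)
		}
		if err != nil {
			return processed, err
		}
		processed++
		if batch > 0 && (i+1)%batch == 0 {
			l.drained(readPerBatch)
		}
	}
	return processed, nil
}

func main() {
	n, err := simulatePeer(10000, 50000, 0, 0, false)
	fmt.Printf("non-reading peer: %d pings answered before %v\n", n, err)
	n, err = simulatePeer(10000, 50000, 100, 100, true)
	fmt.Printf("well-behaved peer: %d resets handled, err=%v\n", n, err)
}
```

The third case in the test, a peer that reads back only half of what it provokes, shows why the bound is on the backlog rather than on a rate: the connection survives for a while and is still cut off once the unread replies pile up past the limit.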

Publish Date: 2019-08-13

URL: CVE-2019-9512

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512

Release Date: 2019-08-13

Fix Resolution: go1.11.13, go1.12.8

CVE-2018-20225 (High) detected in pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl - autoclosed

CVE-2018-20225 - High Severity Vulnerability

Vulnerable Libraries - pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl

pip-19.1.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)

pip-19.3.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.3.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Publish Date: 2020-05-08

URL: CVE-2018-20225

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
