From 4ef9c849306d5e2087b7c73ce0feee73a3bc73f3 Mon Sep 17 00:00:00 2001 
From: "github.actions"
Date: Sat, 26 Oct 2024 08:05:07 +0000
Subject: [PATCH] Latest data: Sat Oct 26 08:05:07 UTC 2024

---
 audits/aws-sam-cli-requirements.audit.json | 471 ++++++++++++++++++
 audits/buku-requirements.audit.json | 455 +++++++++++++++++
 audits/certsync-requirements.audit.json | 471 ++++++++++++++++++
 ...cloudformation-cli-requirements.audit.json | 471 ++++++++++++++++++
 audits/fava-requirements.audit.json | 471 ++++++++++++++++++
 audits/gdbgui-requirements.audit.json | 455 +++++++++++++++++
 audits/grip-requirements.audit.json | 471 ++++++++++++++++++
 audits/icloudpd-requirements.audit.json | 469 +++++++++++++++++
 audits/locust-requirements.audit.json | 471 ++++++++++++++++++
 audits/mapproxy-requirements.audit.json | 455 +++++++++++++++++
 audits/moto-requirements.audit.json | 471 ++++++++++++++++++
 audits/prowler-requirements.audit.json | 471 ++++++++++++++++++
 audits/recon-ng-requirements.audit.json | 471 ++++++++++++++++++
 audits/schemathesis-requirements.audit.json | 471 ++++++++++++++++++
 requirements/bbot-requirements.txt | 7 +-
 requirements/gptme-requirements.txt | 16 +-
 requirements/keepkey-agent-requirements.txt | 4 +-
 requirements/onlykey-agent-requirements.txt | 4 +-
 requirements/sigstore-requirements.txt | 2 +-
 requirements/sqlfluff-requirements.txt | 2 +-
 requirements/trezor-agent-requirements.txt | 4 +-
 21 files changed, 6563 insertions(+), 20 deletions(-)
 create mode 100644 audits/aws-sam-cli-requirements.audit.json
 create mode 100644 audits/certsync-requirements.audit.json
 create mode 100644 audits/cloudformation-cli-requirements.audit.json
 create mode 100644 audits/fava-requirements.audit.json
 create mode 100644 audits/grip-requirements.audit.json
 create mode 100644 audits/locust-requirements.audit.json
 create mode 100644 audits/moto-requirements.audit.json
 create mode 100644 audits/prowler-requirements.audit.json
 create mode 100644 audits/recon-ng-requirements.audit.json
 create mode 100644 audits/schemathesis-requirements.audit.json
diff --git a/audits/aws-sam-cli-requirements.audit.json b/audits/aws-sam-cli-requirements.audit.json
new file mode 100644
index 00000000..0552c621
--- /dev/null
+++ b/audits/aws-sam-cli-requirements.audit.json
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "aws-sam-cli-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + 
"2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file
diff --git a/audits/buku-requirements.audit.json b/audits/buku-requirements.audit.json
index b18a5967..a4eaa143 100644
--- a/audits/buku-requirements.audit.json
+++ b/audits/buku-requirements.audit.json
@@ -192,6 +192,441 @@ "nvd_published_at": "2024-05-06T15:15:23Z", "severity": "HIGH" } + }, + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + 
], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } } ], "groups": [ 
@@ -205,6 +640,26 @@ "GHSA-2g68-c3qc-8985" ], "max_severity": "7.5" + }, + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" + }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + }
diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json
new file mode 100644
index 00000000..3c806f19
--- /dev/null
+++ b/audits/certsync-requirements.audit.json
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "certsync-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file
diff --git a/audits/cloudformation-cli-requirements.audit.json b/audits/cloudformation-cli-requirements.audit.json
new file mode 100644
index 00000000..6652ef92
--- /dev/null
+++ b/audits/cloudformation-cli-requirements.audit.json
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "cloudformation-cli-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + 
"2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file
diff --git a/audits/fava-requirements.audit.json b/audits/fava-requirements.audit.json
new file mode 100644
index 00000000..d0f3dd2f
--- /dev/null
+++ b/audits/fava-requirements.audit.json
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "fava-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file diff --git a/audits/gdbgui-requirements.audit.json b/audits/gdbgui-requirements.audit.json index 0f487d2a..7fe76fff 100644 --- a/audits/gdbgui-requirements.audit.json +++ b/audits/gdbgui-requirements.audit.json 
@@ -781,6 +781,178 @@ "severity": "HIGH" } }, + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + 
"last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, { "modified": "2024-02-22T05:33:55Z", "published": "2023-10-25T14:22:59Z", 
@@ -1002,6 +1174,269 @@ "severity": "MODERATE" } }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + 
"2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", 
+ "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, { "modified": "2023-11-08T18:38:34Z", "published": "2023-10-25T18:17:00Z", @@ -1180,6 +1615,16 @@ ], "max_severity": "7.5" }, + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" + }, { "ids": [ "PYSEC-2023-221", @@ -1191,6 +1636,16 @@ "PYSEC-2023-221" ], "max_severity": "7.5" + }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" } ] } diff --git a/audits/grip-requirements.audit.json b/audits/grip-requirements.audit.json new file mode 100644 index 00000000..96fc5784 --- /dev/null +++ b/audits/grip-requirements.audit.json 
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "grip-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file diff --git a/audits/icloudpd-requirements.audit.json b/audits/icloudpd-requirements.audit.json index da7f6c33..1c4d10fc 100644 --- a/audits/icloudpd-requirements.audit.json +++ b/audits/icloudpd-requirements.audit.json 
@@ -1692,5 +1692,474 @@ "max_severity": "8.1" } ] + }, + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "icloudpd-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", 
+ "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] } ] \ No newline at end of file diff --git a/audits/locust-requirements.audit.json b/audits/locust-requirements.audit.json new file mode 100644 index 00000000..aef60c84 --- /dev/null +++ b/audits/locust-requirements.audit.json 
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "locust-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file diff --git a/audits/mapproxy-requirements.audit.json b/audits/mapproxy-requirements.audit.json index c2f87765..ded1445e 100644 --- a/audits/mapproxy-requirements.audit.json +++ b/audits/mapproxy-requirements.audit.json 
@@ -193,6 +193,178 @@ "severity": "HIGH" } }, + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + 
"last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, { "modified": "2024-02-22T05:33:55Z", "published": "2023-10-25T14:22:59Z", 
@@ -583,6 +755,269 @@ "severity": "LOW" } }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + 
"2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", 
+ "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, { "modified": "2024-02-17T05:16:27Z", "published": "2023-02-15T15:36:26Z", @@ -1352,6 +1787,16 @@ ], "max_severity": "7.5" }, + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" + }, { "ids": [ "PYSEC-2023-221", @@ -1376,6 +1821,16 @@ ], "max_severity": "2.6" }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + }, { "ids": [ "PYSEC-2023-58", diff --git a/audits/moto-requirements.audit.json b/audits/moto-requirements.audit.json new file mode 100644 index 00000000..86238843 --- /dev/null +++ b/audits/moto-requirements.audit.json 
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "moto-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file diff --git a/audits/prowler-requirements.audit.json b/audits/prowler-requirements.audit.json new file mode 100644 index 00000000..7004a5e5 --- /dev/null +++ b/audits/prowler-requirements.audit.json 
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "prowler-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json new file mode 100644 index 00000000..f10a605a --- /dev/null +++ b/audits/recon-ng-requirements.audit.json 
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "recon-ng-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + 
"2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file diff --git a/audits/schemathesis-requirements.audit.json b/audits/schemathesis-requirements.audit.json new file mode 100644 index 00000000..f0c3413c --- /dev/null +++ b/audits/schemathesis-requirements.audit.json 
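Review bot: This audit (and the identical schemathesis-requirements audit in the next hunk) records werkzeug 3.0.4 as affected by GHSA-f9vj-2wh5-fj8j / CVE-2024-49766 and GHSA-q34m-jh98-gwm2 / CVE-2024-49767 with `"fixed": "3.0.6"`, yet the commit's diffstat touches no requirements file for the recon-ng or schemathesis dependency groups, so two MODERATE findings are being committed without the pin that would close them. If this bot only refreshes audit data and pins are bumped by a separate step, saying so in the commit description would save reviewers from chasing it; otherwise raising werkzeug to 3.0.6 in both groups addresses the CWE-400 multipart resource-exhaustion issue, which applies to any deployment parsing form data, as well as the CWE-22 `safe_join` issue that the advisory text limits to Windows on Python < 3.11. The quart entry in the second advisory's `affected` list is advisory metadata copied from the OSV record, not evidence that quart is pinned in these groups; only the top-level `"package"` object identifies the audited dependency. Minor: the generated file is written without a trailing newline (`\ No newline at end of file`), which adds noise to every future diff and is easily avoided by the writer emitting a final `\n`.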
@@ -0,0 +1,471 @@ +[ + { + "package": { + "name": "werkzeug", + "version": "3.0.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "schemathesis-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-10-25T21:42:39Z", + "published": "2024-10-25T19:43:41Z", + "schema_version": "1.6.0", + "id": "GHSA-f9vj-2wh5-fj8j", + "aliases": [ + "CVE-2024-49766" + ], + "summary": "Werkzeug safe_join not safe on Windows", + "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + 
"2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:43:41Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-10-25T21:45:09Z", + "published": "2024-10-25T19:44:43Z", + "schema_version": "1.6.0", + "id": "GHSA-q34m-jh98-gwm2", + "aliases": [ + "CVE-2024-49767" + ], + "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", + "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.6" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "3.0.0", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5" + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.0.5", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "quart", + "purl": "pkg:pypi/quart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.19.7" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.10.0", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + 
"0.11.4", + "0.11.5", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.15.0", + "0.15.1", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.17.0", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.19.1", + "0.19.2", + "0.19.3", + "0.19.4", + "0.19.5", + "0.19.6", + "0.2.0", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.10", + "0.6.11", + "0.6.12", + "0.6.13", + "0.6.14", + "0.6.15", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.6.7", + "0.6.8", + "0.6.9", + "0.7.0", + "0.7.1", + "0.7.2", + "0.8.0", + "0.8.1", + "0.9.0", + "0.9.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.19.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-10-25T19:44:43Z", + "nvd_published_at": "2024-10-25T20:15:04Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-f9vj-2wh5-fj8j" + ], + "aliases": [ + "CVE-2024-49766", + "GHSA-f9vj-2wh5-fj8j" + ], + "max_severity": "6.3" 
+ }, + { + "ids": [ + "GHSA-q34m-jh98-gwm2" + ], + "aliases": [ + "CVE-2024-49767", + "GHSA-q34m-jh98-gwm2" + ], + "max_severity": "6.9" + } + ] + } +] \ No newline at end of file
diff --git a/requirements/bbot-requirements.txt b/requirements/bbot-requirements.txt
index 38e65444..edf55547 100644
--- a/requirements/bbot-requirements.txt
+++ b/requirements/bbot-requirements.txt
@@ -10,7 +10,6 @@ charset-normalizer==3.4.0
 cloudcheck==5.0.1.595
 deepdiff==7.0.1
 dnspython==2.7.0
-docutils==0.21.2
 filelock==3.16.1
 h11==0.14.0
 httpcore==1.0.6
@@ -31,7 +30,7 @@ pycryptodome==3.21.0
 pydantic==2.9.2
 pydantic-core==2.23.4
 pyjwt==2.9.0
-python-daemon==3.0.1
+python-daemon==3.1.0
 pyyaml==6.0.2
 pyzmq==26.2.0
 radixtarget==1.1.0.18
@@ -51,6 +50,6 @@ unidecode==1.3.8
 urllib3==2.2.3
 websockets==12.0
 wordninja==2.0.0
-xmltodict==0.12.0
-xmltojson==2.0.2
+xmltodict==0.14.2
+xmltojson==2.0.3
 yara-python==4.5.1
diff --git a/requirements/gptme-requirements.txt b/requirements/gptme-requirements.txt
index 9d7f2959..e60fadbf 100644
--- a/requirements/gptme-requirements.txt
+++ b/requirements/gptme-requirements.txt
@@ -1,6 +1,6 @@
 annotated-types==0.7.0
-anthropic==0.34.2
-anyio==4.6.0
+anthropic==0.36.2
+anyio==4.6.2.post1
 asttokens==2.4.1
 bashlex==0.18
 charset-normalizer==3.4.0
@@ -9,13 +9,13 @@ decorator==5.1.1
 distro==1.9.0
 executing==2.1.0
 filelock==3.16.1
-fsspec==2024.9.0
+fsspec==2024.10.0
 h11==0.14.0
 httpcore==1.0.6
 httpx==0.27.2
-huggingface-hub==0.25.2
+huggingface-hub==0.26.1
 idna==3.10
-ipython==8.28.0
+ipython==8.29.0
 jedi==0.19.1
 jiter==0.6.1
 lxml==5.3.0
@@ -23,7 +23,7 @@ markdown-it-py==3.0.0
 matplotlib-inline==0.1.7
 mdurl==0.1.2
 multiprocessing-logging==any.whl
-openai==1.51.2
+openai==1.52.2
 packaging==24.1
 parso==0.8.4
 pexpect==4.9.0
@@ -39,12 +39,12 @@ python-dotenv==1.0.1
 pyyaml==6.0.2
 regex==2024.9.11
 requests==2.32.3
-rich==13.9.2
+rich==13.9.3
 six==1.16.0
 sniffio==1.3.1
 stack-data==0.6.3
 tabulate==0.9.0
-tiktoken==0.7.0
+tiktoken==0.8.0
 tokenizers==0.20.1
 tomlkit==0.13.2
 tqdm==4.66.5
diff --git a/requirements/keepkey-agent-requirements.txt b/requirements/keepkey-agent-requirements.txt
index 8cd4bbd1..7b974ccd 100644
--- a/requirements/keepkey-agent-requirements.txt
+++ b/requirements/keepkey-agent-requirements.txt
@@ -12,9 +12,9 @@ mnemonic==0.21
 protobuf==3.20.3
 pymsgbox==1.0.9
 pynacl==1.5.0
-python-daemon==3.0.1
+python-daemon==3.1.0
 semver==3.0.2
-setuptools==75.1.0
+setuptools==75.2.0
 six==1.16.0
 unidecode==1.3.8
 wheel==0.44.0
diff --git a/requirements/onlykey-agent-requirements.txt b/requirements/onlykey-agent-requirements.txt
index 5c75f548..b957ef50 100644
--- a/requirements/onlykey-agent-requirements.txt
+++ b/requirements/onlykey-agent-requirements.txt
@@ -21,11 +21,11 @@ pycryptodome==3.21.0
 pymsgbox==1.0.9
 pynacl==1.5.0
 pyserial==3.5
-python-daemon==3.0.1
+python-daemon==3.1.0
 pyusb==1.2.1
 requests==2.32.3
 semver==3.0.2
-setuptools==75.1.0
+setuptools==75.2.0
 six==1.16.0
 unidecode==1.3.8
 urllib3==2.2.3
diff --git a/requirements/sigstore-requirements.txt b/requirements/sigstore-requirements.txt
index 8c8f5e94..1787deb3 100644
--- a/requirements/sigstore-requirements.txt
+++ b/requirements/sigstore-requirements.txt
@@ -22,7 +22,7 @@ pyopenssl==24.2.1
 python-dateutil==2.9.0.post0
 requests==2.32.3
 rfc8785==0.1.4
-rich==13.9.2
+rich==13.9.3
 securesystemslib==1.1.0
 sigstore-protobuf-specs==0.3.2
 sigstore-rekor-types==0.0.13
diff --git a/requirements/sqlfluff-requirements.txt b/requirements/sqlfluff-requirements.txt
index 22f84436..ba19d087 100644
--- a/requirements/sqlfluff-requirements.txt
+++ b/requirements/sqlfluff-requirements.txt
@@ -5,7 +5,7 @@ colorama==0.4.6
 diff-cover==9.2.0
 iniconfig==2.0.0
 jinja2==3.1.4
-markupsafe==3.0.1
+markupsafe==3.0.2
 packaging==24.1
 pathspec==0.12.1
 pluggy==1.5.0
diff --git a/requirements/trezor-agent-requirements.txt b/requirements/trezor-agent-requirements.txt
index 3433994d..1042ceeb 100644
--- a/requirements/trezor-agent-requirements.txt
+++ b/requirements/trezor-agent-requirements.txt
@@ -33,12 +33,12 @@ pyobjc-framework-cocoa==10.3.1
 pyobjc-framework-corebluetooth==10.3.1
 pyobjc-framework-libdispatch==10.3.1
 pyserial==3.5
-python-daemon==3.0.1
+python-daemon==3.1.0
 python-gnupg==0.5.3
 python-u2flib-host==3.0.3
 requests==2.32.3
 semver==3.0.2
-setuptools==75.1.0
+setuptools==75.2.0
 six==1.16.0
 trezor==0.13.9
 typing-extensions==4.12.2