diff --git a/audits/alot-requirements.audit.json b/audits/alot-requirements.audit.json
index 8024503b..c08d99bf 100644
--- a/audits/alot-requirements.audit.json
+++ b/audits/alot-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
@@ -134,7 +134,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:41Z",
+ "modified": "2024-02-16T08:14:29Z",
"published": "2023-10-25T21:15:13Z",
"schema_version": "1.6.0",
"id": "GHSA-xc8x-vp79-p3wm",
diff --git a/audits/animdl-requirements.audit.json b/audits/animdl-requirements.audit.json
index 522c541e..65f89ab7 100644
--- a/audits/animdl-requirements.audit.json
+++ b/audits/animdl-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
diff --git a/audits/athenacli-requirements.audit.json b/audits/athenacli-requirements.audit.json
index ae06ddef..23bef02f 100644
--- a/audits/athenacli-requirements.audit.json
+++ b/audits/athenacli-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/aws-shell-requirements.audit.json b/audits/aws-shell-requirements.audit.json
index d8afc49a..e22d441b 100644
--- a/audits/aws-shell-requirements.audit.json
+++ b/audits/aws-shell-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/awscli-requirements.audit.json b/audits/awscli-requirements.audit.json
index cdc856d5..8a2478ec 100644
--- a/audits/awscli-requirements.audit.json
+++ b/audits/awscli-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T21:47:44Z",
+ "modified": "2024-02-16T08:18:58Z",
"published": "2024-02-05T21:30:31Z",
"schema_version": "1.6.0",
"id": "GHSA-3ww4-gg4f-jr7f",
@@ -207,7 +207,236 @@
}
},
{
- "modified": "2024-02-15T05:32:36Z",
+ "modified": "2024-02-16T21:11:52Z",
+ "published": "2024-01-26T09:30:23Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-9v9h-cgj8-h64p",
+ "aliases": [
+ "CVE-2024-0727"
+ ],
+ "summary": "Null pointer dereference in PKCS12 parsing",
+ "details": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "cryptography",
+ "purl": "pkg:pypi/cryptography"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "42.0.2"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1",
+ "0.2",
+ "0.2.1",
+ "0.2.2",
+ "0.3",
+ "0.4",
+ "0.5",
+ "0.5.1",
+ "0.5.2",
+ "0.5.3",
+ "0.5.4",
+ "0.6",
+ "0.6.1",
+ "0.7",
+ "0.7.1",
+ "0.7.2",
+ "0.8",
+ "0.8.1",
+ "0.8.2",
+ "0.9",
+ "0.9.1",
+ "0.9.2",
+ "0.9.3",
+ "1.0",
+ "1.0.1",
+ "1.0.2",
+ "1.1",
+ "1.1.1",
+ "1.1.2",
+ "1.2",
+ "1.2.1",
+ "1.2.2",
+ "1.2.3",
+ "1.3",
+ "1.3.1",
+ "1.3.2",
+ "1.3.3",
+ "1.3.4",
+ "1.4",
+ "1.5",
+ "1.5.1",
+ "1.5.2",
+ "1.5.3",
+ "1.6",
+ "1.7",
+ "1.7.1",
+ "1.7.2",
+ "1.8",
+ "1.8.1",
+ "1.8.2",
+ "1.9",
+ "2.0",
+ "2.0.1",
+ "2.0.2",
+ "2.0.3",
+ "2.1",
+ "2.1.1",
+ "2.1.2",
+ "2.1.3",
+ "2.1.4",
+ "2.2",
+ "2.2.1",
+ "2.2.2",
+ "2.3",
+ "2.3.1",
+ "2.4",
+ "2.4.1",
+ "2.4.2",
+ "2.5",
+ "2.6",
+ "2.6.1",
+ "2.7",
+ "2.8",
+ "2.9",
+ "2.9.1",
+ "2.9.2",
+ "3.0",
+ "3.1",
+ "3.1.1",
+ "3.2",
+ "3.2.1",
+ "3.3",
+ "3.3.1",
+ "3.3.2",
+ "3.4",
+ "3.4.1",
+ "3.4.2",
+ "3.4.3",
+ "3.4.4",
+ "3.4.5",
+ "3.4.6",
+ "3.4.7",
+ "3.4.8",
+ "35.0.0",
+ "36.0.0",
+ "36.0.1",
+ "36.0.2",
+ "37.0.0",
+ "37.0.1",
+ "37.0.2",
+ "37.0.3",
+ "37.0.4",
+ "38.0.0",
+ "38.0.1",
+ "38.0.2",
+ "38.0.3",
+ "38.0.4",
+ "39.0.0",
+ "39.0.1",
+ "39.0.2",
+ "40.0.0",
+ "40.0.1",
+ "40.0.2",
+ "41.0.0",
+ "41.0.1",
+ "41.0.2",
+ "41.0.3",
+ "41.0.4",
+ "41.0.5",
+ "41.0.6",
+ "41.0.7",
+ "42.0.0",
+ "42.0.1"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-9v9h-cgj8-h64p/GHSA-9v9h-cgj8-h64p.json"
+ },
+ "ecosystem_specific": {
+ "affected_functions": [
+ "cryptography.hazmat.backends.openssl.backend.load_pkcs12"
+ ]
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/github/advisory-database/pull/3472"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/pull/23362"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240208-0006"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openssl.org/news/secadv/20240125.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-16T20:48:36Z",
+ "nvd_published_at": "2024-01-26T09:15:07Z",
+ "severity": "MODERATE"
+ }
+ },
+ {
+ "modified": "2024-02-16T08:08:09Z",
"published": "2023-07-14T21:31:08Z",
"schema_version": "1.6.0",
"id": "GHSA-cf7p-gm2m-833m",
@@ -312,12 +541,13 @@
}
},
{
- "modified": "2024-02-02T22:16:01Z",
+ "modified": "2024-02-17T07:41:40Z",
"published": "2023-11-28T20:46:46Z",
"schema_version": "1.6.0",
"id": "GHSA-jfhm-5ghh-2f97",
"aliases": [
- "CVE-2023-49083"
+ "CVE-2023-49083",
+ "PYSEC-2023-254"
],
"summary": "cryptography vulnerable to NULL-dereference when loading PKCS7 certificates",
"details": "### Summary\n\nCalling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault.\n\n### PoC\nHere is a Python code that triggers the issue:\n```python\nfrom cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates\n\npem_p7 = b\"\"\"\n-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n\"\"\"\n\nder_p7 = b\"\\x30\\x0B\\x06\\x09\\x2A\\x86\\x48\\x86\\xF7\\x0D\\x01\\x07\\x02\"\n\nload_pem_pkcs7_certificates(pem_p7)\nload_der_pkcs7_certificates(der_p7)\n```\n\n### Impact\nExploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability.",
@@ -423,6 +653,10 @@
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
},
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV"
+ },
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/29/2"
@@ -498,6 +732,122 @@
"url": "https://github.com/pyca/cryptography/pull/9208"
}
]
+ },
+ {
+ "modified": "2024-02-17T07:41:40Z",
+ "published": "2023-11-29T19:15:00Z",
+ "schema_version": "1.6.0",
+ "id": "PYSEC-2023-254",
+ "aliases": [
+ "CVE-2023-49083",
+ "GHSA-jfhm-5ghh-2f97"
+ ],
+ "details": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "cryptography",
+ "purl": "pkg:pypi/cryptography"
+ },
+ "ranges": [
+ {
+ "type": "GIT",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "f09c261ca10a31fe41b1262306db7f8f1da0e48a"
+ }
+ ],
+ "repo": "https://github.com/pyca/cryptography"
+ },
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.1"
+ },
+ {
+ "fixed": "41.0.6"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "3.1",
+ "3.1.1",
+ "3.2",
+ "3.2.1",
+ "3.3",
+ "3.3.1",
+ "3.3.2",
+ "3.4",
+ "3.4.1",
+ "3.4.2",
+ "3.4.3",
+ "3.4.4",
+ "3.4.5",
+ "3.4.6",
+ "3.4.7",
+ "3.4.8",
+ "35.0.0",
+ "36.0.0",
+ "36.0.1",
+ "36.0.2",
+ "37.0.0",
+ "37.0.1",
+ "37.0.2",
+ "37.0.3",
+ "37.0.4",
+ "38.0.0",
+ "38.0.1",
+ "38.0.2",
+ "38.0.3",
+ "38.0.4",
+ "39.0.0",
+ "39.0.1",
+ "39.0.2",
+ "40.0.0",
+ "40.0.1",
+ "40.0.2",
+ "41.0.0",
+ "41.0.1",
+ "41.0.2",
+ "41.0.3",
+ "41.0.4",
+ "41.0.5"
+ ],
+ "database_specific": {
+ "source": "https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2023-254.yaml"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pyca/cryptography/pull/9926"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/"
+ }
+ ]
}
],
"groups": [
@@ -510,6 +860,15 @@
"GHSA-3ww4-gg4f-jr7f"
]
},
+ {
+ "ids": [
+ "GHSA-9v9h-cgj8-h64p"
+ ],
+ "aliases": [
+ "CVE-2024-0727",
+ "GHSA-9v9h-cgj8-h64p"
+ ]
+ },
{
"ids": [
"GHSA-cf7p-gm2m-833m",
@@ -523,11 +882,13 @@
},
{
"ids": [
- "GHSA-jfhm-5ghh-2f97"
+ "GHSA-jfhm-5ghh-2f97",
+ "PYSEC-2023-254"
],
"aliases": [
"CVE-2023-49083",
- "GHSA-jfhm-5ghh-2f97"
+ "GHSA-jfhm-5ghh-2f97",
+ "PYSEC-2023-254"
]
}
]
diff --git a/audits/azure-cli-requirements.audit.json b/audits/azure-cli-requirements.audit.json
index ac05314a..36c06f34 100644
--- a/audits/azure-cli-requirements.audit.json
+++ b/audits/azure-cli-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T21:47:44Z",
+ "modified": "2024-02-16T08:18:58Z",
"published": "2024-02-05T21:30:31Z",
"schema_version": "1.6.0",
"id": "GHSA-3ww4-gg4f-jr7f",
@@ -205,6 +205,235 @@
"nvd_published_at": "2024-02-05T21:15:11Z",
"severity": "MODERATE"
}
+ },
+ {
+ "modified": "2024-02-16T21:11:52Z",
+ "published": "2024-01-26T09:30:23Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-9v9h-cgj8-h64p",
+ "aliases": [
+ "CVE-2024-0727"
+ ],
+ "summary": "Null pointer dereference in PKCS12 parsing",
+ "details": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "cryptography",
+ "purl": "pkg:pypi/cryptography"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "42.0.2"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1",
+ "0.2",
+ "0.2.1",
+ "0.2.2",
+ "0.3",
+ "0.4",
+ "0.5",
+ "0.5.1",
+ "0.5.2",
+ "0.5.3",
+ "0.5.4",
+ "0.6",
+ "0.6.1",
+ "0.7",
+ "0.7.1",
+ "0.7.2",
+ "0.8",
+ "0.8.1",
+ "0.8.2",
+ "0.9",
+ "0.9.1",
+ "0.9.2",
+ "0.9.3",
+ "1.0",
+ "1.0.1",
+ "1.0.2",
+ "1.1",
+ "1.1.1",
+ "1.1.2",
+ "1.2",
+ "1.2.1",
+ "1.2.2",
+ "1.2.3",
+ "1.3",
+ "1.3.1",
+ "1.3.2",
+ "1.3.3",
+ "1.3.4",
+ "1.4",
+ "1.5",
+ "1.5.1",
+ "1.5.2",
+ "1.5.3",
+ "1.6",
+ "1.7",
+ "1.7.1",
+ "1.7.2",
+ "1.8",
+ "1.8.1",
+ "1.8.2",
+ "1.9",
+ "2.0",
+ "2.0.1",
+ "2.0.2",
+ "2.0.3",
+ "2.1",
+ "2.1.1",
+ "2.1.2",
+ "2.1.3",
+ "2.1.4",
+ "2.2",
+ "2.2.1",
+ "2.2.2",
+ "2.3",
+ "2.3.1",
+ "2.4",
+ "2.4.1",
+ "2.4.2",
+ "2.5",
+ "2.6",
+ "2.6.1",
+ "2.7",
+ "2.8",
+ "2.9",
+ "2.9.1",
+ "2.9.2",
+ "3.0",
+ "3.1",
+ "3.1.1",
+ "3.2",
+ "3.2.1",
+ "3.3",
+ "3.3.1",
+ "3.3.2",
+ "3.4",
+ "3.4.1",
+ "3.4.2",
+ "3.4.3",
+ "3.4.4",
+ "3.4.5",
+ "3.4.6",
+ "3.4.7",
+ "3.4.8",
+ "35.0.0",
+ "36.0.0",
+ "36.0.1",
+ "36.0.2",
+ "37.0.0",
+ "37.0.1",
+ "37.0.2",
+ "37.0.3",
+ "37.0.4",
+ "38.0.0",
+ "38.0.1",
+ "38.0.2",
+ "38.0.3",
+ "38.0.4",
+ "39.0.0",
+ "39.0.1",
+ "39.0.2",
+ "40.0.0",
+ "40.0.1",
+ "40.0.2",
+ "41.0.0",
+ "41.0.1",
+ "41.0.2",
+ "41.0.3",
+ "41.0.4",
+ "41.0.5",
+ "41.0.6",
+ "41.0.7",
+ "42.0.0",
+ "42.0.1"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-9v9h-cgj8-h64p/GHSA-9v9h-cgj8-h64p.json"
+ },
+ "ecosystem_specific": {
+ "affected_functions": [
+ "cryptography.hazmat.backends.openssl.backend.load_pkcs12"
+ ]
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/github/advisory-database/pull/3472"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/pull/23362"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240208-0006"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openssl.org/news/secadv/20240125.txt"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-16T20:48:36Z",
+ "nvd_published_at": "2024-01-26T09:15:07Z",
+ "severity": "MODERATE"
+ }
}
],
"groups": [
@@ -216,6 +445,15 @@
"CVE-2023-50782",
"GHSA-3ww4-gg4f-jr7f"
]
+ },
+ {
+ "ids": [
+ "GHSA-9v9h-cgj8-h64p"
+ ],
+ "aliases": [
+ "CVE-2024-0727",
+ "GHSA-9v9h-cgj8-h64p"
+ ]
}
]
}
diff --git a/audits/bbot-requirements.audit.json b/audits/bbot-requirements.audit.json
index bbb704f4..51aa1ab8 100644
--- a/audits/bbot-requirements.audit.json
+++ b/audits/bbot-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-02T15:28:50Z",
+ "modified": "2024-02-16T08:08:28Z",
"published": "2023-12-28T21:30:37Z",
"schema_version": "1.6.0",
"id": "GHSA-jpvw-p8pr-9g2x",
@@ -456,7 +456,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-12-20T20:57:57Z",
+ "modified": "2024-02-16T08:21:46Z",
"published": "2023-12-13T00:30:37Z",
"schema_version": "1.6.0",
"id": "GHSA-7j69-qfc3-2fq9",
@@ -730,7 +730,7 @@
}
},
{
- "modified": "2024-02-14T15:11:38Z",
+ "modified": "2024-02-16T08:15:12Z",
"published": "2024-02-06T12:30:31Z",
"schema_version": "1.6.0",
"id": "GHSA-h24r-m9qc-pvpg",
@@ -1022,7 +1022,7 @@
}
},
{
- "modified": "2023-11-18T12:46:01Z",
+ "modified": "2024-02-16T08:30:57Z",
"published": "2023-10-04T15:30:35Z",
"schema_version": "1.6.0",
"id": "GHSA-ww3m-ffrm-qvqv",
@@ -1149,6 +1149,11 @@
"2.14.10rc1",
"2.14.11",
"2.14.11rc1",
+ "2.14.12",
+ "2.14.12rc1",
+ "2.14.13",
+ "2.14.14",
+ "2.14.14rc1",
"2.14.1rc1",
"2.14.2",
"2.14.2rc1",
@@ -1267,7 +1272,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
@@ -1429,7 +1434,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
diff --git a/audits/breezy-requirements.audit.json b/audits/breezy-requirements.audit.json
index e0b0413d..2accbbdc 100644
--- a/audits/breezy-requirements.audit.json
+++ b/audits/breezy-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/buku-requirements.audit.json b/audits/buku-requirements.audit.json
index 290ca21b..07b763a3 100644
--- a/audits/buku-requirements.audit.json
+++ b/audits/buku-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-24T09:49:21Z",
+ "modified": "2024-02-16T08:12:37Z",
"published": "2023-10-25T14:22:59Z",
"schema_version": "1.6.0",
"id": "GHSA-hrfv-mqp8-q5rw",
diff --git a/audits/bzt-requirements.audit.json b/audits/bzt-requirements.audit.json
index 796fc775..6d45640b 100644
--- a/audits/bzt-requirements.audit.json
+++ b/audits/bzt-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/certbot-requirements.audit.json b/audits/certbot-requirements.audit.json
index 7bb7b37e..f157e45a 100644
--- a/audits/certbot-requirements.audit.json
+++ b/audits/certbot-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json
index bfbe4b60..19567f35 100644
--- a/audits/certsync-requirements.audit.json
+++ b/audits/certsync-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
@@ -172,7 +172,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
@@ -400,7 +400,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
diff --git a/audits/charm-tools-requirements.audit.json b/audits/charm-tools-requirements.audit.json
index c9e6dca4..a2e8dec0 100644
--- a/audits/charm-tools-requirements.audit.json
+++ b/audits/charm-tools-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-12-06T01:03:17Z",
+ "modified": "2024-02-16T08:16:40Z",
"published": "2023-10-25T18:32:26Z",
"schema_version": "1.6.0",
"id": "GHSA-mq26-g339-26xf",
@@ -440,7 +440,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/cloudiscovery-requirements.audit.json b/audits/cloudiscovery-requirements.audit.json
index 9e82b92c..b9472f43 100644
--- a/audits/cloudiscovery-requirements.audit.json
+++ b/audits/cloudiscovery-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
diff --git a/audits/dnsviz-requirements.audit.json b/audits/dnsviz-requirements.audit.json
index 817bb206..150f82c0 100644
--- a/audits/dnsviz-requirements.audit.json
+++ b/audits/dnsviz-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-05T22:56:53Z",
+ "modified": "2024-02-16T08:24:18Z",
"published": "2024-02-05T21:30:31Z",
"schema_version": "1.6.0",
"id": "GHSA-944j-8ch6-rf6x",
diff --git a/audits/dstack-requirements.audit.json b/audits/dstack-requirements.audit.json
index 9242217c..843f25d8 100644
--- a/audits/dstack-requirements.audit.json
+++ b/audits/dstack-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:12:36Z",
+ "modified": "2024-02-16T08:08:47Z",
"published": "2023-05-15T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-4xqq-73wg-5mjp",
diff --git a/audits/duplicity-requirements.audit.json b/audits/duplicity-requirements.audit.json
index bea27786..cdc17c38 100644
--- a/audits/duplicity-requirements.audit.json
+++ b/audits/duplicity-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
diff --git a/audits/dvc-requirements.audit.json b/audits/dvc-requirements.audit.json
index 7ab19b1f..8ab77350 100644
--- a/audits/dvc-requirements.audit.json
+++ b/audits/dvc-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/esphome-requirements.audit.json b/audits/esphome-requirements.audit.json
index 4283d838..50ace7b0 100644
--- a/audits/esphome-requirements.audit.json
+++ b/audits/esphome-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
diff --git a/audits/esptool-requirements.audit.json b/audits/esptool-requirements.audit.json
index 3ae97c7d..6efc8b82 100644
--- a/audits/esptool-requirements.audit.json
+++ b/audits/esptool-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
diff --git a/audits/fdroidserver-requirements.audit.json b/audits/fdroidserver-requirements.audit.json
index c1e44e8c..4d3fad40 100644
--- a/audits/fdroidserver-requirements.audit.json
+++ b/audits/fdroidserver-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T16:45:30Z",
+ "modified": "2024-02-16T08:14:20Z",
"published": "2024-01-10T15:46:00Z",
"schema_version": "1.6.0",
"id": "GHSA-2mqj-m65w-jghx",
@@ -371,7 +371,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-15T05:29:30Z",
+ "modified": "2024-02-16T08:04:59Z",
"published": "2023-12-18T19:22:09Z",
"schema_version": "1.6.0",
"id": "GHSA-45x7-px36-x8w8",
diff --git a/audits/flintrock-requirements.audit.json b/audits/flintrock-requirements.audit.json
index 57e8dbc1..3ece5773 100644
--- a/audits/flintrock-requirements.audit.json
+++ b/audits/flintrock-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-15T05:29:30Z",
+ "modified": "2024-02-16T08:04:59Z",
"published": "2023-12-18T19:22:09Z",
"schema_version": "1.6.0",
"id": "GHSA-45x7-px36-x8w8",
diff --git a/audits/http-prompt-requirements.audit.json b/audits/http-prompt-requirements.audit.json
index 1aecd896..d48dcc0e 100644
--- a/audits/http-prompt-requirements.audit.json
+++ b/audits/http-prompt-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-22T18:19:11Z",
+ "modified": "2024-02-16T08:21:08Z",
"published": "2023-11-16T18:30:31Z",
"schema_version": "1.6.0",
"id": "GHSA-8r96-8889-qg2x",
diff --git a/audits/icloudpd-requirements.audit.json b/audits/icloudpd-requirements.audit.json
index 3d900116..c039d20f 100644
--- a/audits/icloudpd-requirements.audit.json
+++ b/audits/icloudpd-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-15T05:31:27Z",
+ "modified": "2024-02-16T08:23:44Z",
"published": "2023-07-25T14:43:53Z",
"schema_version": "1.6.0",
"id": "GHSA-xqr8-7jwr-rhp7",
@@ -261,7 +261,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/iredis-requirements.audit.json b/audits/iredis-requirements.audit.json
index ee5e26b1..a711749d 100644
--- a/audits/iredis-requirements.audit.json
+++ b/audits/iredis-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/keepkey-agent-requirements.audit.json b/audits/keepkey-agent-requirements.audit.json
index 42f7deee..df9b73e0 100644
--- a/audits/keepkey-agent-requirements.audit.json
+++ b/audits/keepkey-agent-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
diff --git a/audits/khal-requirements.audit.json b/audits/khal-requirements.audit.json
index 886ca51b..86705e93 100644
--- a/audits/khal-requirements.audit.json
+++ b/audits/khal-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/khard-requirements.audit.json b/audits/khard-requirements.audit.json
index 0ccbbc3e..f61d6f9b 100644
--- a/audits/khard-requirements.audit.json
+++ b/audits/khard-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/litani-requirements.audit.json b/audits/litani-requirements.audit.json
index 5063748b..7014b2df 100644
--- a/audits/litani-requirements.audit.json
+++ b/audits/litani-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
diff --git a/audits/litecli-requirements.audit.json b/audits/litecli-requirements.audit.json
index 4d4b036f..a195e202 100644
--- a/audits/litecli-requirements.audit.json
+++ b/audits/litecli-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/literate-git-requirements.audit.json b/audits/literate-git-requirements.audit.json
index 0869bd07..f3668a07 100644
--- a/audits/literate-git-requirements.audit.json
+++ b/audits/literate-git-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
@@ -172,7 +172,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:04:36Z",
+ "modified": "2024-02-16T08:10:21Z",
"published": "2021-04-20T16:35:47Z",
"schema_version": "1.6.0",
"id": "GHSA-9w8r-397f-prfh",
@@ -285,7 +285,7 @@
}
},
{
- "modified": "2024-02-14T05:21:11Z",
+ "modified": "2024-02-16T08:22:13Z",
"published": "2023-07-19T15:30:26Z",
"schema_version": "1.6.0",
"id": "GHSA-mrwq-x4v8-fh7p",
@@ -444,7 +444,7 @@
}
},
{
- "modified": "2023-11-08T04:05:24Z",
+ "modified": "2024-02-16T08:16:19Z",
"published": "2021-03-29T16:33:03Z",
"schema_version": "1.6.0",
"id": "GHSA-pq64-v7f5-gqh8",
diff --git a/audits/localstack-requirements.audit.json b/audits/localstack-requirements.audit.json
index 64fac32a..8511cf3b 100644
--- a/audits/localstack-requirements.audit.json
+++ b/audits/localstack-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
diff --git a/audits/magic-wormhole-requirements.audit.json b/audits/magic-wormhole-requirements.audit.json
index 9a15ade1..0d08a42a 100644
--- a/audits/magic-wormhole-requirements.audit.json
+++ b/audits/magic-wormhole-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:41Z",
+ "modified": "2024-02-16T08:14:29Z",
"published": "2023-10-25T21:15:13Z",
"schema_version": "1.6.0",
"id": "GHSA-xc8x-vp79-p3wm",
diff --git a/audits/mavsdk-requirements.audit.json b/audits/mavsdk-requirements.audit.json
index 544bf753..00519cf6 100644
--- a/audits/mavsdk-requirements.audit.json
+++ b/audits/mavsdk-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json
index 1cecc562..b5ee889b 100644
--- a/audits/mentat-requirements.audit.json
+++ b/audits/mentat-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T16:45:30Z",
+ "modified": "2024-02-16T08:14:20Z",
"published": "2024-01-10T15:46:00Z",
"schema_version": "1.6.0",
"id": "GHSA-2mqj-m65w-jghx",
diff --git a/audits/moto-requirements.audit.json b/audits/moto-requirements.audit.json
index c7609449..7a168f47 100644
--- a/audits/moto-requirements.audit.json
+++ b/audits/moto-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
diff --git a/audits/mycli-requirements.audit.json b/audits/mycli-requirements.audit.json
index cfcc0536..b475211c 100644
--- a/audits/mycli-requirements.audit.json
+++ b/audits/mycli-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/onlykey-agent-requirements.audit.json b/audits/onlykey-agent-requirements.audit.json
index 0a535f3d..02a65fbe 100644
--- a/audits/onlykey-agent-requirements.audit.json
+++ b/audits/onlykey-agent-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
@@ -139,7 +139,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
@@ -367,7 +367,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/openai-whisper-requirements.audit.json b/audits/openai-whisper-requirements.audit.json
index 8627c791..1aa313cf 100644
--- a/audits/openai-whisper-requirements.audit.json
+++ b/audits/openai-whisper-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
diff --git a/audits/pdfalyzer-requirements.audit.json b/audits/pdfalyzer-requirements.audit.json
index faed0b9c..8431a40d 100644
--- a/audits/pdfalyzer-requirements.audit.json
+++ b/audits/pdfalyzer-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-11T05:19:21Z",
+ "modified": "2024-02-16T08:11:47Z",
"published": "2023-06-30T20:33:57Z",
"schema_version": "1.6.0",
"id": "GHSA-4vvm-4w3v-6mr8",
diff --git a/audits/pgcli-requirements.audit.json b/audits/pgcli-requirements.audit.json
index 9c153622..f82aa158 100644
--- a/audits/pgcli-requirements.audit.json
+++ b/audits/pgcli-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/platformio-requirements.audit.json b/audits/platformio-requirements.audit.json
index 7bb4dafa..f9892d20 100644
--- a/audits/platformio-requirements.audit.json
+++ b/audits/platformio-requirements.audit.json
@@ -10,13 +10,265 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-05T17:18:11Z",
- "published": "2024-02-05T17:01:19Z",
+ "modified": "2024-02-17T06:26:40Z",
+ "published": "2024-02-12T17:28:12Z",
"schema_version": "1.6.0",
- "id": "GHSA-93gm-qmq6-w238",
- "summary": "Starlette Content-Type Header ReDoS",
- "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a Starlette app that uses form data. To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\nOriginal report to FastAPI
\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n ",
+ "id": "GHSA-2jv5-9r88-3w3p",
+ "aliases": [
+ "CVE-2024-24762",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389",
+ "PYSEC-2024-38"
+ ],
+ "summary": "python-multipart vulnerable to Content-Type Header ReDoS",
+ "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\nOriginal report to FastAPI
\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n ",
"affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "python-multipart",
+ "purl": "pkg:pypi/python-multipart"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.7"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.0.1",
+ "0.0.2",
+ "0.0.3",
+ "0.0.4",
+ "0.0.5",
+ "0.0.6"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.0.6",
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "fastapi",
+ "purl": "pkg:pypi/fastapi"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.109.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1.0",
+ "0.1.10",
+ "0.1.11",
+ "0.1.12",
+ "0.1.13",
+ "0.1.14",
+ "0.1.15",
+ "0.1.16",
+ "0.1.17",
+ "0.1.18",
+ "0.1.19",
+ "0.1.2",
+ "0.1.3",
+ "0.1.4",
+ "0.1.5",
+ "0.1.6",
+ "0.1.7",
+ "0.1.8",
+ "0.1.9",
+ "0.10.0",
+ "0.10.1",
+ "0.10.2",
+ "0.100.0",
+ "0.100.0b1",
+ "0.100.0b2",
+ "0.100.0b3",
+ "0.100.1",
+ "0.101.0",
+ "0.101.1",
+ "0.102.0",
+ "0.103.0",
+ "0.103.1",
+ "0.103.2",
+ "0.104.0",
+ "0.104.1",
+ "0.105.0",
+ "0.106.0",
+ "0.107.0",
+ "0.108.0",
+ "0.109.0",
+ "0.11.0",
+ "0.12.0",
+ "0.12.1",
+ "0.13.0",
+ "0.14.0",
+ "0.15.0",
+ "0.16.0",
+ "0.17.0",
+ "0.18.0",
+ "0.19.0",
+ "0.2.0",
+ "0.2.1",
+ "0.20.0",
+ "0.20.1",
+ "0.21.0",
+ "0.22.0",
+ "0.23.0",
+ "0.24.0",
+ "0.25.0",
+ "0.26.0",
+ "0.27.0",
+ "0.27.1",
+ "0.27.2",
+ "0.28.0",
+ "0.29.0",
+ "0.29.1",
+ "0.3.0",
+ "0.30.0",
+ "0.30.1",
+ "0.31.0",
+ "0.32.0",
+ "0.33.0",
+ "0.34.0",
+ "0.35.0",
+ "0.36.0",
+ "0.37.0",
+ "0.38.0",
+ "0.38.1",
+ "0.39.0",
+ "0.4.0",
+ "0.40.0",
+ "0.41.0",
+ "0.42.0",
+ "0.43.0",
+ "0.44.0",
+ "0.44.1",
+ "0.45.0",
+ "0.46.0",
+ "0.47.0",
+ "0.47.1",
+ "0.48.0",
+ "0.49.0",
+ "0.49.1",
+ "0.49.2",
+ "0.5.0",
+ "0.5.1",
+ "0.50.0",
+ "0.51.0",
+ "0.52.0",
+ "0.53.0",
+ "0.53.1",
+ "0.53.2",
+ "0.54.0",
+ "0.54.1",
+ "0.54.2",
+ "0.55.0",
+ "0.55.1",
+ "0.56.0",
+ "0.56.1",
+ "0.57.0",
+ "0.58.0",
+ "0.58.1",
+ "0.59.0",
+ "0.6.0",
+ "0.6.1",
+ "0.6.2",
+ "0.6.3",
+ "0.6.4",
+ "0.60.0",
+ "0.60.1",
+ "0.60.2",
+ "0.61.0",
+ "0.61.1",
+ "0.61.2",
+ "0.62.0",
+ "0.63.0",
+ "0.64.0",
+ "0.65.0",
+ "0.65.1",
+ "0.65.2",
+ "0.65.3",
+ "0.66.0",
+ "0.66.1",
+ "0.67.0",
+ "0.68.0",
+ "0.68.1",
+ "0.68.2",
+ "0.69.0",
+ "0.7.0",
+ "0.7.1",
+ "0.70.0",
+ "0.70.1",
+ "0.71.0",
+ "0.72.0",
+ "0.73.0",
+ "0.74.0",
+ "0.74.1",
+ "0.75.0",
+ "0.75.1",
+ "0.75.2",
+ "0.76.0",
+ "0.77.0",
+ "0.77.1",
+ "0.78.0",
+ "0.79.0",
+ "0.79.1",
+ "0.8.0",
+ "0.80.0",
+ "0.81.0",
+ "0.82.0",
+ "0.83.0",
+ "0.84.0",
+ "0.85.0",
+ "0.85.1",
+ "0.85.2",
+ "0.86.0",
+ "0.87.0",
+ "0.88.0",
+ "0.89.0",
+ "0.89.1",
+ "0.9.0",
+ "0.9.1",
+ "0.90.0",
+ "0.90.1",
+ "0.91.0",
+ "0.92.0",
+ "0.93.0",
+ "0.94.0",
+ "0.94.1",
+ "0.95.0",
+ "0.95.1",
+ "0.95.2",
+ "0.96.0",
+ "0.96.1",
+ "0.97.0",
+ "0.98.0",
+ "0.99.0",
+ "0.99.1"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.109.0",
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
+ }
+ },
{
"package": {
"ecosystem": "PyPI",
@@ -186,7 +438,7 @@
],
"database_specific": {
"last_known_affected_version_range": "<= 0.36.1",
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json"
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
}
}
],
@@ -197,21 +449,49 @@
}
],
"references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
+ },
{
"type": "WEB",
"url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
+ },
{
"type": "WEB",
"url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
},
{
"type": "WEB",
- "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
+ "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
},
{
"type": "PACKAGE",
- "url": "https://github.com/encode/starlette"
+ "url": "https://github.com/Kludex/python-multipart"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
}
],
"database_specific": {
@@ -219,7 +499,7 @@
"CWE-400"
],
"github_reviewed": true,
- "github_reviewed_at": "2024-02-05T17:01:19Z",
+ "github_reviewed_at": "2024-02-12T17:28:12Z",
"nvd_published_at": null,
"severity": "HIGH"
}
@@ -228,10 +508,14 @@
"groups": [
{
"ids": [
- "GHSA-93gm-qmq6-w238"
+ "GHSA-2jv5-9r88-3w3p"
],
"aliases": [
- "GHSA-93gm-qmq6-w238"
+ "CVE-2024-24762",
+ "GHSA-2jv5-9r88-3w3p",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389",
+ "PYSEC-2024-38"
]
}
]
diff --git a/audits/pocsuite3-requirements.audit.json b/audits/pocsuite3-requirements.audit.json
index 63acdfbe..76e6f6a7 100644
--- a/audits/pocsuite3-requirements.audit.json
+++ b/audits/pocsuite3-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
diff --git a/audits/psutils-requirements.audit.json b/audits/psutils-requirements.audit.json
index 38316fcf..6876c69b 100644
--- a/audits/psutils-requirements.audit.json
+++ b/audits/psutils-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-09T05:29:46Z",
+ "modified": "2024-02-16T08:11:59Z",
"published": "2023-10-31T22:22:50Z",
"schema_version": "1.6.0",
"id": "GHSA-wjcc-cq79-p63f",
diff --git a/audits/pypy-requirements.audit.json b/audits/pypy-requirements.audit.json
index 69415550..38da009d 100644
--- a/audits/pypy-requirements.audit.json
+++ b/audits/pypy-requirements.audit.json
@@ -205,7 +205,7 @@
}
},
{
- "modified": "2023-12-06T01:03:17Z",
+ "modified": "2024-02-16T08:16:40Z",
"published": "2023-10-25T18:32:26Z",
"schema_version": "1.6.0",
"id": "GHSA-mq26-g339-26xf",
diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json
index d3918731..025c79c5 100644
--- a/audits/recon-ng-requirements.audit.json
+++ b/audits/recon-ng-requirements.audit.json
@@ -357,7 +357,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-14T05:32:56Z",
+ "modified": "2024-02-16T08:18:43Z",
"published": "2024-01-11T15:20:48Z",
"schema_version": "1.6.0",
"id": "GHSA-h5c8-rqwp-cp95",
@@ -519,7 +519,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:12:15Z",
+ "modified": "2024-02-16T08:24:33Z",
"published": "2023-03-26T21:30:23Z",
"schema_version": "1.6.0",
"id": "GHSA-24wv-mv5m-xv4h",
@@ -688,7 +688,7 @@
}
},
{
- "modified": "2023-11-08T04:12:15Z",
+ "modified": "2024-02-16T08:08:55Z",
"published": "2023-03-26T21:30:23Z",
"schema_version": "1.6.0",
"id": "GHSA-8fww-64cx-x8p5",
@@ -1052,7 +1052,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-16T05:20:39Z",
+ "modified": "2024-02-16T08:09:04Z",
"published": "2023-05-22T20:36:32Z",
"schema_version": "1.6.0",
"id": "GHSA-j8r2-6x86-q33q",
@@ -1378,7 +1378,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
@@ -2175,7 +2175,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-24T09:49:21Z",
+ "modified": "2024-02-16T08:12:37Z",
"published": "2023-10-25T14:22:59Z",
"schema_version": "1.6.0",
"id": "GHSA-hrfv-mqp8-q5rw",
@@ -2389,7 +2389,7 @@
}
},
{
- "modified": "2023-11-08T04:11:43Z",
+ "modified": "2024-02-17T05:35:00Z",
"published": "2023-02-15T15:37:03Z",
"schema_version": "1.6.0",
"id": "GHSA-px8h-6qxv-m22q",
@@ -2540,7 +2540,7 @@
},
{
"type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20230818-0003/"
+ "url": "https://security.netapp.com/advisory/ntap-20230818-0003"
},
{
"type": "WEB",
@@ -2558,7 +2558,7 @@
}
},
{
- "modified": "2024-02-16T08:03:26Z",
+ "modified": "2024-02-17T05:16:27Z",
"published": "2023-02-15T15:36:26Z",
"schema_version": "1.6.0",
"id": "GHSA-xg9f-g7g7-2323",
@@ -2709,7 +2709,7 @@
},
{
"type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20230818-0003/"
+ "url": "https://security.netapp.com/advisory/ntap-20230818-0003"
},
{
"type": "WEB",
diff --git a/audits/scoutsuite-requirements.audit.json b/audits/scoutsuite-requirements.audit.json
index d786a28d..56b27e80 100644
--- a/audits/scoutsuite-requirements.audit.json
+++ b/audits/scoutsuite-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
diff --git a/audits/sickchill-requirements.audit.json b/audits/sickchill-requirements.audit.json
index 1d737874..41acfaa9 100644
--- a/audits/sickchill-requirements.audit.json
+++ b/audits/sickchill-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/sigstore-requirements.audit.json b/audits/sigstore-requirements.audit.json
new file mode 100644
index 00000000..ccd420a0
--- /dev/null
+++ b/audits/sigstore-requirements.audit.json
@@ -0,0 +1,92 @@
+[
+ {
+ "package": {
+ "name": "tuf",
+ "version": "3.1.0",
+ "ecosystem": "PyPI"
+ },
+ "dependency_groups": [
+ "sigstore-requirements"
+ ],
+ "vulnerabilities": [
+ {
+ "modified": "2024-02-17T00:21:02Z",
+ "published": "2024-02-16T23:35:39Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-77hh-43cm-v8j6",
+ "summary": "tuf's Metadata API: Targets.get_delegated_role() is missing input validation",
+ "details": "The security of both a TUF client and repository implementations depend on the concept of trusted Metadata objects verifying the signatures over other Metadata that it delegates to. This verification process uses `Targets.get_delegated_role(delegated_role: str)` to find the delegation information.\n\n`tuf.api.metadata.Targets.get_delegated_role()` should ensure that the given `delegated_rolename` is actually a name of a role that is delegated by that Targets, but in the case of \"succinct delegation\" this does not happen.\n\n`tuf.ngclient` users are **not** impacted but direct users of `tuf.api.metadata` could be impacted.\n\n### Impact\n\nIf an attacker can make a Metadata API user run `Targets.get_delegated_role()` so that \n1. the `Targets` uses succinct delegation\n1. the `delegated_role` argument is not actually delegated by the `Targets`\n\nthe result will be incorrect.\n\nThis also means that if an attacker can make a Metadata API user run `Targets.verify_delegate()` or `Targets.get_verification_result()` so that\n1. the delegating `Targets` uses a succinct delegation\n1. the `delegated_role` argument is the name of some unrelated Metadata\n1. that other Metadata is correctly signed by the keys defined in the succinct delegation\n\nthe result would be a successful verification even though the `Targets` in question does not actually delegate to `delegated_role`.\n\nThe impact is estimated to be low for following reasons:\n\n* This cannot impact a TUF client that implements the client workflow as specified since the delegated role name is not an input but is collected from the (trusted) delegating Targets itself\n* Actual signature verification is not bypassed: The verified metadata _must_ still be correctly signed by the keys specified in the delegating role.\n* The described situations are somewhat hypothetical: there does not seem to be any reason for a python-tuf user (whether client or a repository) to use `tuf.api.metadata` in this way.\n\nAll users of `tuf.ngclient` are specifically **not** impacted. Users of `tuf.api.metadata` could be impacted if they use succinct delegations in a way described above.\n\n### Patches\n\nA fix is available in python-tuf 3.1.1 as commit 77cb66bc and in later releases as commit eb4834d9._\n\n### Workarounds\n\n`tuf.api.metadata` users should only call `Targets.get_delegated_role()`, `Targets.verify_delegate()` or `Targets.get_verification_result()` with `delegated_role` argument that is known to be delegated by the `Targets` in question.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "tuf",
+ "purl": "pkg:pypi/tuf"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "3.1.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "2.0.0",
+ "2.1.0",
+ "3.0.0",
+ "3.1.0"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-77hh-43cm-v8j6/GHSA-77hh-43cm-v8j6.json"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-77hh-43cm-v8j6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/theupdateframework/python-tuf/commit/77cb66bc879d108c449ba4c46dfb0e3a9e57a785"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/theupdateframework/python-tuf/commit/eb4834d9205d07ae164bc6c5b97787585c0acfdc"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/theupdateframework/python-tuf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/theupdateframework/python-tuf/releases/tag/v3.1.1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-16T23:35:39Z",
+ "nvd_published_at": null,
+ "severity": "LOW"
+ }
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-77hh-43cm-v8j6"
+ ],
+ "aliases": [
+ "GHSA-77hh-43cm-v8j6"
+ ]
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/audits/snapcraft-requirements.audit.json b/audits/snapcraft-requirements.audit.json
index 8ecc5a01..08907193 100644
--- a/audits/snapcraft-requirements.audit.json
+++ b/audits/snapcraft-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/ssh-mitm-requirements.audit.json b/audits/ssh-mitm-requirements.audit.json
index 6b553012..1b494f3d 100644
--- a/audits/ssh-mitm-requirements.audit.json
+++ b/audits/ssh-mitm-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
@@ -139,7 +139,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-15T05:29:30Z",
+ "modified": "2024-02-16T08:04:59Z",
"published": "2023-12-18T19:22:09Z",
"schema_version": "1.6.0",
"id": "GHSA-45x7-px36-x8w8",
diff --git a/audits/terminator-requirements.audit.json b/audits/terminator-requirements.audit.json
index ca5df89b..3b795136 100644
--- a/audits/terminator-requirements.audit.json
+++ b/audits/terminator-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:11:58Z",
+ "modified": "2024-02-16T08:11:38Z",
"published": "2023-04-03T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-c33w-24p9-8m24",
diff --git a/audits/tern-requirements.audit.json b/audits/tern-requirements.audit.json
index e952a8da..9b4e5b5c 100644
--- a/audits/tern-requirements.audit.json
+++ b/audits/tern-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T16:45:30Z",
+ "modified": "2024-02-16T08:14:20Z",
"published": "2024-01-10T15:46:00Z",
"schema_version": "1.6.0",
"id": "GHSA-2mqj-m65w-jghx",
@@ -183,7 +183,7 @@
}
},
{
- "modified": "2023-11-08T04:13:23Z",
+ "modified": "2024-02-16T08:22:24Z",
"published": "2023-08-30T20:09:36Z",
"schema_version": "1.6.0",
"id": "GHSA-cwvm-v4w8-q58c",
@@ -366,7 +366,7 @@
}
},
{
- "modified": "2023-11-08T04:13:22Z",
+ "modified": "2024-02-16T08:22:01Z",
"published": "2023-08-29T23:33:53Z",
"schema_version": "1.6.0",
"id": "GHSA-wfm5-v35h-vwf4",
@@ -1037,7 +1037,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/theharvester-requirements.audit.json b/audits/theharvester-requirements.audit.json
index c20cdd92..19a47808 100644
--- a/audits/theharvester-requirements.audit.json
+++ b/audits/theharvester-requirements.audit.json
@@ -10,16 +10,833 @@
],
"vulnerabilities": [
{
- "modified": "2024-02-05T17:28:33Z",
- "published": "2024-02-05T17:01:54Z",
+ "modified": "2024-02-17T06:26:40Z",
+ "published": "2024-02-12T17:28:12Z",
"schema_version": "1.6.0",
- "id": "GHSA-qf9m-vfgh-m389",
+ "id": "GHSA-2jv5-9r88-3w3p",
"aliases": [
- "CVE-2024-24762"
+ "CVE-2024-24762",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389",
+ "PYSEC-2024-38"
+ ],
+ "summary": "python-multipart vulnerable to Content-Type Header ReDoS",
+ "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\nOriginal report to FastAPI
\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n ",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "python-multipart",
+ "purl": "pkg:pypi/python-multipart"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.7"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.0.1",
+ "0.0.2",
+ "0.0.3",
+ "0.0.4",
+ "0.0.5",
+ "0.0.6"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.0.6",
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "fastapi",
+ "purl": "pkg:pypi/fastapi"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.109.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1.0",
+ "0.1.10",
+ "0.1.11",
+ "0.1.12",
+ "0.1.13",
+ "0.1.14",
+ "0.1.15",
+ "0.1.16",
+ "0.1.17",
+ "0.1.18",
+ "0.1.19",
+ "0.1.2",
+ "0.1.3",
+ "0.1.4",
+ "0.1.5",
+ "0.1.6",
+ "0.1.7",
+ "0.1.8",
+ "0.1.9",
+ "0.10.0",
+ "0.10.1",
+ "0.10.2",
+ "0.100.0",
+ "0.100.0b1",
+ "0.100.0b2",
+ "0.100.0b3",
+ "0.100.1",
+ "0.101.0",
+ "0.101.1",
+ "0.102.0",
+ "0.103.0",
+ "0.103.1",
+ "0.103.2",
+ "0.104.0",
+ "0.104.1",
+ "0.105.0",
+ "0.106.0",
+ "0.107.0",
+ "0.108.0",
+ "0.109.0",
+ "0.11.0",
+ "0.12.0",
+ "0.12.1",
+ "0.13.0",
+ "0.14.0",
+ "0.15.0",
+ "0.16.0",
+ "0.17.0",
+ "0.18.0",
+ "0.19.0",
+ "0.2.0",
+ "0.2.1",
+ "0.20.0",
+ "0.20.1",
+ "0.21.0",
+ "0.22.0",
+ "0.23.0",
+ "0.24.0",
+ "0.25.0",
+ "0.26.0",
+ "0.27.0",
+ "0.27.1",
+ "0.27.2",
+ "0.28.0",
+ "0.29.0",
+ "0.29.1",
+ "0.3.0",
+ "0.30.0",
+ "0.30.1",
+ "0.31.0",
+ "0.32.0",
+ "0.33.0",
+ "0.34.0",
+ "0.35.0",
+ "0.36.0",
+ "0.37.0",
+ "0.38.0",
+ "0.38.1",
+ "0.39.0",
+ "0.4.0",
+ "0.40.0",
+ "0.41.0",
+ "0.42.0",
+ "0.43.0",
+ "0.44.0",
+ "0.44.1",
+ "0.45.0",
+ "0.46.0",
+ "0.47.0",
+ "0.47.1",
+ "0.48.0",
+ "0.49.0",
+ "0.49.1",
+ "0.49.2",
+ "0.5.0",
+ "0.5.1",
+ "0.50.0",
+ "0.51.0",
+ "0.52.0",
+ "0.53.0",
+ "0.53.1",
+ "0.53.2",
+ "0.54.0",
+ "0.54.1",
+ "0.54.2",
+ "0.55.0",
+ "0.55.1",
+ "0.56.0",
+ "0.56.1",
+ "0.57.0",
+ "0.58.0",
+ "0.58.1",
+ "0.59.0",
+ "0.6.0",
+ "0.6.1",
+ "0.6.2",
+ "0.6.3",
+ "0.6.4",
+ "0.60.0",
+ "0.60.1",
+ "0.60.2",
+ "0.61.0",
+ "0.61.1",
+ "0.61.2",
+ "0.62.0",
+ "0.63.0",
+ "0.64.0",
+ "0.65.0",
+ "0.65.1",
+ "0.65.2",
+ "0.65.3",
+ "0.66.0",
+ "0.66.1",
+ "0.67.0",
+ "0.68.0",
+ "0.68.1",
+ "0.68.2",
+ "0.69.0",
+ "0.7.0",
+ "0.7.1",
+ "0.70.0",
+ "0.70.1",
+ "0.71.0",
+ "0.72.0",
+ "0.73.0",
+ "0.74.0",
+ "0.74.1",
+ "0.75.0",
+ "0.75.1",
+ "0.75.2",
+ "0.76.0",
+ "0.77.0",
+ "0.77.1",
+ "0.78.0",
+ "0.79.0",
+ "0.79.1",
+ "0.8.0",
+ "0.80.0",
+ "0.81.0",
+ "0.82.0",
+ "0.83.0",
+ "0.84.0",
+ "0.85.0",
+ "0.85.1",
+ "0.85.2",
+ "0.86.0",
+ "0.87.0",
+ "0.88.0",
+ "0.89.0",
+ "0.89.1",
+ "0.9.0",
+ "0.9.1",
+ "0.90.0",
+ "0.90.1",
+ "0.91.0",
+ "0.92.0",
+ "0.93.0",
+ "0.94.0",
+ "0.94.1",
+ "0.95.0",
+ "0.95.1",
+ "0.95.2",
+ "0.96.0",
+ "0.96.1",
+ "0.97.0",
+ "0.98.0",
+ "0.99.0",
+ "0.99.1"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.109.0",
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "starlette",
+ "purl": "pkg:pypi/starlette"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.36.2"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1.0",
+ "0.1.1",
+ "0.1.10",
+ "0.1.11",
+ "0.1.12",
+ "0.1.13",
+ "0.1.14",
+ "0.1.15",
+ "0.1.16",
+ "0.1.17",
+ "0.1.2",
+ "0.1.3",
+ "0.1.4",
+ "0.1.5",
+ "0.1.6",
+ "0.1.7",
+ "0.1.8",
+ "0.1.9",
+ "0.10.0",
+ "0.10.1",
+ "0.10.2",
+ "0.10.3",
+ "0.10.4",
+ "0.10.5",
+ "0.10.6",
+ "0.10.7",
+ "0.11.0",
+ "0.11.1",
+ "0.11.2",
+ "0.11.3",
+ "0.11.4",
+ "0.12.0",
+ "0.12.0b1",
+ "0.12.0b2",
+ "0.12.0b3",
+ "0.12.1",
+ "0.12.10",
+ "0.12.11",
+ "0.12.12",
+ "0.12.13",
+ "0.12.2",
+ "0.12.3",
+ "0.12.4",
+ "0.12.5",
+ "0.12.6",
+ "0.12.7",
+ "0.12.8",
+ "0.12.9",
+ "0.13.0",
+ "0.13.1",
+ "0.13.2",
+ "0.13.3",
+ "0.13.4",
+ "0.13.5",
+ "0.13.6",
+ "0.13.7",
+ "0.13.8",
+ "0.14.0",
+ "0.14.1",
+ "0.14.2",
+ "0.15.0",
+ "0.16.0",
+ "0.17.0",
+ "0.17.1",
+ "0.18.0",
+ "0.19.0",
+ "0.19.1",
+ "0.2.0",
+ "0.2.1",
+ "0.2.2",
+ "0.2.3",
+ "0.20.0",
+ "0.20.1",
+ "0.20.2",
+ "0.20.3",
+ "0.20.4",
+ "0.21.0",
+ "0.22.0",
+ "0.23.0",
+ "0.23.1",
+ "0.24.0",
+ "0.25.0",
+ "0.26.0",
+ "0.26.0.post1",
+ "0.26.1",
+ "0.27.0",
+ "0.28.0",
+ "0.29.0",
+ "0.3.0",
+ "0.3.1",
+ "0.3.2",
+ "0.3.3",
+ "0.3.4",
+ "0.3.5",
+ "0.3.6",
+ "0.3.7",
+ "0.30.0",
+ "0.31.0",
+ "0.31.1",
+ "0.32.0",
+ "0.32.0.post1",
+ "0.33.0",
+ "0.34.0",
+ "0.35.0",
+ "0.35.1",
+ "0.36.0",
+ "0.36.1",
+ "0.4.0",
+ "0.4.1",
+ "0.4.2",
+ "0.5.0",
+ "0.5.1",
+ "0.5.2",
+ "0.5.3",
+ "0.5.4",
+ "0.5.5",
+ "0.6.0",
+ "0.6.1",
+ "0.6.2",
+ "0.6.3",
+ "0.7.0",
+ "0.7.1",
+ "0.7.2",
+ "0.7.3",
+ "0.7.4",
+ "0.8.0",
+ "0.8.1",
+ "0.8.2",
+ "0.8.3",
+ "0.8.4",
+ "0.8.5",
+ "0.8.6",
+ "0.8.7",
+ "0.8.8",
+ "0.9.0",
+ "0.9.1",
+ "0.9.10",
+ "0.9.11",
+ "0.9.2",
+ "0.9.3",
+ "0.9.4",
+ "0.9.5",
+ "0.9.6",
+ "0.9.7",
+ "0.9.8",
+ "0.9.9"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.36.1",
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Kludex/python-multipart"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-02-12T17:28:12Z",
+ "nvd_published_at": null,
+ "severity": "HIGH"
+ }
+ },
+ {
+ "modified": "2024-02-17T06:26:40Z",
+ "published": "2024-02-05T15:15:00Z",
+ "schema_version": "1.6.0",
+ "id": "PYSEC-2024-38",
+ "aliases": [
+ "CVE-2024-24762",
+ "GHSA-2jv5-9r88-3w3p",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389"
+ ],
+ "details": "FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "fastapi",
+ "purl": "pkg:pypi/fastapi"
+ },
+ "ranges": [
+ {
+ "type": "GIT",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
+ }
+ ],
+ "repo": "https://github.com/tiangolo/fastapi"
+ },
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.109.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1.0",
+ "0.1.10",
+ "0.1.11",
+ "0.1.12",
+ "0.1.13",
+ "0.1.14",
+ "0.1.15",
+ "0.1.16",
+ "0.1.17",
+ "0.1.18",
+ "0.1.19",
+ "0.1.2",
+ "0.1.3",
+ "0.1.4",
+ "0.1.5",
+ "0.1.6",
+ "0.1.7",
+ "0.1.8",
+ "0.1.9",
+ "0.10.0",
+ "0.10.1",
+ "0.10.2",
+ "0.100.0",
+ "0.100.0b1",
+ "0.100.0b2",
+ "0.100.0b3",
+ "0.100.1",
+ "0.101.0",
+ "0.101.1",
+ "0.102.0",
+ "0.103.0",
+ "0.103.1",
+ "0.103.2",
+ "0.104.0",
+ "0.104.1",
+ "0.105.0",
+ "0.106.0",
+ "0.107.0",
+ "0.108.0",
+ "0.109.0",
+ "0.11.0",
+ "0.12.0",
+ "0.12.1",
+ "0.13.0",
+ "0.14.0",
+ "0.15.0",
+ "0.16.0",
+ "0.17.0",
+ "0.18.0",
+ "0.19.0",
+ "0.2.0",
+ "0.2.1",
+ "0.20.0",
+ "0.20.1",
+ "0.21.0",
+ "0.22.0",
+ "0.23.0",
+ "0.24.0",
+ "0.25.0",
+ "0.26.0",
+ "0.27.0",
+ "0.27.1",
+ "0.27.2",
+ "0.28.0",
+ "0.29.0",
+ "0.29.1",
+ "0.3.0",
+ "0.30.0",
+ "0.30.1",
+ "0.31.0",
+ "0.32.0",
+ "0.33.0",
+ "0.34.0",
+ "0.35.0",
+ "0.36.0",
+ "0.37.0",
+ "0.38.0",
+ "0.38.1",
+ "0.39.0",
+ "0.4.0",
+ "0.40.0",
+ "0.41.0",
+ "0.42.0",
+ "0.43.0",
+ "0.44.0",
+ "0.44.1",
+ "0.45.0",
+ "0.46.0",
+ "0.47.0",
+ "0.47.1",
+ "0.48.0",
+ "0.49.0",
+ "0.49.1",
+ "0.49.2",
+ "0.5.0",
+ "0.5.1",
+ "0.50.0",
+ "0.51.0",
+ "0.52.0",
+ "0.53.0",
+ "0.53.1",
+ "0.53.2",
+ "0.54.0",
+ "0.54.1",
+ "0.54.2",
+ "0.55.0",
+ "0.55.1",
+ "0.56.0",
+ "0.56.1",
+ "0.57.0",
+ "0.58.0",
+ "0.58.1",
+ "0.59.0",
+ "0.6.0",
+ "0.6.1",
+ "0.6.2",
+ "0.6.3",
+ "0.6.4",
+ "0.60.0",
+ "0.60.1",
+ "0.60.2",
+ "0.61.0",
+ "0.61.1",
+ "0.61.2",
+ "0.62.0",
+ "0.63.0",
+ "0.64.0",
+ "0.65.0",
+ "0.65.1",
+ "0.65.2",
+ "0.65.3",
+ "0.66.0",
+ "0.66.1",
+ "0.67.0",
+ "0.68.0",
+ "0.68.1",
+ "0.68.2",
+ "0.69.0",
+ "0.7.0",
+ "0.7.1",
+ "0.70.0",
+ "0.70.1",
+ "0.71.0",
+ "0.72.0",
+ "0.73.0",
+ "0.74.0",
+ "0.74.1",
+ "0.75.0",
+ "0.75.1",
+ "0.75.2",
+ "0.76.0",
+ "0.77.0",
+ "0.77.1",
+ "0.78.0",
+ "0.79.0",
+ "0.79.1",
+ "0.8.0",
+ "0.80.0",
+ "0.81.0",
+ "0.82.0",
+ "0.83.0",
+ "0.84.0",
+ "0.85.0",
+ "0.85.1",
+ "0.85.2",
+ "0.86.0",
+ "0.87.0",
+ "0.88.0",
+ "0.89.0",
+ "0.89.1",
+ "0.9.0",
+ "0.9.1",
+ "0.90.0",
+ "0.90.1",
+ "0.91.0",
+ "0.92.0",
+ "0.93.0",
+ "0.94.0",
+ "0.94.1",
+ "0.95.0",
+ "0.95.1",
+ "0.95.2",
+ "0.96.0",
+ "0.96.1",
+ "0.97.0",
+ "0.98.0",
+ "0.99.0",
+ "0.99.1"
+ ],
+ "database_specific": {
+ "source": "https://github.com/pypa/advisory-database/blob/main/vulns/fastapi/PYSEC-2024-38.yaml"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
+ }
+ ]
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-2jv5-9r88-3w3p",
+ "PYSEC-2024-38"
+ ],
+ "aliases": [
+ "CVE-2024-24762",
+ "GHSA-2jv5-9r88-3w3p",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389",
+ "PYSEC-2024-38"
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "name": "starlette",
+ "version": "0.35.1",
+ "ecosystem": "PyPI"
+ },
+ "dependency_groups": [
+ "theharvester-requirements"
+ ],
+ "vulnerabilities": [
+ {
+ "modified": "2024-02-17T06:26:40Z",
+ "published": "2024-02-12T17:28:12Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-2jv5-9r88-3w3p",
+ "aliases": [
+ "CVE-2024-24762",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389",
+ "PYSEC-2024-38"
],
- "summary": "FastAPI Content-Type Header ReDoS",
- "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\nThis is also reported to Starlette at: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\n\n### PoC\n\nCreate a FastAPI app that uses form data:\n\n```Python\n# main.py\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\nOriginal report to FastAPI
\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n ",
+ "summary": "python-multipart vulnerable to Content-Type Header ReDoS",
+ "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\nOriginal report to FastAPI
\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n ",
"affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "python-multipart",
+ "purl": "pkg:pypi/python-multipart"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.7"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.0.1",
+ "0.0.2",
+ "0.0.3",
+ "0.0.4",
+ "0.0.5",
+ "0.0.6"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.0.6",
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
+ }
+ },
{
"package": {
"ecosystem": "PyPI",
@@ -231,79 +1048,9 @@
],
"database_specific": {
"last_known_affected_version_range": "<= 0.109.0",
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qf9m-vfgh-m389/GHSA-qf9m-vfgh-m389.json"
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
}
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/tiangolo/fastapi"
},
- {
- "type": "WEB",
- "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-400"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2024-02-05T17:01:54Z",
- "nvd_published_at": "2024-02-05T15:15:09Z",
- "severity": "HIGH"
- }
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-qf9m-vfgh-m389"
- ],
- "aliases": [
- "CVE-2024-24762",
- "GHSA-qf9m-vfgh-m389"
- ]
- }
- ]
- },
- {
- "package": {
- "name": "starlette",
- "version": "0.35.1",
- "ecosystem": "PyPI"
- },
- "dependency_groups": [
- "theharvester-requirements"
- ],
- "vulnerabilities": [
- {
- "modified": "2024-02-05T17:18:11Z",
- "published": "2024-02-05T17:01:19Z",
- "schema_version": "1.6.0",
- "id": "GHSA-93gm-qmq6-w238",
- "summary": "Starlette Content-Type Header ReDoS",
- "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a Starlette app that uses form data. To reproduce it it's not even necessary to create a Starlette app, just using the `Request` is enough:\n\n```Python\n# main.py\nfrom starlette.requests import Request\nfrom starlette.responses import JSONResponse\n\n\nasync def app(scope, receive, send):\n assert scope[\"type\"] == \"http\"\n request = Request(scope, receive)\n data = await request.form()\n response_data = {}\n for key in data:\n print(key, data.getlist(key))\n response_data[key] = data.getlist(key)\n response = JSONResponse(response_data)\n await response(scope, receive, send)\n```\n\nThen start it with:\n\n```console\n$ uvicorn main:app\n\nINFO: Started server process [50601]\nINFO: Waiting for application startup.\nINFO: ASGI 'lifespan' protocol appears unsupported.\nINFO: Application startup complete.\nINFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/'\n```\n\n#### Stopping it\n\nBecause that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with `Ctrl+C` as it can't handle the signal.\n\nTo stop it, first check the process ID running Uvicorn:\n\n```console\n$ ps -fA | grep uvicorn\n\n 501 59461 24785 0 4:28PM ttys004 0:00.13 /Users/user/code/starlette/env3.10/bin/python /Users/user/code/starlette/env3.10/bin/uvicorn redos_starlette:app\n 501 59466 99935 0 4:28PM ttys010 0:00.00 grep uvicorn\n```\n\nIn this case, the process ID was `59461`, then you can kill it (forcefully, with `-9`) with:\n\n```console\n$ kill -9 59461\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\nOriginal report to FastAPI
\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n ",
- "affected": [
{
"package": {
"ecosystem": "PyPI",
@@ -473,7 +1220,7 @@
],
"database_specific": {
"last_known_affected_version_range": "<= 0.36.1",
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-93gm-qmq6-w238/GHSA-93gm-qmq6-w238.json"
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json"
}
}
],
@@ -484,21 +1231,49 @@
}
],
"references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
+ },
{
"type": "WEB",
"url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
+ },
{
"type": "WEB",
"url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
},
{
"type": "WEB",
- "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
+ "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
},
{
"type": "PACKAGE",
- "url": "https://github.com/encode/starlette"
+ "url": "https://github.com/Kludex/python-multipart"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
}
],
"database_specific": {
@@ -506,7 +1281,7 @@
"CWE-400"
],
"github_reviewed": true,
- "github_reviewed_at": "2024-02-05T17:01:19Z",
+ "github_reviewed_at": "2024-02-12T17:28:12Z",
"nvd_published_at": null,
"severity": "HIGH"
}
@@ -515,10 +1290,14 @@
"groups": [
{
"ids": [
- "GHSA-93gm-qmq6-w238"
+ "GHSA-2jv5-9r88-3w3p"
],
"aliases": [
- "GHSA-93gm-qmq6-w238"
+ "CVE-2024-24762",
+ "GHSA-2jv5-9r88-3w3p",
+ "GHSA-93gm-qmq6-w238",
+ "GHSA-qf9m-vfgh-m389",
+ "PYSEC-2024-38"
]
}
]
diff --git a/audits/torchvision-requirements.audit.json b/audits/torchvision-requirements.audit.json
index 90de9bc4..5439f2b3 100644
--- a/audits/torchvision-requirements.audit.json
+++ b/audits/torchvision-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2023-11-08T04:13:39Z",
+ "modified": "2024-02-16T08:10:31Z",
"published": "2023-10-17T20:15:25Z",
"schema_version": "1.6.0",
"id": "GHSA-g4mx-q9vg-27p4",
diff --git a/audits/trezor-agent-requirements.audit.json b/audits/trezor-agent-requirements.audit.json
index f05bd42e..b7ba61f1 100644
--- a/audits/trezor-agent-requirements.audit.json
+++ b/audits/trezor-agent-requirements.audit.json
@@ -10,7 +10,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-23T00:46:00Z",
+ "modified": "2024-02-16T08:13:36Z",
"published": "2024-01-22T21:35:27Z",
"schema_version": "1.6.0",
"id": "GHSA-wj6h-64fc-37mp",
@@ -139,7 +139,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
@@ -367,7 +367,7 @@
],
"vulnerabilities": [
{
- "modified": "2024-01-19T19:46:52Z",
+ "modified": "2024-02-16T08:21:19Z",
"published": "2024-01-05T06:30:19Z",
"schema_version": "1.6.0",
"id": "GHSA-j225-cvw7-qrx7",
diff --git a/requirements/alot-requirements.txt b/requirements/alot-requirements.txt
index c99f986d..335713c2 100644
--- a/requirements/alot-requirements.txt
+++ b/requirements/alot-requirements.txt
@@ -7,7 +7,10 @@ idna==3.4
incremental==22.10.0
mock==5.1.0
python-magic==0.4.27
+setuptools==69.1.0
+six==1.16.0
twisted==23.8.0
+typing-extensions==4.9.0
urwid==2.2.3
urwidtrees==1.0.3
zope-interface==6.1
diff --git a/requirements/awsume-requirements.txt b/requirements/awsume-requirements.txt
index d96db2b0..f710c0b0 100644
--- a/requirements/awsume-requirements.txt
+++ b/requirements/awsume-requirements.txt
@@ -3,6 +3,9 @@ botocore==1.34.14
colorama==0.4.6
jmespath==1.0.1
pluggy==1.3.0
+psutil==5.9.8
python-dateutil==2.8.2
+pyyaml==6.0.1
s3transfer==0.10.0
+six==1.16.0
urllib3==2.0.7
diff --git a/requirements/breezy-requirements.txt b/requirements/breezy-requirements.txt
index d9bf6637..c7d32b3d 100644
--- a/requirements/breezy-requirements.txt
+++ b/requirements/breezy-requirements.txt
@@ -3,4 +3,6 @@ dulwich==0.21.6
fastbencode==0.2
merge3==0.0.14
patiencediff==0.2.14
+pyyaml==6.0.1
+six==1.16.0
urllib3==2.0.7
diff --git a/requirements/cfn-flip-requirements.txt b/requirements/cfn-flip-requirements.txt
new file mode 100644
index 00000000..b1b4d7b0
--- /dev/null
+++ b/requirements/cfn-flip-requirements.txt
@@ -0,0 +1,4 @@
+click==8.1.7
+pyyaml==6.0.1
+setuptools==69.1.0
+six==1.16.0
diff --git a/requirements/cfn-lint-requirements.txt b/requirements/cfn-lint-requirements.txt
index bf1b9d6c..7836aeed 100644
--- a/requirements/cfn-lint-requirements.txt
+++ b/requirements/cfn-lint-requirements.txt
@@ -1,7 +1,7 @@
annotated-types==0.6.0
-aws-sam-translator==1.84.0
-boto3==1.34.39
-botocore==1.34.39
+aws-sam-translator==1.85.0
+boto3==1.34.43
+botocore==1.34.43
jmespath==1.0.1
jschema-to-python==1.2.3
jsonpatch==1.33
@@ -14,6 +14,6 @@ pydantic==2.6.1
pydantic-core==2.16.2
referencing==0.33.0
regex==2023.12.25
-rpds-py==0.17.1
+rpds-py==0.18.0
s3transfer==0.10.0
sarif-om==1.0.4
diff --git a/requirements/datasette-requirements.txt b/requirements/datasette-requirements.txt
index ad3e43db..02bc3db1 100644
--- a/requirements/datasette-requirements.txt
+++ b/requirements/datasette-requirements.txt
@@ -2,6 +2,7 @@ aiofiles==23.2.1
anyio==4.2.0
asgi-csrf==0.9
asgiref==3.7.2
+click==8.1.7
click-default-group==1.2.4
httpcore==1.0.2
httpx==0.26.0
@@ -10,9 +11,13 @@ idna==3.6
itsdangerous==2.1.2
janus==1.0.0
jinja2==3.1.3
+markupsafe==2.1.5
mergedeep==1.3.4
pint==0.23
pluggy==1.4.0
python-multipart==0.0.9
+pyyaml==6.0.1
setuptools==69.1.0
+six==1.16.0
sniffio==1.3.0
+typing-extensions==4.9.0
diff --git a/requirements/rawdog-requirements.txt b/requirements/rawdog-requirements.txt
new file mode 100644
index 00000000..27feabe4
--- /dev/null
+++ b/requirements/rawdog-requirements.txt
@@ -0,0 +1,38 @@
+aiohttp==3.9.3
+aiosignal==1.3.1
+annotated-types==0.6.0
+anyio==4.2.0
+attrs==23.2.0
+certifi==2024.2.2
+charset-normalizer==3.3.2
+click==8.1.7
+distro==1.9.0
+filelock==3.13.1
+frozenlist==1.4.1
+fsspec==2024.2.0
+h11==0.14.0
+httpcore==1.0.3
+httpx==0.26.0
+huggingface-hub==0.20.3
+idna==3.6
+importlib-metadata==7.0.1
+jinja2==3.1.3
+litellm==1.24.3
+markupsafe==2.1.5
+multidict==6.0.5
+openai==1.12.0
+packaging==23.2
+pydantic==2.6.1
+pydantic-core==2.16.2
+python-dotenv==1.0.1
+pyyaml==6.0.1
+regex==2023.12.25
+requests==2.31.0
+sniffio==1.3.0
+tiktoken==0.6.0
+tokenizers==0.15.2
+tqdm==4.66.2
+typing-extensions==4.9.0
+urllib3==2.2.0
+yarl==1.9.4
+zipp==3.17.0
diff --git a/requirements/streamlink-requirements.txt b/requirements/streamlink-requirements.txt
index 2667a2cc..8326568e 100644
--- a/requirements/streamlink-requirements.txt
+++ b/requirements/streamlink-requirements.txt
@@ -13,6 +13,6 @@ sniffio==1.3.0
sortedcontainers==2.4.0
trio==0.24.0
trio-websocket==0.11.1
-urllib3==2.1.0
+urllib3==2.2.0
websocket-client==1.7.0
wsproto==1.2.0
diff --git a/requirements/tmuxp-requirements.txt b/requirements/tmuxp-requirements.txt
index 6722431b..eb459394 100644
--- a/requirements/tmuxp-requirements.txt
+++ b/requirements/tmuxp-requirements.txt
@@ -1,2 +1,2 @@
colorama==0.4.6
-libtmux==0.28.1
+libtmux==0.30.1
diff --git a/requirements/tox-requirements.txt b/requirements/tox-requirements.txt
index 74fe55a7..465d2727 100644
--- a/requirements/tox-requirements.txt
+++ b/requirements/tox-requirements.txt
@@ -3,7 +3,7 @@ chardet==5.2.0
colorama==0.4.6
distlib==0.3.8
filelock==3.13.1
-platformdirs==4.1.0
-pluggy==1.3.0
+platformdirs==4.2.0
+pluggy==1.4.0
pyproject-api==1.6.1
virtualenv==20.25.0