From d41032f1a26417f3a06cc95a3d075ae3bf89f3e5 Mon Sep 17 00:00:00 2001 From: "github.actions" Date: Sun, 26 Nov 2023 08:08:23 +0000 Subject: [PATCH] Latest data: Sun Nov 26 08:08:23 UTC 2023 --- audits/buku-requirements.audit.json | 785 --------------------- audits/dxpy-requirements.audit.json | 321 --------- requirements/abi3audit-requirements.txt | 12 +- requirements/airshare-requirements.txt | 8 +- requirements/aws-sam-cli-requirements.txt | 59 +- requirements/buku-requirements.txt | 7 +- requirements/cookiecutter-requirements.txt | 6 - requirements/dxpy-requirements.txt | 6 - requirements/gallery-dl-requirements.txt | 4 - requirements/git-review-requirements.txt | 4 - requirements/goolabs-requirements.txt | 4 - requirements/instaloader-requirements.txt | 4 - requirements/ipython-requirements.txt | 5 +- requirements/jupyterlab-requirements.txt | 7 +- requirements/virtualenv-requirements.txt | 3 - requirements/waybackpy-requirements.txt | 4 - requirements/zabbix-cli-requirements.txt | 4 - 17 files changed, 19 insertions(+), 1224 deletions(-) delete mode 100644 audits/dxpy-requirements.audit.json delete mode 100644 requirements/dxpy-requirements.txt delete mode 100644 requirements/gallery-dl-requirements.txt delete mode 100644 requirements/git-review-requirements.txt delete mode 100644 requirements/goolabs-requirements.txt delete mode 100644 requirements/instaloader-requirements.txt delete mode 100644 requirements/virtualenv-requirements.txt delete mode 100644 requirements/waybackpy-requirements.txt delete mode 100644 requirements/zabbix-cli-requirements.txt diff --git a/audits/buku-requirements.audit.json b/audits/buku-requirements.audit.json index c98229ca..461e5818 100644 --- a/audits/buku-requirements.audit.json +++ b/audits/buku-requirements.audit.json @@ -1,789 +1,4 @@ [ - { - "package": { - "name": "urllib3", - "version": "2.0.3", - "ecosystem": "PyPI", - "commit": "" - }, - "vulnerabilities": [ - { - "modified": "2023-11-08T04:13:39Z", - "published": "2023-10-17T20:15:25Z", - "schema_version": "1.6.0", - "id": "GHSA-g4mx-q9vg-27p4", - "aliases": [ - "CVE-2023-45803", - "PYSEC-2023-212" - ], - "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET", - "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.7" - } - ] - } - ], - "versions": [ - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.18" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml" - }, - { - "type": "PACKAGE", - "url": "https://github.com/urllib3/urllib3" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" - }, - { - "type": "WEB", - "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-10-17T20:15:25Z", - "nvd_published_at": "2023-10-17T20:15:10Z", - "severity": "MODERATE" - } - }, - { - "modified": "2023-11-08T04:13:33Z", - "published": "2023-10-02T23:27:05Z", - "schema_version": "1.6.0", - "id": "GHSA-v845-jxx5-vc9f", - "aliases": [ - "CVE-2023-43804", - "PYSEC-2023-192" - ], - "summary": "`Cookie` HTTP header isn't stripped on cross-origin redirects", - "details": "urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.6" - } - ] - } - ], - "versions": [ - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.17" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml" - }, - { - "type": "PACKAGE", - "url": "https://github.com/urllib3/urllib3" - }, - { - "type": "WEB", - "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": "2023-10-04T17:15:10Z", - "severity": "MODERATE" - } - }, - { - "modified": "2023-11-08T04:13:33Z", - "published": "2023-10-04T17:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2023-192", - "aliases": [ - "CVE-2023-43804", - "GHSA-v845-jxx5-vc9f" - ], - "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "644124ecd0b6e417c527191f866daa05a5a2056d" - }, - { - "fixed": "01220354d389cd05474713f8c982d05c9b17aafb" - } - ], - "repo": "https://github.com/urllib3/urllib3" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.6" - }, - { - "introduced": "0" - }, - { - "fixed": "1.26.17" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d" - }, - { - "type": "ADVISORY", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f" - }, - { - "type": "FIX", - "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb" - }, - { - "type": "WEB", - "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" - } - ] - }, - { - "modified": "2023-11-08T04:13:39Z", - "published": "2023-10-17T20:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2023-212", - "aliases": [ - "CVE-2023-45803", - "GHSA-g4mx-q9vg-27p4" - ], - "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9" - } - ], - "repo": "https://github.com/urllib3/urllib3" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.7" - }, - { - "introduced": "0" - }, - { - "fixed": "1.26.18" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" - }, - { - "type": "WEB", - "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" - }, - { - "type": "FIX", - "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" - }, - { - "type": "ARTICLE", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" - } - ] - } - ], - "groups": [ - { - "ids": [ - "GHSA-g4mx-q9vg-27p4", - "PYSEC-2023-212" - ] - }, - { - "ids": [ - "GHSA-v845-jxx5-vc9f", - "PYSEC-2023-192" - ] - } - ] - }, { "package": { "name": "werkzeug", diff --git a/audits/dxpy-requirements.audit.json b/audits/dxpy-requirements.audit.json deleted file mode 100644 index a79f8061..00000000 --- a/audits/dxpy-requirements.audit.json +++ /dev/null @@ -1,321 +0,0 @@ -[ - { - "package": { - "name": "requests", - "version": "2.28.2", - "ecosystem": "PyPI", - "commit": "" - }, - "vulnerabilities": [ - { - "modified": "2023-11-11T05:29:19Z", - "published": "2023-05-22T20:36:32Z", - "schema_version": "1.6.0", - "id": "GHSA-j8r2-6x86-q33q", - "aliases": [ - "CVE-2023-32681", - "PYSEC-2023-74" - ], - "summary": "Unintended leak of Proxy-Authorization header in requests", - "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP \u2192 HTTPS: **leak**\n2. HTTPS \u2192 HTTP: **no leak**\n3. HTTPS \u2192 HTTPS: **leak**\n4. HTTP \u2192 HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "requests", - "purl": "pkg:pypi/requests" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.3.0" - }, - { - "fixed": "2.31.0" - } - ] - } - ], - "versions": [ - "2.10.0", - "2.11.0", - "2.11.1", - "2.12.0", - "2.12.1", - "2.12.2", - "2.12.3", - "2.12.4", - "2.12.5", - "2.13.0", - "2.14.0", - "2.14.1", - "2.14.2", - "2.15.0", - "2.15.1", - "2.16.0", - "2.16.1", - "2.16.2", - "2.16.3", - "2.16.4", - "2.16.5", - "2.17.0", - "2.17.1", - "2.17.2", - "2.17.3", - "2.18.0", - "2.18.1", - "2.18.2", - "2.18.3", - "2.18.4", - "2.19.0", - "2.19.1", - "2.20.0", - "2.20.1", - "2.21.0", - "2.22.0", - "2.23.0", - "2.24.0", - "2.25.0", - "2.25.1", - "2.26.0", - "2.27.0", - "2.27.1", - "2.28.0", - "2.28.1", - "2.28.2", - "2.29.0", - "2.3.0", - "2.30.0", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", - "2.5.0", - "2.5.1", - "2.5.2", - "2.5.3", - "2.6.0", - "2.6.1", - "2.6.2", - "2.7.0", - "2.8.0", - "2.8.1", - "2.9.0", - "2.9.1", - "2.9.2" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json" - }, - "ecosystem_specific": { - "affected_functions": [ - "requests.sessions.SessionRedirectMixin.rebuild_proxies" - ] - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" - }, - { - "type": "PACKAGE", - "url": "https://github.com/psf/requests" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/releases/tag/v2.31.0" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml" - }, - { - "type": "WEB", - "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/" - }, - { - "type": "WEB", - "url": "https://security.gentoo.org/glsa/202309-08" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-05-22T20:36:32Z", - "nvd_published_at": "2023-05-26T18:15:14Z", - "severity": "MODERATE" - } - }, - { - "modified": "2023-11-08T04:12:35Z", - "published": "2023-05-26T18:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2023-74", - "aliases": [ - "CVE-2023-32681", - "GHSA-j8r2-6x86-q33q" - ], - "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "requests", - "purl": "pkg:pypi/requests" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" - } - ], - "repo": "https://github.com/psf/requests" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.3.0" - }, - { - "fixed": "2.31.0" - } - ] - } - ], - "versions": [ - "2.10.0", - "2.11.0", - "2.11.1", - "2.12.0", - "2.12.1", - "2.12.2", - "2.12.3", - "2.12.4", - "2.12.5", - "2.13.0", - "2.14.0", - "2.14.1", - "2.14.2", - "2.15.0", - "2.15.1", - "2.16.0", - "2.16.1", - "2.16.2", - "2.16.3", - "2.16.4", - "2.16.5", - "2.17.0", - "2.17.1", - "2.17.2", - "2.17.3", - "2.18.0", - "2.18.1", - "2.18.2", - "2.18.3", - "2.18.4", - "2.19.0", - "2.19.1", - "2.20.0", - "2.20.1", - "2.21.0", - "2.22.0", - "2.23.0", - "2.24.0", - "2.25.0", - "2.25.1", - "2.26.0", - "2.27.0", - "2.27.1", - "2.28.0", - "2.28.1", - "2.28.2", - "2.29.0", - "2.3.0", - "2.30.0", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", - "2.5.0", - "2.5.1", - "2.5.2", - "2.5.3", - "2.6.0", - "2.6.1", - "2.6.2", - "2.7.0", - "2.8.0", - "2.8.1", - "2.9.0", - "2.9.1", - "2.9.2" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml" - } - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/releases/tag/v2.31.0" - }, - { - "type": "FIX", - "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" - } - ] - } - ], - "groups": [ - { - "ids": [ - "GHSA-j8r2-6x86-q33q", - "PYSEC-2023-74" - ] - } - ] - } -] \ No newline at end of file diff --git a/requirements/abi3audit-requirements.txt b/requirements/abi3audit-requirements.txt index e15a54c0..735b0113 100644 --- a/requirements/abi3audit-requirements.txt +++ b/requirements/abi3audit-requirements.txt @@ -1,16 +1,8 @@ abi3info==2023.10.22 attrs==23.1.0 -cattrs==23.1.2 -charset-normalizer==3.3.1 -idna==3.4 +cattrs==23.2.2 kaitaistruct==0.10 -markdown-it-py==3.0.0 -mdurl==0.1.2 pefile==2023.2.7 -platformdirs==3.11.0 pyelftools==0.30 -requests==2.31.0 -requests-cache==1.1.0 -rich==13.6.0 +requests-cache==1.1.1 url-normalize==1.4.3 -urllib3==2.0.7 diff --git a/requirements/airshare-requirements.txt b/requirements/airshare-requirements.txt index d9627b96..e0618724 100644 --- a/requirements/airshare-requirements.txt +++ b/requirements/airshare-requirements.txt @@ -2,18 +2,14 @@ aiohttp==3.9.0 aiosignal==1.3.1 asyncio==3.4.3 attrs==23.1.0 -charset-normalizer==3.3.2 colorama==0.4.6 frozenlist==1.4.0 -humanize==4.8.0 -idna==3.4 +humanize==4.9.0 ifaddr==0.2.0 multidict==6.0.4 pyperclip==1.8.2 -requests==2.31.0 requests-toolbelt==1.0.0 termcolor==2.3.0 tqdm==4.66.1 -urllib3==2.1.0 -yarl==1.9.2 +yarl==1.9.3 zeroconf==0.127.0 diff --git a/requirements/aws-sam-cli-requirements.txt b/requirements/aws-sam-cli-requirements.txt index 2132d88b..593e625f 100644 --- a/requirements/aws-sam-cli-requirements.txt +++ b/requirements/aws-sam-cli-requirements.txt @@ -1,76 +1,33 @@ -annotated-types==0.6.0 -arrow==1.3.0 -attrs==23.1.0 aws-lambda-builders==1.42.0 -aws-sam-translator==1.80.0 -binaryornot==0.4.4 blinker==1.7.0 -boto3==1.29.2 boto3-stubs==1.29.0 -botocore==1.32.2 -botocore-stubs==1.32.2 -cfn-lint==0.83.3 -chardet==5.2.0 -charset-normalizer==3.3.2 +botocore-stubs==1.32.6 chevron==0.14.0 -click==8.1.7 -cookiecutter==2.4.0 -dateparser==1.1.8 +dateparser==1.2.0 docker==6.1.3 flask==3.0.0 -idna==3.4 itsdangerous==2.1.2 -jinja2==3.1.2 -jmespath==1.0.1 -jschema-to-python==1.2.3 -jsonpatch==1.33 -jsonpickle==3.0.2 -jsonpointer==2.4 -jsonschema==4.19.2 -jsonschema-specifications==2023.11.1 -junit-xml==1.9 -markdown-it-py==3.0.0 -markupsafe==2.1.3 -mdurl==0.1.2 -mpmath==1.3.0 mypy-boto3-apigateway==1.29.0 -mypy-boto3-cloudformation==1.29.0 -mypy-boto3-ecr==1.29.0 +mypy-boto3-cloudformation==1.29.3 +mypy-boto3-ecr==1.29.3 mypy-boto3-iam==1.29.0 -mypy-boto3-kinesis==1.29.0 +mypy-boto3-kinesis==1.29.6 mypy-boto3-lambda==1.29.2 -mypy-boto3-s3==1.29.0 +mypy-boto3-s3==1.29.5 mypy-boto3-schemas==1.29.0 mypy-boto3-secretsmanager==1.29.0 mypy-boto3-signer==1.29.0 mypy-boto3-sqs==1.29.0 mypy-boto3-stepfunctions==1.29.0 -mypy-boto3-sts==1.29.0 +mypy-boto3-sts==1.29.3 mypy-boto3-xray==1.29.0 -networkx==3.2.1 -pbr==6.0.0 -pydantic==2.5.1 -pydantic-core==2.14.3 pyopenssl==23.3.0 -python-dateutil==2.8.2 -python-slugify==8.0.1 -referencing==0.31.0 -regex==2023.10.3 -requests==2.31.0 -rich==13.6.0 -rpds-py==0.13.0 ruamel-yaml==0.18.5 ruamel-yaml-clib==0.2.8 -s3transfer==0.7.0 -sarif-om==1.0.4 -sympy==1.12 -text-unidecode==1.3 tomlkit==0.12.2 -types-awscrt==0.19.12 -types-python-dateutil==2.8.19.14 +types-awscrt==0.19.13 types-s3transfer==0.7.0 tzlocal==5.2 -urllib3==2.0.7 watchdog==3.0.0 websocket-client==1.6.4 werkzeug==3.0.1 diff --git a/requirements/buku-requirements.txt b/requirements/buku-requirements.txt index e05863c3..c020fa6d 100644 --- a/requirements/buku-requirements.txt +++ b/requirements/buku-requirements.txt @@ -1,7 +1,6 @@ arrow==1.2.3 beautifulsoup4==4.12.2 -click==8.1.3 -dominate==2.8.0 +dominate==2.9.0 Flask==2.2.5 Flask-Admin==1.6.1 Flask-API==3.1 @@ -10,11 +9,7 @@ flask-paginate==2022.1.8 Flask-WTF==1.1.1 html5lib==1.1 itsdangerous==2.1.2 -Jinja2==3.1.2 -MarkupSafe==2.1.3 -python-dateutil==2.8.2 soupsieve==2.4.1 -urllib3==2.0.3 visitor==0.1.3 webencodings==0.5.1 Werkzeug==2.3.6 diff --git a/requirements/cookiecutter-requirements.txt b/requirements/cookiecutter-requirements.txt index dba6497e..4998fd51 100644 --- a/requirements/cookiecutter-requirements.txt +++ b/requirements/cookiecutter-requirements.txt @@ -1,15 +1,9 @@ arrow==1.3.0 binaryornot==0.4.4 chardet==5.2.0 -charset-normalizer==3.3.2 -idna==3.4 -jinja2==3.1.2 markdown-it-py==3.0.0 mdurl==0.1.2 -python-dateutil==2.8.2 python-slugify==8.0.1 -requests==2.31.0 rich==13.7.0 text-unidecode==1.3 types-python-dateutil==2.8.19.14 -urllib3==2.1.0 diff --git a/requirements/dxpy-requirements.txt b/requirements/dxpy-requirements.txt deleted file mode 100644 index 07e97d34..00000000 --- a/requirements/dxpy-requirements.txt +++ /dev/null @@ -1,6 +0,0 @@ -charset-normalizer==3.3.2 -idna==3.4 -python-dateutil==2.8.2 -requests==2.28.2 -urllib3==1.26.18 -websocket-client==0.54.0 diff --git a/requirements/gallery-dl-requirements.txt b/requirements/gallery-dl-requirements.txt deleted file mode 100644 index cf7f16b3..00000000 --- a/requirements/gallery-dl-requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -charset-normalizer==3.3.2 -idna==3.4 -requests==2.31.0 -urllib3==2.0.7 diff --git a/requirements/git-review-requirements.txt b/requirements/git-review-requirements.txt deleted file mode 100644 index dfd8475a..00000000 --- a/requirements/git-review-requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -charset-normalizer==3.3.0 -idna==3.4 -requests==2.31.0 -urllib3==2.0.7 diff --git a/requirements/goolabs-requirements.txt b/requirements/goolabs-requirements.txt deleted file mode 100644 index dfd8475a..00000000 --- a/requirements/goolabs-requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -charset-normalizer==3.3.0 -idna==3.4 -requests==2.31.0 -urllib3==2.0.7 diff --git a/requirements/instaloader-requirements.txt b/requirements/instaloader-requirements.txt deleted file mode 100644 index 6f7e284c..00000000 --- a/requirements/instaloader-requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -charset-normalizer==3.3.2 -idna==3.4 -requests==2.31.0 -urllib3==2.1.0 diff --git a/requirements/ipython-requirements.txt b/requirements/ipython-requirements.txt index 6e2e3fc5..e7bb80b5 100644 --- a/requirements/ipython-requirements.txt +++ b/requirements/ipython-requirements.txt @@ -1,4 +1,3 @@ -appnope==0.1.3 asttokens==2.4.1 decorator==5.1.1 executing==2.0.1 @@ -6,9 +5,9 @@ jedi==0.19.1 matplotlib-inline==0.1.6 parso==0.8.3 pexpect==4.8.0 -prompt-toolkit==3.0.39 +prompt-toolkit==3.0.41 ptyprocess==0.7.0 pure-eval==0.2.2 stack-data==0.6.3 traitlets==5.13.0 -wcwidth==0.2.9 +wcwidth==0.2.12 diff --git a/requirements/jupyterlab-requirements.txt b/requirements/jupyterlab-requirements.txt index c72f1c95..f3106766 100644 --- a/requirements/jupyterlab-requirements.txt +++ b/requirements/jupyterlab-requirements.txt @@ -1,4 +1,5 @@ -anyio==4.0.0 +anyio==4.1.0 +appnope==0.1.3 argon2-cffi==23.1.0 argon2-cffi-bindings==21.2.0 arrow==1.3.0 @@ -37,13 +38,13 @@ notebook-shim==0.2.3 overrides==7.4.0 pandocfilters==1.5.0 platformdirs==4.0.0 -prometheus-client==0.18.0 +prometheus-client==0.19.0 python-json-logger==2.0.7 pyzmq==25.1.1 referencing==0.31.0 rfc3339-validator==0.1.4 rfc3986-validator==0.1.1 -rpds-py==0.13.0 +rpds-py==0.13.1 send2trash==1.8.2 sniffio==1.3.0 soupsieve==2.5 diff --git a/requirements/virtualenv-requirements.txt b/requirements/virtualenv-requirements.txt deleted file mode 100644 index 2f9fc2da..00000000 --- a/requirements/virtualenv-requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -distlib==0.3.7 -filelock==3.13.1 -platformdirs==4.0.0 diff --git a/requirements/waybackpy-requirements.txt b/requirements/waybackpy-requirements.txt deleted file mode 100644 index dfd8475a..00000000 --- a/requirements/waybackpy-requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -charset-normalizer==3.3.0 -idna==3.4 -requests==2.31.0 -urllib3==2.0.7 diff --git a/requirements/zabbix-cli-requirements.txt b/requirements/zabbix-cli-requirements.txt deleted file mode 100644 index dfd8475a..00000000 --- a/requirements/zabbix-cli-requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -charset-normalizer==3.3.0 -idna==3.4 -requests==2.31.0 -urllib3==2.0.7