diff --git a/audits/airshare-requirements.audit.json b/audits/airshare-requirements.audit.json deleted file mode 100644 index 003ca9f1..00000000 --- a/audits/airshare-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "airshare-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/black-requirements.audit.json b/audits/black-requirements.audit.json deleted file mode 100644 index f81f82c8..00000000 --- a/audits/black-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.10.0", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "black-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/bzt-requirements.audit.json b/audits/bzt-requirements.audit.json index 0677adea..b89a2b47 100644 --- a/audits/bzt-requirements.audit.json +++ b/audits/bzt-requirements.audit.json @@ -1,338 +1,4 @@ [ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "bzt-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - }, { "package": { "name": "urllib3", diff --git a/audits/checkov-requirements.audit.json b/audits/checkov-requirements.audit.json index b551e758..12aa4120 100644 --- a/audits/checkov-requirements.audit.json +++ b/audits/checkov-requirements.audit.json @@ -1,338 +1,4 @@ [ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "checkov-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - }, { "package": { "name": "urllib3", diff --git a/audits/codelimit-requirements.audit.json b/audits/codelimit-requirements.audit.json deleted file mode 100644 index 8ca90245..00000000 --- a/audits/codelimit-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.10.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "codelimit-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/dnstwist-requirements.audit.json b/audits/dnstwist-requirements.audit.json deleted file mode 100644 index a85ae0d9..00000000 --- a/audits/dnstwist-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "dnstwist-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/dstack-requirements.audit.json b/audits/dstack-requirements.audit.json deleted file mode 100644 index 24ed826d..00000000 --- a/audits/dstack-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.10.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "dstack-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/gimme-aws-creds-requirements.audit.json b/audits/gimme-aws-creds-requirements.audit.json deleted file mode 100644 index 914642f3..00000000 --- a/audits/gimme-aws-creds-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "gimme-aws-creds-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/homeassistant-cli-requirements.audit.json b/audits/homeassistant-cli-requirements.audit.json deleted file mode 100644 index bf993ffa..00000000 --- a/audits/homeassistant-cli-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "homeassistant-cli-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/parsedmarc-requirements.audit.json b/audits/parsedmarc-requirements.audit.json deleted file mode 100644 index 0b266d24..00000000 --- a/audits/parsedmarc-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.10.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "parsedmarc-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/pferd-requirements.audit.json b/audits/pferd-requirements.audit.json deleted file mode 100644 index 552a2b89..00000000 --- a/audits/pferd-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "pferd-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/rawdog-requirements.audit.json b/audits/rawdog-requirements.audit.json deleted file mode 100644 index 7b3401ad..00000000 --- a/audits/rawdog-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "rawdog-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/slither-analyzer-requirements.audit.json b/audits/slither-analyzer-requirements.audit.json deleted file mode 100644 index 7cfb1849..00000000 --- a/audits/slither-analyzer-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "slither-analyzer-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/tmt-requirements.audit.json b/audits/tmt-requirements.audit.json new file mode 100644 index 00000000..5288a708 --- /dev/null +++ b/audits/tmt-requirements.audit.json @@ -0,0 +1,2211 @@ +[ + { + "package": { + "name": "idna", + "version": "3.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "tmt-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-07-11T18:46:06Z", + "published": "2024-04-11T21:32:40Z", + "schema_version": "1.6.0", + "id": "GHSA-jjg7-2v4v-x38h", + "aliases": [ + "CVE-2024-3651", + "PYSEC-2024-60" + ], + "related": [ + "CGA-4vmg-xwqh-6xfw", + "CGA-4w25-8r45-gxwf", + "CGA-6445-8x27-cghw", + "CGA-7cvw-824f-57qj", + "CGA-7xfm-q24p-px8c", + "CGA-85gv-65g3-483h", + "CGA-9fj4-pj3g-gm6q", + "CGA-ccwr-5f2w-9q24", + "CGA-fgmr-v3f3-pxpw", + "CGA-hph5-hcwv-q9mm", + "CGA-mcgj-mc29-crgj", + "CGA-mq4p-ggpx-5vxw", + "CGA-q4wf-4rwg-334h", + "CGA-rmvf-7794-q3gg", + "CGA-v584-967x-qgpm", + "CGA-v6qx-945c-jj8w", + "CGA-xpcj-g2x8-wcc9" + ], + "summary": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode", + "details": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "idna", + "purl": "pkg:pypi/idna" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.7" + } + ] + } + ], + "versions": [ + "0.1", + "0.2", + "0.3", + "0.4", + "0.5", + "0.6", + "0.7", + "0.8", + "0.9", + "1.0", + "1.1", + "2.0", + "2.1", + "2.10", + "2.2", + "2.3", + "2.4", + "2.5", + "2.6", + "2.7", + "2.8", + "2.9", + "3.0", + "3.1", + "3.2", + "3.3", + "3.4", + "3.5", + "3.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-jjg7-2v4v-x38h/GHSA-jjg7-2v4v-x38h.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651" + }, + { + "type": "WEB", + "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" + }, + { + "type": "PACKAGE", + "url": "https://github.com/kjd/idna" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-04-11T21:32:40Z", + "nvd_published_at": "2024-07-07T18:15:09Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-07-11T17:42:33Z", + "published": "2024-07-07T18:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-60", + "aliases": [ + "CVE-2024-3651", + "GHSA-jjg7-2v4v-x38h" + ], + "details": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "idna", + "purl": "pkg:pypi/idna" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" + } + ], + "repo": "https://github.com/kjd/idna" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.1" + }, + { + "fixed": "3.7" + } + ] + } + ], + "versions": [ + "0.1", + "0.2", + "0.3", + "0.4", + "0.5", + "0.6", + "0.7", + "0.8", + "0.9", + "1.0", + "1.1", + "2.0", + "2.1", + "2.10", + "2.2", + "2.3", + "2.4", + "2.5", + "2.6", + "2.7", + "2.8", + "2.9", + "3.0", + "3.1", + "3.2", + "3.3", + "3.4", + "3.5", + "3.6" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/idna/PYSEC-2024-60.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "FIX", + "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" + }, + { + "type": "FIX", + "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-jjg7-2v4v-x38h", + "PYSEC-2024-60" + ], + "aliases": [ + "CVE-2024-3651", + "GHSA-jjg7-2v4v-x38h", + "PYSEC-2024-60" + ], + "max_severity": "7.5" + } + ] + }, + { + "package": { + "name": "jinja2", + "version": "3.1.2", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "tmt-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-16T08:18:43Z", + "published": "2024-01-11T15:20:48Z", + "schema_version": "1.6.0", + "id": "GHSA-h5c8-rqwp-cp95", + "aliases": [ + "CVE-2024-22195" + ], + "related": [ + "CGA-f27q-c9f6-2v7h", + "CGA-hgvf-wwm9-3343" + ], + "summary": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", + "details": "The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2", + "purl": "pkg:pypi/jinja2" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.3" + } + ] + } + ], + "versions": [ + "2.0", + "2.0rc1", + "2.1", + "2.1.1", + "2.10", + "2.10.1", + "2.10.2", + "2.10.3", + "2.11.0", + "2.11.1", + "2.11.2", + "2.11.3", + "2.2", + "2.2.1", + "2.3", + "2.3.1", + "2.4", + "2.4.1", + "2.5", + "2.5.1", + "2.5.2", + "2.5.3", + "2.5.4", + "2.5.5", + "2.6", + "2.7", + "2.7.1", + "2.7.2", + "2.7.3", + "2.8", + "2.8.1", + "2.9", + "2.9.1", + "2.9.2", + "2.9.3", + "2.9.4", + "2.9.5", + "2.9.6", + "3.0.0", + "3.0.0a1", + "3.0.0rc1", + "3.0.0rc2", + "3.0.1", + "3.0.2", + "3.0.3", + "3.1.0", + "3.1.1", + "3.1.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h5c8-rqwp-cp95/GHSA-h5c8-rqwp-cp95.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/jinja" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/releases/tag/3.1.3" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-01-11T15:20:48Z", + "nvd_published_at": "2024-01-11T03:15:11Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-06-10T19:01:19Z", + "published": "2024-05-06T14:20:59Z", + "schema_version": "1.6.0", + "id": "GHSA-h75v-3vvj-5mfj", + "aliases": [ + "CVE-2024-34064" + ], + "related": [ + "CGA-3h69-x6cf-g5c9", + "CGA-8hp4-mxq9-cfjp", + "CGA-j4qq-j23r-522f", + "CGA-ph4r-hmw2-vp9r", + "CGA-rwrm-vm7r-mrmj", + "CGA-w4rq-c3cf-82f3", + "CGA-x9j2-vg55-h4p4" + ], + "summary": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", + "details": "The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.\n\nAccepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2", + "purl": "pkg:pypi/jinja2" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.4" + } + ] + } + ], + "versions": [ + "2.0", + "2.0rc1", + "2.1", + "2.1.1", + "2.10", + "2.10.1", + "2.10.2", + "2.10.3", + "2.11.0", + "2.11.1", + "2.11.2", + "2.11.3", + "2.2", + "2.2.1", + "2.3", + "2.3.1", + "2.4", + "2.4.1", + "2.5", + "2.5.1", + "2.5.2", + "2.5.3", + "2.5.4", + "2.5.5", + "2.6", + "2.7", + "2.7.1", + "2.7.2", + "2.7.3", + "2.8", + "2.8.1", + "2.9", + "2.9.1", + "2.9.2", + "2.9.3", + "2.9.4", + "2.9.5", + "2.9.6", + "3.0.0", + "3.0.0a1", + "3.0.0rc1", + "3.0.0rc2", + "3.0.1", + "3.0.2", + "3.0.3", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-h75v-3vvj-5mfj/GHSA-h75v-3vvj-5mfj.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/jinja" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-05-06T14:20:59Z", + "nvd_published_at": "2024-05-06T15:15:23Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-h5c8-rqwp-cp95" + ], + "aliases": [ + "CVE-2024-22195", + "GHSA-h5c8-rqwp-cp95" + ], + "max_severity": "5.4" + }, + { + "ids": [ + "GHSA-h75v-3vvj-5mfj" + ], + "aliases": [ + "CVE-2024-34064", + "GHSA-h75v-3vvj-5mfj" + ], + "max_severity": "5.4" + } + ] + }, + { + "package": { + "name": "requests", + "version": "2.28.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "tmt-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-07-15T22:12:27Z", + "published": "2024-05-20T20:15:00Z", + "schema_version": "1.6.0", + "id": "GHSA-9wx4-h78v-vm56", + "aliases": [ + "CVE-2024-35195" + ], + "related": [ + "CGA-2qh2-jp77-wp2x", + "CGA-32qh-xq5g-9xq4", + "CGA-432x-3phh-56c7", + "CGA-4354-v6cq-3f5f", + "CGA-4xx2-v3vc-q5x8", + "CGA-6rf6-59qq-87jc", + "CGA-6v4c-f9mw-8ghc", + "CGA-74xp-46xv-7q3v", + "CGA-77h5-pgh2-r2fg", + "CGA-8mx8-8v5r-99xg", + "CGA-hf9v-fwg4-2jvw", + "CGA-hhrg-5mf5-r2p5", + "CGA-jcgc-jpw2-xpqq", + "CGA-p79x-5pxg-f77m", + "CGA-rrq3-6489-25cv", + "CGA-v263-vf6g-w8hh", + "CGA-v542-whj6-7mj4", + "CGA-whqq-jwxh-vf92", + "CGA-x395-8f45-7j43" + ], + "summary": "Requests `Session` object does not verify requests after making first request with verify=False", + "details": "When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.\n\n### Remediation\nAny of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.\n\n* Upgrade to `requests>=2.32.0`.\n* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.\n* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.\n\n### Related Links\n* https://github.com/psf/requests/pull/6655", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.32.0" + } + ] + } + ], + "versions": [ + "0.0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.10.6", + "0.10.7", + "0.10.8", + "0.11.1", + "0.11.2", + "0.12.0", + "0.12.01", + "0.12.1", + "0.13.0", + "0.13.1", + "0.13.2", + "0.13.3", + "0.13.4", + "0.13.5", + "0.13.6", + "0.13.7", + "0.13.8", + "0.13.9", + "0.14.0", + "0.14.1", + "0.14.2", + "0.2.0", + "0.2.1", + "0.2.2", + "0.2.3", + "0.2.4", + "0.3.0", + "0.3.1", + "0.3.2", + "0.3.3", + "0.3.4", + "0.4.0", + "0.4.1", + "0.5.0", + "0.5.1", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.6.6", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.7.4", + "0.7.5", + "0.7.6", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.8.5", + "0.8.6", + "0.8.7", + "0.8.8", + "0.8.9", + "0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.4", + "1.1.0", + "1.2.0", + "1.2.1", + "1.2.2", + "1.2.3", + "2.0.0", + "2.0.1", + "2.1.0", + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.2.0", + "2.2.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.31.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + "2.9.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/pull/6655" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac" + }, + { + "type": "PACKAGE", + "url": "https://github.com/psf/requests" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-670" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-05-20T20:15:00Z", + "nvd_published_at": "2024-05-20T21:15:09Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-03-12T17:19:15Z", + "published": "2023-05-22T20:36:32Z", + "schema_version": "1.6.0", + "id": "GHSA-j8r2-6x86-q33q", + "aliases": [ + "CVE-2023-32681", + "PYSEC-2023-74" + ], + "related": [ + "CGA-jw5m-ghm3-2mhw" + ], + "summary": "Unintended leak of Proxy-Authorization header in requests", + "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP \u2192 HTTPS: **leak**\n2. HTTPS \u2192 HTTP: **no leak**\n3. HTTPS \u2192 HTTPS: **leak**\n4. HTTP \u2192 HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.31.0" + } + ] + } + ], + "versions": [ + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + "2.9.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "requests.sessions.SessionRedirectMixin.rebuild_proxies" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "type": "PACKAGE", + "url": "https://github.com/psf/requests" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202309-08" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-05-22T20:36:32Z", + "nvd_published_at": "2023-05-26T18:15:14Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-11-08T04:12:35Z", + "published": "2023-05-26T18:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-74", + "aliases": [ + "CVE-2023-32681", + "GHSA-j8r2-6x86-q33q" + ], + "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + } + ], + "repo": "https://github.com/psf/requests" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.31.0" + } + ] + } + ], + "versions": [ + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + "2.9.2" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "type": "FIX", + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-9wx4-h78v-vm56" + ], + "aliases": [ + "CVE-2024-35195", + "GHSA-9wx4-h78v-vm56" + ], + "max_severity": "5.6" + }, + { + "ids": [ + "GHSA-j8r2-6x86-q33q", + "PYSEC-2023-74" + ], + "aliases": [ + "CVE-2023-32681", + "GHSA-j8r2-6x86-q33q", + "PYSEC-2023-74" + ], + "max_severity": "6.1" + } + ] + }, + { + "package": { + "name": "urllib3", + "version": "1.26.14", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "tmt-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-07-15T22:12:28Z", + "published": "2024-06-17T21:37:20Z", + "schema_version": "1.6.0", + "id": "GHSA-34jh-p97f-mpxf", + "aliases": [ + "CVE-2024-37891" + ], + "related": [ + "CGA-2vvm-h2g8-jrwc", + "CGA-32mf-hm7c-cqmg", + "CGA-37xg-qrch-w8h8", + "CGA-3ggr-w55x-hf5j", + "CGA-5v3j-934q-gj4m", + "CGA-64rf-gm8h-pg8g", + "CGA-69g4-mv22-46cq", + "CGA-8f64-fgpv-jxj2", + "CGA-8hq8-2689-rc8h", + "CGA-grjq-jh3q-2p7g", + "CGA-gwpm-7fhq-3wh2", + "CGA-h28r-8q2c-xq96", + "CGA-j235-35vq-wrm8", + "CGA-jqq5-p5w5-hr5j", + "CGA-m9q6-p3c8-wp58", + "CGA-mrr8-97mj-749q", + "CGA-rqhm-766h-p289", + "CGA-vgvj-86h2-mvw3", + "CGA-w3h9-h7jv-6q22" + ], + "summary": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", + "details": "When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.\n\nHowever, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.\n\nBecause this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident.\n\nUsers should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\n* Not disabling HTTP redirects.\n* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.\n\n## Remediation\n\n* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Proxy-Authorization` header.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.19" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.17", + "1.26.18", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.2.2" + } + ] + } + ], + "versions": [ + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/urllib3/urllib3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-669" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-06-17T21:37:20Z", + "nvd_published_at": "2024-06-17T20:15:13Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-21T05:25:29Z", + "published": "2023-10-17T20:15:25Z", + "schema_version": "1.6.0", + "id": "GHSA-g4mx-q9vg-27p4", + "aliases": [ + "CVE-2023-45803", + "PYSEC-2023-212" + ], + "related": [ + "CGA-2mh2-vjwv-24h5", + "CGA-9mxq-c62w-h5rv", + "CGA-cjqx-w66g-47qw", + "CGA-mvfr-2q7x-4qfj", + "CGA-qmpr-qhrc-f7m6", + "CGA-vrf3-m7hm-2jfq" + ], + "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET", + "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.7" + } + ] + } + ], + "versions": [ + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.18" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.17", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/urllib3/urllib3" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-10-17T20:15:25Z", + "nvd_published_at": "2023-10-17T20:15:10Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-18T05:30:37Z", + "published": "2023-10-02T23:27:05Z", + "schema_version": "1.6.0", + "id": "GHSA-v845-jxx5-vc9f", + "aliases": [ + "CVE-2023-43804", + "PYSEC-2023-192" + ], + "related": [ + "CGA-56g7-689g-xp6r", + "CGA-7c9w-c64m-rwq2", + "CGA-f5jj-vcxx-v8m8", + "CGA-h89x-4j9m-pw85", + "CGA-hwhv-g3qw-gfgp", + "CGA-jj8v-vhq7-m6wh", + "CGA-mqx7-jxgh-vrfr" + ], + "summary": "`Cookie` HTTP header isn't stripped on cross-origin redirects", + "details": "urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.6" + } + ] + } + ], + "versions": [ + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.17" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/urllib3/urllib3" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-10-02T23:27:05Z", + "nvd_published_at": "2023-10-04T17:15:10Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-11-08T04:13:33Z", + "published": "2023-10-04T17:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-192", + "aliases": [ + "CVE-2023-43804", + "GHSA-v845-jxx5-vc9f" + ], + "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "644124ecd0b6e417c527191f866daa05a5a2056d" + }, + { + "fixed": "01220354d389cd05474713f8c982d05c9b17aafb" + } + ], + "repo": "https://github.com/urllib3/urllib3" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.6" + }, + { + "introduced": "0" + }, + { + "fixed": "1.26.17" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1", + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d" + }, + { + "type": "ADVISORY", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f" + }, + { + "type": "FIX", + "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" + } + ] + }, + { + "modified": "2023-11-08T04:13:39Z", + "published": "2023-10-17T20:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-212", + "aliases": [ + "CVE-2023-45803", + "GHSA-g4mx-q9vg-27p4" + ], + "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9" + } + ], + "repo": "https://github.com/urllib3/urllib3" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.7" + }, + { + "introduced": "0" + }, + { + "fixed": "1.26.18" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.17", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1", + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" + }, + { + "type": "FIX", + "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" + }, + { + "type": "ARTICLE", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-34jh-p97f-mpxf" + ], + "aliases": [ + "CVE-2024-37891", + "GHSA-34jh-p97f-mpxf" + ], + "max_severity": "4.4" + }, + { + "ids": [ + "GHSA-g4mx-q9vg-27p4", + "PYSEC-2023-212" + ], + "aliases": [ + "CVE-2023-45803", + "GHSA-g4mx-q9vg-27p4", + "PYSEC-2023-212" + ], + "max_severity": "4.2" + }, + { + "ids": [ + "GHSA-v845-jxx5-vc9f", + "PYSEC-2023-192" + ], + "aliases": [ + "CVE-2023-43804", + "GHSA-v845-jxx5-vc9f", + "PYSEC-2023-192" + ], + "max_severity": "8.1" + } + ] + } +] \ No newline at end of file diff --git a/audits/twtxt-requirements.audit.json b/audits/twtxt-requirements.audit.json deleted file mode 100644 index b02fb4f5..00000000 --- a/audits/twtxt-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "twtxt-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/audits/vdirsyncer-requirements.audit.json b/audits/vdirsyncer-requirements.audit.json deleted file mode 100644 index 90e70b21..00000000 --- a/audits/vdirsyncer-requirements.audit.json +++ /dev/null @@ -1,336 +0,0 @@ -[ - { - "package": { - "name": "aiohttp", - "version": "3.9.5", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "vdirsyncer-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-09T17:26:57Z", - "published": "2024-08-09T16:49:58Z", - "schema_version": "1.6.0", - "id": "GHSA-jwhx-xcg6-8xhj", - "aliases": [ - "CVE-2024-42367" - ], - "summary": "In aiohttp, compressed files as symlinks are not protected from path traversal", - "details": "### Summary\nStatic routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.\n\n### Details\nThe server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file.\n\n### Impact\nServers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.\n\n----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8653/files", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.10.2" - } - ] - } - ], - "versions": [ - "0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.16.6", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.21.0", - "0.21.1", - "0.21.2", - "0.21.4", - "0.21.5", - "0.21.6", - "0.22.0", - "0.22.0a0", - "0.22.0b0", - "0.22.0b1", - "0.22.0b2", - "0.22.0b3", - "0.22.0b4", - "0.22.0b5", - "0.22.0b6", - "0.22.1", - "0.22.2", - "0.22.3", - "0.22.4", - "0.22.5", - "0.3", - "0.4", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.5", - "1.1.0", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.2.0", - "1.3.0", - "1.3.1", - "1.3.2", - "1.3.3", - "1.3.4", - "1.3.5", - "2.0.0", - "2.0.0rc1", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1", - "2.2.2", - "2.2.3", - "2.2.4", - "2.2.5", - "2.3.0", - "2.3.0a1", - "2.3.0a2", - "2.3.0a3", - "2.3.0a4", - "2.3.1", - "2.3.10", - "2.3.1a1", - "2.3.2", - "2.3.2b2", - "2.3.2b3", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "2.3.9", - "3.0.0", - "3.0.0b0", - "3.0.0b1", - "3.0.0b2", - "3.0.0b3", - "3.0.0b4", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.10.0", - "3.10.0b1", - "3.10.0rc0", - "3.10.1", - "3.2.0", - "3.2.1", - "3.3.0", - "3.3.0a0", - "3.3.1", - "3.3.2", - "3.3.2a0", - "3.4.0", - "3.4.0a0", - "3.4.0a3", - "3.4.0b1", - "3.4.0b2", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5.0", - "3.5.0a1", - "3.5.0b1", - "3.5.0b2", - "3.5.0b3", - "3.5.1", - "3.5.2", - "3.5.3", - "3.5.4", - "3.6.0", - "3.6.0a0", - "3.6.0a1", - "3.6.0a11", - "3.6.0a12", - "3.6.0a2", - "3.6.0a3", - "3.6.0a4", - "3.6.0a5", - "3.6.0a6", - "3.6.0a7", - "3.6.0a8", - "3.6.0a9", - "3.6.0b0", - "3.6.1", - "3.6.1b3", - "3.6.1b4", - "3.6.2", - "3.6.2a0", - "3.6.2a1", - "3.6.2a2", - "3.6.3", - "3.7.0", - "3.7.0b0", - "3.7.0b1", - "3.7.1", - "3.7.2", - "3.7.3", - "3.7.4", - "3.7.4.post0", - "3.8.0", - "3.8.0a7", - "3.8.0b0", - "3.8.1", - "3.8.2", - "3.8.3", - "3.8.4", - "3.8.5", - "3.8.6", - "3.9.0", - "3.9.0b0", - "3.9.0b1", - "3.9.0rc0", - "3.9.1", - "3.9.2", - "3.9.3", - "3.9.4", - "3.9.4rc0", - "3.9.5" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jwhx-xcg6-8xhj/GHSA-jwhx-xcg6-8xhj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/pull/8653" - }, - { - "type": "WEB", - "url": "https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/aio-libs/aiohttp" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-61" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-08-09T16:49:58Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-jwhx-xcg6-8xhj" - ], - "aliases": [ - "CVE-2024-42367", - "GHSA-jwhx-xcg6-8xhj" - ], - "max_severity": "6.3" - } - ] - } -] \ No newline at end of file diff --git a/requirements/airshare-requirements.txt b/requirements/airshare-requirements.txt index d0b9b8e2..1c6d0f0a 100644 --- a/requirements/airshare-requirements.txt +++ b/requirements/airshare-requirements.txt @@ -1,13 +1,14 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 asyncio==3.4.3 -attrs==23.2.0 +attrs==24.2.0 certifi==2024.7.4 charset-normalizer==3.3.2 click==8.1.7 colorama==0.4.6 frozenlist==1.4.1 -humanize==4.9.0 +humanize==4.10.0 idna==3.7 ifaddr==0.2.0 multidict==6.0.5 @@ -15,7 +16,7 @@ pyperclip==1.9.0 requests==2.32.3 requests-toolbelt==1.0.0 termcolor==2.4.0 -tqdm==4.66.4 +tqdm==4.66.5 urllib3==2.2.2 yarl==1.9.4 zeroconf==0.132.2 diff --git a/requirements/black-requirements.txt b/requirements/black-requirements.txt index c7215f90..d71c122c 100644 --- a/requirements/black-requirements.txt +++ b/requirements/black-requirements.txt @@ -1,7 +1,7 @@ -aiohappyeyeballs==2.3.4 -aiohttp==3.10.0 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 click==8.1.7 frozenlist==1.4.1 idna==3.7 diff --git a/requirements/bzt-requirements.txt b/requirements/bzt-requirements.txt index 796be103..217e70f6 100644 --- a/requirements/bzt-requirements.txt +++ b/requirements/bzt-requirements.txt @@ -1,19 +1,20 @@ aiodogstatsd==0.16.0.post0 -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 astunparse==1.6.3 -attrs==23.2.0 +attrs==24.2.0 bidict==0.23.1 charset-normalizer==3.3.2 colorlog==6.8.2 cssselect==1.2.0 -cython==3.0.10 +cython==3.0.11 dill==0.3.8 frozenlist==1.4.1 fuzzyset2==0.2.4 h11==0.14.0 hdrpy==0.3.3 -humanize==4.9.0 +humanize==4.10.0 idna==3.7 influxdb==5.3.2 lxml==5.2.2 @@ -29,10 +30,10 @@ python-engineio==4.9.1 python-socketio==5.11.3 pytz==2024.1 pyvirtualdisplay==3.0 -pyyaml==6.0.1 -rapidfuzz==3.9.3 +pyyaml==6.0.2 +rapidfuzz==3.9.6 requests==2.32.3 -setuptools==70.1.0 +setuptools==72.1.0 simple-websocket==1.0.0 six==1.16.0 terminaltables==3.1.10 @@ -40,6 +41,6 @@ urllib3==1.26.17 urwid==2.1.2 wcwidth==0.2.13 websocket-client==1.8.0 -wheel==0.43.0 +wheel==0.44.0 wsproto==1.2.0 yarl==1.9.4 diff --git a/requirements/checkov-requirements.txt b/requirements/checkov-requirements.txt index c4d3541e..9e46903b 100644 --- a/requirements/checkov-requirements.txt +++ b/requirements/checkov-requirements.txt @@ -1,10 +1,11 @@ aiodns==3.2.0 -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiomultiprocess==0.9.1 aiosignal==1.3.1 annotated-types==0.7.0 -argcomplete==3.4.0 -attrs==23.2.0 +argcomplete==3.5.0 +attrs==24.2.0 bc-detect-secrets==1.5.15 bc-jsonpath-ng==1.6.1 bc-python-hcl2==0.4.2 @@ -15,7 +16,7 @@ boto3==1.34.25 botocore==1.34.25 cached-property==1.5.2 cachetools==5.4.0 -cffi==1.16.0 +cffi==1.17.0 charset-normalizer==3.3.2 click==8.1.7 click-option-group==0.5.6 @@ -60,12 +61,12 @@ pydantic==2.8.2 pydantic-core==2.20.1 pyparsing==3.1.2 python-dateutil==2.9.0.post0 -pyyaml==6.0.1 +pyyaml==6.0.2 rdflib==7.0.0 referencing==0.35.1 regex==2024.7.24 requests==2.32.3 -rpds-py==0.19.1 +rpds-py==0.20.0 rustworkx==0.13.2 s3transfer==0.10.2 schema==0.7.5 @@ -77,7 +78,7 @@ soupsieve==2.5 spdx-tools==0.8.2 tabulate==0.9.0 termcolor==2.3.0 -tqdm==4.66.4 +tqdm==4.66.5 typing-extensions==4.12.2 unidiff==0.7.5 uritools==4.0.3 diff --git a/requirements/codelimit-requirements.txt b/requirements/codelimit-requirements.txt index 8c819a5d..e9797030 100644 --- a/requirements/codelimit-requirements.txt +++ b/requirements/codelimit-requirements.txt @@ -1,5 +1,5 @@ aiohappyeyeballs==2.3.5 -aiohttp==3.10.1 +aiohttp==3.10.2 aiosignal==1.3.1 attrs==24.2.0 charset-normalizer==3.3.2 diff --git a/requirements/dnstwist-requirements.txt b/requirements/dnstwist-requirements.txt index 9cba7875..a33aac95 100644 --- a/requirements/dnstwist-requirements.txt +++ b/requirements/dnstwist-requirements.txt @@ -1,6 +1,7 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 charset-normalizer==3.3.2 dnspython==2.6.1 frozenlist==1.4.1 @@ -11,7 +12,7 @@ multidict==6.0.5 ppdeep==20200505 py-tlsh==4.7.2 requests==2.32.3 -setuptools==70.0.0 +setuptools==72.1.0 tld==0.13 urllib3==2.2.2 yarl==1.9.4 diff --git a/requirements/dstack-requirements.txt b/requirements/dstack-requirements.txt index 137a1578..606cf67c 100644 --- a/requirements/dstack-requirements.txt +++ b/requirements/dstack-requirements.txt @@ -1,5 +1,5 @@ -aiohappyeyeballs==2.3.4 -aiohttp==3.10.1 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiorwlock==1.4.0 aiosignal==1.3.1 aiosqlite==0.20.0 @@ -19,8 +19,8 @@ azure-mgmt-network==26.0.0 azure-mgmt-resource==23.1.1 azure-mgmt-subscription==3.1.1 bcrypt==4.2.0 -boto3==1.34.155 -botocore==1.34.155 +boto3==1.34.158 +botocore==1.34.158 cached-classproperty==1.0.1 cachetools==5.4.0 charset-normalizer==3.3.2 @@ -44,10 +44,10 @@ google-cloud-billing==1.13.6 google-cloud-compute==1.19.2 google-cloud-core==2.4.1 google-cloud-logging==3.11.1 -google-cloud-storage==2.18.1 +google-cloud-storage==2.18.2 google-cloud-tpu==1.18.5 google-crc32c==1.5.0 -google-resumable-media==2.7.1 +google-resumable-media==2.7.2 googleapis-common-protos==1.63.2 gpuhunt==0.0.12 greenlet==3.0.3 diff --git a/requirements/gimme-aws-creds-requirements.txt b/requirements/gimme-aws-creds-requirements.txt index 6cfac39a..53a83f6d 100644 --- a/requirements/gimme-aws-creds-requirements.txt +++ b/requirements/gimme-aws-creds-requirements.txt @@ -1,10 +1,11 @@ aenum==3.1.11 -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 beautifulsoup4==4.12.3 -boto3==1.34.128 -botocore==1.34.128 +boto3==1.34.158 +botocore==1.34.158 charset-normalizer==3.3.2 ctap-keyring-device==1.0.6 fido2==0.9.3 @@ -15,25 +16,25 @@ html5lib==1.1 idna==3.7 jaraco-classes==3.4.0 jaraco-context==5.3.0 -jaraco-functools==4.0.1 +jaraco-functools==4.0.2 jmespath==1.0.1 jwcrypto==1.5.6 -keyring==25.2.1 -more-itertools==10.3.0 +keyring==25.3.0 +more-itertools==10.4.0 multidict==6.0.5 -okta==2.9.7 +okta==2.9.8 orderedmultidict==1.0.1 pycryptodomex==3.20.0 -pydash==8.0.1 -pyjwt==2.8.0 +pydash==8.0.3 +pyjwt==2.9.0 pyobjc-core==10.3.1 pyobjc-framework-cocoa==10.3.1 pyobjc-framework-localauthentication==10.3.1 pyobjc-framework-security==10.3.1 python-dateutil==2.9.0.post0 -pyyaml==6.0.1 +pyyaml==6.0.2 requests==2.32.3 -s3transfer==0.10.1 +s3transfer==0.10.2 six==1.16.0 soupsieve==2.5 typing-extensions==4.12.2 diff --git a/requirements/homeassistant-cli-requirements.txt b/requirements/homeassistant-cli-requirements.txt index 74850247..4d945a36 100644 --- a/requirements/homeassistant-cli-requirements.txt +++ b/requirements/homeassistant-cli-requirements.txt @@ -1,6 +1,7 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 certifi==2024.7.4 charset-normalizer==3.3.2 click==8.1.7 @@ -17,7 +18,7 @@ netdisco==3.0.0 ply==3.11 python-dateutil==2.9.0.post0 pytz==2024.1 -regex==2024.5.15 +regex==2024.7.24 requests==2.32.3 ruamel-yaml==0.17.40 ruamel-yaml-clib==0.2.8 diff --git a/requirements/parsedmarc-requirements.txt b/requirements/parsedmarc-requirements.txt index 870e82cd..71b77570 100644 --- a/requirements/parsedmarc-requirements.txt +++ b/requirements/parsedmarc-requirements.txt @@ -1,12 +1,12 @@ -aiohappyeyeballs==2.3.4 -aiohttp==3.10.1 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==24.1.0 +attrs==24.2.0 azure-core==1.30.2 azure-identity==1.17.1 azure-monitor-ingestion==1.0.4 -boto3==1.34.153 -botocore==1.34.153 +boto3==1.34.158 +botocore==1.34.158 cachetools==5.4.0 charset-normalizer==3.3.2 dateparser==1.2.0 @@ -18,8 +18,8 @@ expiringdict==1.2.2 frozenlist==1.4.1 geoip2==4.8.0 google-api-core==2.19.1 -google-api-python-client==2.139.0 -google-auth==2.32.0 +google-api-python-client==2.140.0 +google-auth==2.33.0 google-auth-httplib2==0.2.0 google-auth-oauthlib==1.2.1 googleapis-common-protos==1.63.2 @@ -44,7 +44,7 @@ portalocker==2.10.1 proto-plus==1.24.0 protobuf==5.27.3 publicsuffix2==2.20191221 -publicsuffixlist==1.0.2.20240805 +publicsuffixlist==1.0.2.20240810 pyasn1==0.6.0 pyasn1-modules==0.4.0 pyjwt==2.9.0 diff --git a/requirements/pferd-requirements.txt b/requirements/pferd-requirements.txt index 4e768949..c8601f02 100644 --- a/requirements/pferd-requirements.txt +++ b/requirements/pferd-requirements.txt @@ -1,18 +1,19 @@ -aiohttp==3.9.4 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 beautifulsoup4==4.12.3 frozenlist==1.4.1 idna==3.7 jaraco-classes==3.4.0 jaraco-context==5.3.0 -jaraco-functools==4.0.0 -keyring==25.1.0 +jaraco-functools==4.0.2 +keyring==25.3.0 markdown-it-py==3.0.0 mdurl==0.1.2 -more-itertools==10.2.0 +more-itertools==10.4.0 multidict==6.0.5 -pygments==2.17.2 +pygments==2.18.0 rich==13.7.1 soupsieve==2.5 yarl==1.9.4 diff --git a/requirements/pyinstaller-requirements.txt b/requirements/pyinstaller-requirements.txt index bce03972..50b96103 100644 --- a/requirements/pyinstaller-requirements.txt +++ b/requirements/pyinstaller-requirements.txt @@ -1,5 +1,5 @@ altgraph==0.17.4 macholib==1.16.3 packaging==24.1 -pyinstaller-hooks-contrib==2024.7 -setuptools==70.2.0 +pyinstaller-hooks-contrib==2024.8 +setuptools==72.1.0 diff --git a/requirements/rawdog-requirements.txt b/requirements/rawdog-requirements.txt index 19ee643d..c3846b2d 100644 --- a/requirements/rawdog-requirements.txt +++ b/requirements/rawdog-requirements.txt @@ -1,37 +1,42 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 annotated-types==0.7.0 anyio==4.4.0 -attrs==23.2.0 +attrs==24.2.0 charset-normalizer==3.3.2 click==8.1.7 distro==1.9.0 -filelock==3.15.1 +filelock==3.15.4 frozenlist==1.4.1 -fsspec==2024.6.0 +fsspec==2024.6.1 h11==0.14.0 httpcore==1.0.5 httpx==0.27.0 -huggingface-hub==0.23.4 +huggingface-hub==0.24.5 idna==3.7 -ijson==3.3.0 -importlib-metadata==7.1.0 +importlib-metadata==8.2.0 jinja2==3.1.4 -litellm==1.40.16 +jiter==0.5.0 +jsonschema==4.23.0 +jsonschema-specifications==2023.12.1 +litellm==1.43.6 markupsafe==2.1.5 multidict==6.0.5 -openai==1.34.0 +openai==1.40.3 packaging==24.1 -pydantic==2.7.4 -pydantic-core==2.18.4 +pydantic==2.8.2 +pydantic-core==2.20.1 python-dotenv==1.0.1 -pyyaml==6.0.1 -regex==2024.5.15 +pyyaml==6.0.2 +referencing==0.35.1 +regex==2024.7.24 requests==2.32.3 +rpds-py==0.20.0 sniffio==1.3.1 tiktoken==0.7.0 -tokenizers==0.19.1 -tqdm==4.66.4 +tokenizers==0.20.0 +tqdm==4.66.5 typing-extensions==4.12.2 urllib3==2.2.2 yarl==1.9.4 diff --git a/requirements/slither-analyzer-requirements.txt b/requirements/slither-analyzer-requirements.txt index 2552430e..e8d46abd 100644 --- a/requirements/slither-analyzer-requirements.txt +++ b/requirements/slither-analyzer-requirements.txt @@ -1,6 +1,7 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 bitarray==2.9.2 cbor2==5.6.4 charset-normalizer==3.3.2 @@ -13,31 +14,31 @@ eth-hash==0.7.0 eth-keyfile==0.8.1 eth-keys==0.5.1 eth-rlp==1.0.1 -eth-typing==4.3.1 +eth-typing==4.4.0 eth-utils==4.1.1 frozenlist==1.4.1 hexbytes==0.3.1 idna==3.7 -jsonschema==4.22.0 +jsonschema==4.23.0 jsonschema-specifications==2023.12.1 lru-dict==1.2.0 multidict==6.0.5 packaging==24.1 parsimonious==0.10.0 -prettytable==3.10.0 -protobuf==5.27.1 +prettytable==3.10.2 +protobuf==5.27.3 pycryptodome==3.20.0 pyunormalize==15.1.0 referencing==0.35.1 -regex==2024.5.15 +regex==2024.7.24 requests==2.32.3 rlp==4.0.1 -rpds-py==0.18.1 +rpds-py==0.20.0 solc-select==1.0.4 toolz==0.12.1 typing-extensions==4.12.2 urllib3==2.2.2 wcwidth==0.2.13 -web3==6.19.0 +web3==6.20.1 websockets==12.0 yarl==1.9.4 diff --git a/requirements/tmt-requirements.txt b/requirements/tmt-requirements.txt index a98c3a6d..c182c02c 100644 --- a/requirements/tmt-requirements.txt +++ b/requirements/tmt-requirements.txt @@ -1,18 +1,25 @@ +appdirs==1.4.4 attrs==23.2.0 -charset-normalizer==3.3.2 -click==8.1.7 +charset-normalizer==2.1.1 +click==8.1.3 docutils==0.21.2 -filelock==3.15.3 -idna==3.7 -jinja2==3.1.4 -jsonschema==4.22.0 +filelock==3.15.4 +flexcache==0.3 +flexparser==0.3.1 +idna==3.4 +jinja2==3.1.2 +jsonschema==4.17.3 jsonschema-specifications==2023.12.1 markupSafe==2.1.5 -pint==0.19.2 +packaging==21.3 +pint==0.24.3 pygments==2.18.0 +pyparsing==3.1.2 +pyrsistent==0.18.1 referencing==0.35.1 -requests==2.32.3 -rpds-py==0.18.1 +requests==2.28.1 +rpds-py==0.20.0 ruamel-yaml==0.18.6 ruamel-yaml-clib==0.2.8 -urllib3==2.2.2 +typing-extensions==4.12.0 +urllib3==1.26.14 diff --git a/requirements/twtxt-requirements.txt b/requirements/twtxt-requirements.txt index 1c6cd3f7..aaeba035 100644 --- a/requirements/twtxt-requirements.txt +++ b/requirements/twtxt-requirements.txt @@ -1,9 +1,10 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiosignal==1.3.1 -attrs==23.2.0 +attrs==24.2.0 click==8.1.7 frozenlist==1.4.1 -humanize==4.9.0 +humanize==4.10.0 idna==3.7 multidict==6.0.5 python-dateutil==2.9.0.post0 diff --git a/requirements/vdirsyncer-requirements.txt b/requirements/vdirsyncer-requirements.txt index e677913a..31cd8eae 100644 --- a/requirements/vdirsyncer-requirements.txt +++ b/requirements/vdirsyncer-requirements.txt @@ -1,9 +1,10 @@ -aiohttp==3.9.5 +aiohappyeyeballs==2.3.5 +aiohttp==3.10.2 aiohttp-oauthlib==0.1.0 aiosignal==1.3.1 aiostream==0.4.5 atomicwrites==1.4.1 -attrs==23.2.0 +attrs==24.2.0 charset-normalizer==3.3.2 click==8.1.7 click-log==0.4.0