diff --git a/.github/actions/Dockerfile b/.github/actions/Dockerfile
index b862e6ad..df1f3569 100644
--- a/.github/actions/Dockerfile
+++ b/.github/actions/Dockerfile
@@ -2,7 +2,7 @@ FROM anthonypjshaw/pycharm-security:latest
COPY action.sh /action.sh
COPY parse.py /code/parse.py
COPY project.iml /code/project.iml
-COPY jdk.table.xml /root/.config/JetBrains/PyCharm2021.2/jdk.table.xml
+COPY jdk.table.xml /root/.config/JetBrains/PyCharm2021.3/jdk.table.xml
RUN apt-get -y update && apt-get -y install python3 python3-pip python3-venv && python3 -m pip install setuptools
RUN ["chmod", "+x", "/action.sh"]
ENTRYPOINT ["/action.sh"]
diff --git a/.github/actions/jdk.table.xml b/.github/actions/jdk.table.xml
index 2b9856e7..81f56a66 100644
--- a/.github/actions/jdk.table.xml
+++ b/.github/actions/jdk.table.xml
@@ -12,7 +12,7 @@
-
+
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e5635ebc..a726f399 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ jobs:
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
- pycharm-version: ['2021.2']
+ pycharm-version: ['2021.3']
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v1
@@ -27,7 +27,7 @@ jobs:
java-version: 11
- uses: eskatos/gradle-command-action@v1
with:
- arguments: jacocoTestReport -PintellijPublishToken=FAKE_TOKEN -PintellijVersion=2021.2
+ arguments: jacocoTestReport -PintellijPublishToken=FAKE_TOKEN -PintellijVersion=2021.3
- name: Codecov
uses: codecov/codecov-action@v1.0.7
with:
diff --git a/Dockerfile b/Dockerfile
index 1be5e74b..d881f3e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG PYCHARM_VERSION=2021.2
+ARG PYCHARM_VERSION=2021.3
FROM ubuntu:18.04
ARG PYCHARM_VERSION
RUN echo "Building PyCharm $PYCHARM_VERSION with python-security"
diff --git a/HISTORY.md b/HISTORY.md
index 0388678a..15323db9 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,11 @@
# Release History
+## 1.25.0
+
+* Added a PyPi API option for package security checking that uses the new PyPI vulnerability API
+* Support for 2021.3
+* Update safety DB to december
+
## 1.24.3
* Update safety db to october 2021
diff --git a/README.md b/README.md
index de440811..c10944c0 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,10 @@ This plugin will check the installed packages in your Python projects against th
+## PyPi vulnerability API
+
+This plugin will check the installed packages in your Python projects against the OSV database in PyPi and raise a warning for any vulnerabilities.
+
## Current checks
See [Supported Checks](https://pycharm-security.readthedocs.io/en/latest/checks/index.html) for a current list.
diff --git a/build.gradle b/build.gradle
index c55ff9c5..763789f3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -7,7 +7,7 @@ plugins {
}
group 'org.tonybaloney.security'
-version '1.24.3'
+version '1.25.0'
def ktor_version = "1.6.6"
def kotlin_version = "1.6.0"
@@ -21,9 +21,9 @@ repositories {
dependencies {
testCompile group: 'org.junit.jupiter', name: 'junit-jupiter', version: '5.8.2'
- testImplementation "com.nhaarman.mockitokotlin2:mockito-kotlin:2.2.0"
- testImplementation "net.bytebuddy:byte-buddy:1.12.2"
- testImplementation "net.bytebuddy:byte-buddy-agent:1.12.2"
+ testImplementation "org.mockito.kotlin:mockito-kotlin:4.0.0"
+ testImplementation 'net.bytebuddy:byte-buddy:1.12.2'
+ testImplementation 'net.bytebuddy:byte-buddy-agent:1.12.2'
implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
compile "io.ktor:ktor-client-core:$ktor_version"
@@ -39,7 +39,7 @@ test {
// See https://github.com/JetBrains/gradle-intellij-plugin/
// Make the intellij version overridable on the command line to support multiple build versions..
-def intellijversion = project.hasProperty('intellijVersion') ? project.getProperty('intellijVersion') : '2021.2'
+def intellijversion = project.hasProperty('intellijVersion') ? project.getProperty('intellijVersion') : '2021.3'
intellij {
type = 'PC'
@@ -50,9 +50,11 @@ intellij {
patchPluginXml {
changeNotes = """
- 1.24.3
+ 1.25.0
- - Safety db update
+ - Added a PyPi API option for package security checking that uses the new PyPI vulnerability API
+ - Support for 2021.3
+ - Update safety DB to december
"""
}
diff --git a/src/main/java/security/fixes/FixUtil.kt b/src/main/java/security/fixes/FixUtil.kt
index 844f1c24..a8d5373c 100644
--- a/src/main/java/security/fixes/FixUtil.kt
+++ b/src/main/java/security/fixes/FixUtil.kt
@@ -8,19 +8,19 @@ import com.jetbrains.python.psi.*
fun getPyExpressionAtCaret(file: PsiFile, editor: Editor): PyExpression? {
- return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyExpression::class.java) ?: return null
+ return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyExpression::class.java)
}
fun getPyCallExpressionAtCaret(file: PsiFile, editor: Editor): PyCallExpression? {
- return PsiTreeUtil.getTopmostParentOfType(file.findElementAt(editor.caretModel.offset), PyCallExpression::class.java) ?: return null
+ return PsiTreeUtil.getTopmostParentOfType(file.findElementAt(editor.caretModel.offset), PyCallExpression::class.java)
}
fun getListLiteralExpressionAtCaret(file: PsiFile, editor: Editor): PyListLiteralExpression? {
- return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyListLiteralExpression::class.java) ?: return null
+ return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyListLiteralExpression::class.java)
}
fun getBinaryExpressionElementAtCaret(file: PsiFile, editor: Editor): PyBinaryExpression? {
- return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyBinaryExpression::class.java) ?: return null
+ return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyBinaryExpression::class.java)
}
fun getNewCallExpressiontAtCaret(file: PsiFile, editor: Editor, project: Project, old: String, new: String): PyCallExpression ? {
diff --git a/src/main/java/security/fixes/ShellEscapeFixer.kt b/src/main/java/security/fixes/ShellEscapeFixer.kt
index 95ad3121..4625439a 100644
--- a/src/main/java/security/fixes/ShellEscapeFixer.kt
+++ b/src/main/java/security/fixes/ShellEscapeFixer.kt
@@ -11,6 +11,7 @@ import com.intellij.psi.PsiElement
import com.intellij.psi.PsiFile
import com.intellij.util.IncorrectOperationException
import com.jetbrains.python.psi.*
+import com.jetbrains.python.psi.types.TypeEvalContext
import security.helpers.QualifiedNameHelpers.getQualifiedName
@@ -56,11 +57,11 @@ class ShellEscapeFixer : LocalQuickFix, IntentionAction, HighPriorityAction {
val list = elementGenerator.createListLiteral()
for (item in oldElement.elements){
if (item is PyReferenceExpression){
- list.add(getNewEscapedExpression(file, project, item) as @org.jetbrains.annotations.NotNull PsiElement)
+ list.add(getNewEscapedExpression(file, project, item) as PsiElement)
continue
} else if (item is PyCallExpression) {
- if (getQualifiedName(item) != "shlex.quote") {
- list.add(getNewEscapedExpression(file, project, item) as @org.jetbrains.annotations.NotNull PsiElement)
+ if (getQualifiedName(item, TypeEvalContext.codeAnalysis(project, file)) != "shlex.quote") {
+ list.add(getNewEscapedExpression(file, project, item) as PsiElement)
continue
}
}
diff --git a/src/main/java/security/helpers/InspectionVisitorExtensions.kt b/src/main/java/security/helpers/InspectionVisitorExtensions.kt
index 5b63077a..2ec9e13d 100644
--- a/src/main/java/security/helpers/InspectionVisitorExtensions.kt
+++ b/src/main/java/security/helpers/InspectionVisitorExtensions.kt
@@ -3,10 +3,17 @@ package security.helpers
import com.intellij.codeInspection.LocalInspectionToolSession
import com.intellij.codeInspection.ProblemsHolder
import com.jetbrains.python.inspections.PyInspectionVisitor
+import com.jetbrains.python.psi.types.TypeEvalContext
+import security.helpers.TypeEvalContextHelper.getTypeEvalContext
-open class SecurityVisitor(holder: ProblemsHolder, session: LocalInspectionToolSession) : PyInspectionVisitor(holder, session) {
+open class SecurityVisitor(holder: ProblemsHolder, val session: LocalInspectionToolSession) : PyInspectionVisitor(holder, getTypeEvalContext(session)) {
override fun getHolder(): ProblemsHolder {
return super.getHolder()!!
}
+
+ val typeEvalContext: TypeEvalContext
+ get() {
+ return getTypeEvalContext(session)
+ }
}
\ No newline at end of file
diff --git a/src/main/java/security/helpers/QualifiedNameHelpers.kt b/src/main/java/security/helpers/QualifiedNameHelpers.kt
index bf120147..99e8a4c7 100644
--- a/src/main/java/security/helpers/QualifiedNameHelpers.kt
+++ b/src/main/java/security/helpers/QualifiedNameHelpers.kt
@@ -4,12 +4,14 @@ import com.intellij.psi.PsiInvalidElementAccessException
import com.jetbrains.python.psi.PyCallExpression
import com.jetbrains.python.psi.PyReferenceExpression
import com.jetbrains.python.psi.resolve.PyResolveContext
+import com.jetbrains.python.psi.types.TypeEvalContext
object QualifiedNameHelpers {
- var resolveContext: PyResolveContext = PyResolveContext.defaultContext()
- fun getQualifiedName(callExpression: PyCallExpression): String? {
+
+ fun getQualifiedName(callExpression: PyCallExpression, typeContext: TypeEvalContext): String? {
try {
+ val resolveContext: PyResolveContext = PyResolveContext.defaultContext(typeContext)
val resolved = callExpression.multiResolveCallee(resolveContext)
if (resolved.isEmpty()) {
val firstChild = callExpression.firstChild ?: return null
@@ -24,22 +26,22 @@ object QualifiedNameHelpers {
}
}
-fun qualifiedNameMatches(node: PyCallExpression, potential: Array) : Boolean {
- val qualifiedName = QualifiedNameHelpers.getQualifiedName(node) ?: return false
+fun qualifiedNameMatches(node: PyCallExpression, potential: Array, typeContext: TypeEvalContext) : Boolean {
+ val qualifiedName = QualifiedNameHelpers.getQualifiedName(node, typeContext) ?: return false
return listOf(*potential).contains(qualifiedName)
}
-fun qualifiedNameMatches(node: PyCallExpression, potential: String) : Boolean {
- val qualifiedName = QualifiedNameHelpers.getQualifiedName(node) ?: return false
- return (qualifiedName.equals(potential))
+fun qualifiedNameMatches(node: PyCallExpression, potential: String, typeContext: TypeEvalContext) : Boolean {
+ val qualifiedName = QualifiedNameHelpers.getQualifiedName(node, typeContext) ?: return false
+ return (qualifiedName == potential)
}
-fun qualifiedNameStartsWith(node: PyCallExpression, potential: String) : Boolean {
- val qualifiedName = QualifiedNameHelpers.getQualifiedName(node) ?: return false
+fun qualifiedNameStartsWith(node: PyCallExpression, potential: String, typeContext: TypeEvalContext) : Boolean {
+ val qualifiedName = QualifiedNameHelpers.getQualifiedName(node, typeContext) ?: return false
return (qualifiedName.startsWith(potential))
}
-fun qualifiedNameStartsWith(node: PyCallExpression, potential: Array) : Boolean {
- val qualifiedName = QualifiedNameHelpers.getQualifiedName(node) ?: return false
+fun qualifiedNameStartsWith(node: PyCallExpression, potential: Array, typeContext: TypeEvalContext) : Boolean {
+ val qualifiedName = QualifiedNameHelpers.getQualifiedName(node, typeContext) ?: return false
return potential.any { qualifiedName.startsWith(it) }
}
\ No newline at end of file
diff --git a/src/main/java/security/helpers/TypeEvalContextHelper.kt b/src/main/java/security/helpers/TypeEvalContextHelper.kt
new file mode 100644
index 00000000..9b6d1feb
--- /dev/null
+++ b/src/main/java/security/helpers/TypeEvalContextHelper.kt
@@ -0,0 +1,10 @@
+package security.helpers
+
+import com.intellij.codeInspection.LocalInspectionToolSession
+import com.jetbrains.python.psi.types.TypeEvalContext
+
+object TypeEvalContextHelper {
+ fun getTypeEvalContext(session: LocalInspectionToolSession): TypeEvalContext {
+ return TypeEvalContext.codeAnalysis(session.file.project, session.file)
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/security/packaging/PyPackageSecurityScan.kt b/src/main/java/security/packaging/PyPackageSecurityScan.kt
index 02fd2d16..02f33c07 100644
--- a/src/main/java/security/packaging/PyPackageSecurityScan.kt
+++ b/src/main/java/security/packaging/PyPackageSecurityScan.kt
@@ -31,6 +31,7 @@ object PyPackageSecurityScan {
SecuritySettings.SafetyDbType.Api -> checkPackagesInSdks(pythonSdks, project, SafetyDbChecker(SecuritySettings.instance.pyupApiKey, SecuritySettings.instance.pyupApiUrl))
SecuritySettings.SafetyDbType.Custom -> checkPackagesInSdks(pythonSdks, project, SafetyDbChecker("", SecuritySettings.instance.pyupCustomUrl))
SecuritySettings.SafetyDbType.Snyk -> checkPackagesInSdks(pythonSdks, project, SnykChecker(SecuritySettings.instance.snykApiKey, SecuritySettings.instance.snykOrgId))
+ SecuritySettings.SafetyDbType.Pypi -> checkPackagesInSdks(pythonSdks, project, PypiChecker())
}
return true
} catch (ex: PackageCheckerLoadException){
diff --git a/src/main/java/security/packaging/PypiChecker.kt b/src/main/java/security/packaging/PypiChecker.kt
new file mode 100644
index 00000000..9e77258f
--- /dev/null
+++ b/src/main/java/security/packaging/PypiChecker.kt
@@ -0,0 +1,87 @@
+package security.packaging
+
+import com.jetbrains.python.packaging.PyPackage
+import io.ktor.client.*
+import io.ktor.client.engine.apache.*
+import io.ktor.client.features.*
+import io.ktor.client.features.json.*
+import io.ktor.client.request.*
+import io.ktor.http.*
+import kotlinx.coroutines.TimeoutCancellationException
+import java.net.SocketTimeoutException
+
+
+class PypiChecker : BasePackageChecker() {
+ var baseUrl = "https://pypi.org"
+
+ class PyPiIssue (val record: VulnerabilityRecord, pyPackage: PyPackage): PackageIssue(pyPackage = pyPackage) {
+ override fun getMessage(): String {
+ return "${record.id} found in ${pyPackage.name} impacting version ${pyPackage.version}.
See ${record.link} for details"
+ }
+ }
+
+ data class VulnerabilityRecord (
+ val id: String,
+ val aliases: List?,
+ val details: String,
+ val fixed_in: List?,
+ val link: String,
+ val source: String
+ )
+
+ data class PyPiPackageApiResponse(
+ val info: Any,
+ val last_serial: Int,
+ val releases: Any,
+ val urls: Any,
+ val vulnerabilities: List?
+ )
+
+ private suspend fun load(packageName: String, packageVersion: String): PyPiPackageApiResponse? {
+ val client = HttpClient(Apache) {
+ install(JsonFeature) {
+ serializer = GsonSerializer{
+ serializeNulls()
+ disableHtmlEscaping()
+ }
+ }
+ defaultRequest {
+ headers {
+ header("Content-Type", "application/json; charset=utf-8")
+ }
+ }
+ engine {
+ connectTimeout = 60_000
+ connectionRequestTimeout = 60_000
+ socketTimeout = 60_000
+ }
+ }
+
+ try {
+ return client.get(Url("$baseUrl/pypi/$packageName/$packageVersion/json"))
+ } catch (t: TimeoutCancellationException){
+ throw PackageCheckerLoadException("Timeout connecting to PyPi API.")
+ } catch (t: SocketTimeoutException){
+ throw PackageCheckerLoadException("Timeout on socket.")
+ } catch (t: ServerResponseException){
+ throw PackageCheckerLoadException("Server error on PyPi API.")
+ }
+ }
+
+ override fun hasMatch(pythonPackage: PyPackage?): Boolean {
+ return true // Hardcode to prevent it being called twice
+ }
+
+ override suspend fun getMatches (pythonPackage: PyPackage?): List {
+ if (pythonPackage==null) return listOf()
+ val records: ArrayList = ArrayList()
+ val data = load(pythonPackage.name.lowercase(), pythonPackage.version) ?: return records
+ if (data.vulnerabilities == null) return records
+
+ data.vulnerabilities.forEach { issue ->
+ records.add(PyPiIssue(issue, pythonPackage))
+ }
+
+ return records
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/security/settings/SecuritySettings.kt b/src/main/java/security/settings/SecuritySettings.kt
index 7e93ace3..06afb814 100644
--- a/src/main/java/security/settings/SecuritySettings.kt
+++ b/src/main/java/security/settings/SecuritySettings.kt
@@ -1,7 +1,7 @@
package security.settings
+import com.intellij.openapi.application.ApplicationManager
import com.intellij.openapi.components.PersistentStateComponent
-import com.intellij.openapi.components.ServiceManager
import com.intellij.openapi.components.State
import com.intellij.openapi.components.Storage
import com.intellij.util.xmlb.XmlSerializerUtil
@@ -75,12 +75,13 @@ class SecuritySettings : PersistentStateComponent {
Bundled,
Api,
Custom,
- Snyk
+ Snyk,
+ Pypi
}
companion object {
@JvmStatic
val instance: SecuritySettings
- get() = ServiceManager.getService(SecuritySettings::class.java)
+ get() = ApplicationManager.getApplication().getService(SecuritySettings::class.java)
}
}
\ No newline at end of file
diff --git a/src/main/java/security/settings/SecuritySettingsPane.form b/src/main/java/security/settings/SecuritySettingsPane.form
index e52b2a7a..e04c2756 100644
--- a/src/main/java/security/settings/SecuritySettingsPane.form
+++ b/src/main/java/security/settings/SecuritySettingsPane.form
@@ -1,16 +1,16 @@
diff --git a/src/main/java/security/settings/SecuritySettingsPane.java b/src/main/java/security/settings/SecuritySettingsPane.java
index 993d2739..d75b9050 100644
--- a/src/main/java/security/settings/SecuritySettingsPane.java
+++ b/src/main/java/security/settings/SecuritySettingsPane.java
@@ -18,6 +18,7 @@ public class SecuritySettingsPane implements ItemListener{
private JRadioButton radioButton5;
private JTextField snykApiTextField;
private JTextField snykOrgIdTextField;
+ private JRadioButton pyPiVulnerabilityAPIRadioButton;
private ButtonGroup safetyButtonGroup;
@@ -64,6 +65,8 @@ else if (settings.getSafetyDbMode() == SecuritySettings.SafetyDbType.Custom)
radioButton4.setSelected(true);
else if (settings.getSafetyDbMode() == SecuritySettings.SafetyDbType.Snyk)
radioButton5.setSelected(true);
+ else if (settings.getSafetyDbMode() == SecuritySettings.SafetyDbType.Pypi)
+ pyPiVulnerabilityAPIRadioButton.setSelected(true);
else
radioButton1.setSelected(true);
}
@@ -79,6 +82,8 @@ else if (radioButton4.isSelected())
return SecuritySettings.SafetyDbType.Custom;
else if (radioButton5.isSelected())
return SecuritySettings.SafetyDbType.Snyk;
+ else if (pyPiVulnerabilityAPIRadioButton.isSelected())
+ return SecuritySettings.SafetyDbType.Pypi;
else
return SecuritySettings.SafetyDbType.Bundled;
}
@@ -95,7 +100,7 @@ public void itemStateChanged(ItemEvent itemEvent) {
snykOrgIdTextField.setEnabled(false);
snykApiTextField.setEnabled(false);
}
- } else if (itemEvent.getSource() == radioButton1 || itemEvent.getSource() == radioButton2) { // Disabled or Bundled
+ } else if (itemEvent.getSource() == radioButton1 || itemEvent.getSource() == radioButton2 || itemEvent.getSource() == pyPiVulnerabilityAPIRadioButton) { // Disabled or Bundled
if (itemEvent.getStateChange() == ItemEvent.SELECTED) {
apiKeyField.setEnabled(false);
apiUrlField.setEnabled(false);
@@ -133,5 +138,7 @@ private void createUIComponents() {
radioButton4.addItemListener(this);
radioButton5 = new JRadioButton();
radioButton5.addItemListener(this);
+ pyPiVulnerabilityAPIRadioButton = new JRadioButton();
+ pyPiVulnerabilityAPIRadioButton.addItemListener(this);
}
}
diff --git a/src/main/java/security/validators/BuiltinExecInspection.kt b/src/main/java/security/validators/BuiltinExecInspection.kt
index a22ee41c..bf44204d 100644
--- a/src/main/java/security/validators/BuiltinExecInspection.kt
+++ b/src/main/java/security/validators/BuiltinExecInspection.kt
@@ -27,7 +27,7 @@ class BuiltinExecInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, "exec")) return
- if (!qualifiedNameMatches(node, "exec")) return
+ if (!qualifiedNameMatches(node, "exec", typeEvalContext)) return
// First argument as a string literal is ok
if (node.arguments.isNullOrEmpty()) return
diff --git a/src/main/java/security/validators/DjangoExpressionInspection.kt b/src/main/java/security/validators/DjangoExpressionInspection.kt
index 3bd532a7..d0115665 100644
--- a/src/main/java/security/validators/DjangoExpressionInspection.kt
+++ b/src/main/java/security/validators/DjangoExpressionInspection.kt
@@ -32,7 +32,7 @@ class DjangoExpressionInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, expressionTypes + extraMethods)) return
- if (!qualifiedNameStartsWith(node, namespace)) return
+ if (!qualifiedNameStartsWith(node, namespace, typeEvalContext)) return
if (node.arguments.isNullOrEmpty()) return
val templateStatement = node.getKeywordArgument("template") ?: return
diff --git a/src/main/java/security/validators/DjangoExtraSqlInspection.kt b/src/main/java/security/validators/DjangoExtraSqlInspection.kt
index 3e2d359f..65f2ebcb 100644
--- a/src/main/java/security/validators/DjangoExtraSqlInspection.kt
+++ b/src/main/java/security/validators/DjangoExtraSqlInspection.kt
@@ -26,7 +26,7 @@ class DjangoExtraSqlInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, "extra")) return
- if (!qualifiedNameMatches(node, "django.db.models.query.QuerySet.extra")) return
+ if (!qualifiedNameMatches(node, "django.db.models.query.QuerySet.extra", typeEvalContext)) return
val keywordArgumentsToInspect = arrayOf("where", "select", "tables", "order_by", "params")
keywordArgumentsToInspect
diff --git a/src/main/java/security/validators/DjangoSafeStringInspection.kt b/src/main/java/security/validators/DjangoSafeStringInspection.kt
index 051b623b..e6a337f0 100644
--- a/src/main/java/security/validators/DjangoSafeStringInspection.kt
+++ b/src/main/java/security/validators/DjangoSafeStringInspection.kt
@@ -32,7 +32,7 @@ class DjangoSafeStringInspection : PyInspection() {
if (node.arguments.isEmpty()) return
if (skipDocstring(node)) return
if (!calleeMatches(node, methodNames)) return
- if (!qualifiedNameStartsWith(node, arrayOf("django.utils.safestring", "jinja2.filters"))) return
+ if (!qualifiedNameStartsWith(node, arrayOf("django.utils.safestring", "jinja2.filters"), typeEvalContext)) return
var arg = node.arguments[0]
if (arg is PyKeywordArgument){
if(!methodKwargs.containsKey(node.callee?.name)) return
diff --git a/src/main/java/security/validators/HardcodedTempFileInspection.kt b/src/main/java/security/validators/HardcodedTempFileInspection.kt
index e27f6d5a..b8b133dd 100644
--- a/src/main/java/security/validators/HardcodedTempFileInspection.kt
+++ b/src/main/java/security/validators/HardcodedTempFileInspection.kt
@@ -13,7 +13,7 @@ import security.helpers.qualifiedNameMatches
import security.helpers.skipDocstring
class HardcodedTempFileInspection : PyInspection() {
- val check = Checks.HardcodedTempFileCheck;
+ val check = Checks.HardcodedTempFileCheck
override fun getStaticDescription(): String? {
return check.getStaticDescription()
@@ -28,7 +28,7 @@ class HardcodedTempFileInspection : PyInspection() {
if (skipDocstring(node)) return
val possibleTempPaths = arrayOf("/tmp", "/var/tmp", "/dev/shm")
if (!calleeMatches(node, "open")) return
- if (!qualifiedNameMatches(node, "open")) return
+ if (!qualifiedNameMatches(node, "open", typeEvalContext)) return
if (node.arguments.isNullOrEmpty()) return
if (node.arguments.first() !is PyStringLiteralExpression) return
val path = (node.arguments.first() as PyStringLiteralExpression).stringValue
diff --git a/src/main/java/security/validators/HttpxNoVerifyInspection.kt b/src/main/java/security/validators/HttpxNoVerifyInspection.kt
index 294d7005..e0851493 100644
--- a/src/main/java/security/validators/HttpxNoVerifyInspection.kt
+++ b/src/main/java/security/validators/HttpxNoVerifyInspection.kt
@@ -28,7 +28,7 @@ class HttpxNoVerifyInspection : PyInspection() {
if (skipDocstring(node)) return
val requestsMethodNames = arrayOf("get", "post", "options", "delete", "put", "patch", "head")
if (!calleeMatches(node, requestsMethodNames)) return
- if (!qualifiedNameStartsWith(node, "httpx.")) return
+ if (!qualifiedNameStartsWith(node, "httpx.", typeEvalContext)) return
val verifyArgument = node.getKeywordArgument("verify") ?: return
if (verifyArgument !is PyBoolLiteralExpression) return
if (verifyArgument.value) return
diff --git a/src/main/java/security/validators/InsecureHashInspection.kt b/src/main/java/security/validators/InsecureHashInspection.kt
index 68a3be8e..5e1fefba 100644
--- a/src/main/java/security/validators/InsecureHashInspection.kt
+++ b/src/main/java/security/validators/InsecureHashInspection.kt
@@ -38,7 +38,7 @@ class InsecureHashInspection : PyInspection() {
fun checkHashAlgorithmsByNew(node: PyCallExpression, algorithms: Array, check: Checks.CheckType) {
if (!calleeMatches(node, "new")) return
- if (!qualifiedNameStartsWith(node, "hashlib.")) return
+ if (!qualifiedNameStartsWith(node, "hashlib.", typeEvalContext)) return
if (node.arguments.isEmpty()) return
val nameKwArg = node.getKeywordArgument("name")
val firstArg = node.arguments[0]
@@ -53,7 +53,7 @@ class InsecureHashInspection : PyInspection() {
fun checkHashAlgorithmsByImport(node: PyCallExpression, algorithms: Array, check: Checks.CheckType) {
if (!calleeMatches(node, algorithms)) return
- if (qualifiedNameStartsWith(node, "hashlib."))
+ if (qualifiedNameStartsWith(node, "hashlib.", typeEvalContext))
holder.registerProblem(node, check.getDescription())
}
}
diff --git a/src/main/java/security/validators/JinjaAutoinspectInspection.kt b/src/main/java/security/validators/JinjaAutoinspectInspection.kt
index e59fd6b9..2271fe27 100644
--- a/src/main/java/security/validators/JinjaAutoinspectInspection.kt
+++ b/src/main/java/security/validators/JinjaAutoinspectInspection.kt
@@ -28,7 +28,7 @@ class JinjaAutoinspectInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, arrayOf("Environment", "Template"))) return
- if (!qualifiedNameStartsWith(node, "jinja2.")) return
+ if (!qualifiedNameStartsWith(node, "jinja2.", typeEvalContext)) return
val autoescapeArgument = node.getKeywordArgument("autoescape")
if (autoescapeArgument == null)
{
diff --git a/src/main/java/security/validators/MakoTemplateInspection.kt b/src/main/java/security/validators/MakoTemplateInspection.kt
index 659f4283..3487bced 100644
--- a/src/main/java/security/validators/MakoTemplateInspection.kt
+++ b/src/main/java/security/validators/MakoTemplateInspection.kt
@@ -27,7 +27,7 @@ class MakoTemplateInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, "Template")) return
- if (!qualifiedNameStartsWith(node, "mako.")) return
+ if (!qualifiedNameStartsWith(node, "mako.", typeEvalContext)) return
val defaultFiltersArgument = node.getKeywordArgument("default_filters")
if (defaultFiltersArgument == null)
{
diff --git a/src/main/java/security/validators/PickleLoadInspection.kt b/src/main/java/security/validators/PickleLoadInspection.kt
index 8fb40ec3..ea13f436 100644
--- a/src/main/java/security/validators/PickleLoadInspection.kt
+++ b/src/main/java/security/validators/PickleLoadInspection.kt
@@ -25,7 +25,7 @@ class PickleLoadInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
val pickleLoadNames = arrayOf("pickle.load", "pickle.loads", "cPickle.load", "cPickle.loads", "pickle._load", "pickle._loads", "cPickle._load", "cPickle._loads")
- if (qualifiedNameMatches(node, pickleLoadNames))
+ if (qualifiedNameMatches(node, pickleLoadNames, typeEvalContext))
holder.registerProblem(node, Checks.PickleLoadCheck.getDescription())
}
}
diff --git a/src/main/java/security/validators/PyyamlLoadInspection.kt b/src/main/java/security/validators/PyyamlLoadInspection.kt
index ce3e5f71..f785d973 100644
--- a/src/main/java/security/validators/PyyamlLoadInspection.kt
+++ b/src/main/java/security/validators/PyyamlLoadInspection.kt
@@ -28,7 +28,7 @@ class PyyamlLoadInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, "load")) return
- if (!qualifiedNameMatches(node, "yaml.load")) return
+ if (!qualifiedNameMatches(node, "yaml.load", typeEvalContext)) return
// Inspect loader kwarg
val loaderArg = node.getKeywordArgument("Loader")
if (loaderArg != null && loaderArg is PyReferenceExpression)
diff --git a/src/main/java/security/validators/RequestsNoVerifyInspection.kt b/src/main/java/security/validators/RequestsNoVerifyInspection.kt
index 030eeb86..f88ca4ca 100644
--- a/src/main/java/security/validators/RequestsNoVerifyInspection.kt
+++ b/src/main/java/security/validators/RequestsNoVerifyInspection.kt
@@ -28,7 +28,7 @@ class RequestsNoVerifyInspection : PyInspection() {
if (skipDocstring(node)) return
val requestsMethodNames = arrayOf("get", "post", "options", "delete", "put", "patch", "head")
if (!calleeMatches(node, requestsMethodNames)) return
- if (!qualifiedNameStartsWith(node, "requests.")) return
+ if (!qualifiedNameStartsWith(node, "requests.", typeEvalContext)) return
val verifyArgument = node.getKeywordArgument("verify") ?: return
if (verifyArgument !is PyBoolLiteralExpression) return
if (verifyArgument.value) return
diff --git a/src/main/java/security/validators/SpawnShellInjectionInspection.kt b/src/main/java/security/validators/SpawnShellInjectionInspection.kt
index 4f4e9c7e..ae4c8adf 100644
--- a/src/main/java/security/validators/SpawnShellInjectionInspection.kt
+++ b/src/main/java/security/validators/SpawnShellInjectionInspection.kt
@@ -25,7 +25,7 @@ class SpawnShellInjectionInspection : PyInspection() {
private class Visitor(holder: ProblemsHolder, session: LocalInspectionToolSession) : SecurityVisitor(holder, session) {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
- if (!qualifiedNameMatches(node, SpawnShellApis)) return
+ if (!qualifiedNameMatches(node, SpawnShellApis, typeEvalContext)) return
if (node.arguments.isNullOrEmpty()) return
holder.registerProblem(node, Checks.SpawnShellInjectionCheck.getDescription(), ProblemHighlightType.WEAK_WARNING)
}
diff --git a/src/main/java/security/validators/SslWrapSocketInspection.kt b/src/main/java/security/validators/SslWrapSocketInspection.kt
index 0c361f23..778c9999 100644
--- a/src/main/java/security/validators/SslWrapSocketInspection.kt
+++ b/src/main/java/security/validators/SslWrapSocketInspection.kt
@@ -26,7 +26,7 @@ class SslWrapSocketInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
if (!calleeMatches(node, "wrap_socket")) return
- if (!qualifiedNameMatches(node, "ssl.wrap_socket")) return
+ if (!qualifiedNameMatches(node, "ssl.wrap_socket", typeEvalContext)) return
if (node.arguments.isNullOrEmpty())
holder.registerProblem(node, Checks.SslWrapSocketNoVersionCheck.getDescription())
diff --git a/src/main/java/security/validators/StandardShellInjectionInspection.kt b/src/main/java/security/validators/StandardShellInjectionInspection.kt
index 3d0540eb..5e720e21 100644
--- a/src/main/java/security/validators/StandardShellInjectionInspection.kt
+++ b/src/main/java/security/validators/StandardShellInjectionInspection.kt
@@ -28,7 +28,7 @@ class StandardShellInjectionInspection : PyInspection() {
override fun visitPyCallExpression(node: PyCallExpression) {
if (skipDocstring(node)) return
- if (!qualifiedNameMatches(node, ShellApis)) return
+ if (!qualifiedNameMatches(node, ShellApis, typeEvalContext)) return
if (node.arguments.isNullOrEmpty()) return
diff --git a/src/main/java/security/validators/SubprocessShellModeInspection.kt b/src/main/java/security/validators/SubprocessShellModeInspection.kt
index 92a6e2c2..c1e8db19 100644
--- a/src/main/java/security/validators/SubprocessShellModeInspection.kt
+++ b/src/main/java/security/validators/SubprocessShellModeInspection.kt
@@ -33,7 +33,7 @@ class SubprocessShellModeInspection : PyInspection() {
val shellMethodNames = arrayOf("call", "run", "Popen", "check_call", "check_output")
// Check this is an import from the subprocess module
- if (!qualifiedNameStartsWith(node, "subprocess.")) return
+ if (!qualifiedNameStartsWith(node, "subprocess.", typeEvalContext)) return
if (node.arguments.isNullOrEmpty()) return
// Match the method name against one of shellMethodNames
diff --git a/src/main/java/security/validators/TempfileMktempInspection.kt b/src/main/java/security/validators/TempfileMktempInspection.kt
index fcefc1df..ab90c358 100644
--- a/src/main/java/security/validators/TempfileMktempInspection.kt
+++ b/src/main/java/security/validators/TempfileMktempInspection.kt
@@ -28,7 +28,7 @@ class TempfileMktempInspection : PyInspection() {
if (skipDocstring(node)) return
if (!calleeMatches(node, "mktemp")) return
- if (!qualifiedNameMatches(node, "tempfile.mktemp")) return
+ if (!qualifiedNameMatches(node, "tempfile.mktemp", typeEvalContext)) return
holder.registerProblem(node, Checks.TempfileMktempCheck.getDescription(), TempfileMksFixer())
}
}
diff --git a/src/main/resources/META-INF/plugin.xml b/src/main/resources/META-INF/plugin.xml
index 837b748a..dafe0dc3 100644
--- a/src/main/resources/META-INF/plugin.xml
+++ b/src/main/resources/META-INF/plugin.xml
@@ -22,7 +22,7 @@
Scan code in your CI/CD using Docker
]]>
-
+
diff --git a/src/main/resources/safety-db/insecure.json b/src/main/resources/safety-db/insecure.json
index faf79ef6..8a1ab6df 100644
--- a/src/main/resources/safety-db/insecure.json
+++ b/src/main/resources/safety-db/insecure.json
@@ -6,7 +6,9 @@
"<0.0.4"
],
"accesscontrol": [
+ ">=4.0,<4.3",
">=4.0.0,<4.3.0",
+ ">=5.0,<5.2",
">=5.0.0,<5.2.0"
],
"acqusition": [
@@ -50,7 +52,8 @@
],
"aiohttp": [
"<0.16.3",
- "<3.7.4"
+ "<3.7.4",
+ "<3.8.0"
],
"aiohttp-auth-autz": [
"<0.2.0"
@@ -85,8 +88,8 @@
"aiosolr": [
"<3.3.2"
],
- "airtable": [
- "<0.4.4"
+ "aioxmpp": [
+ "<=0.10.2"
],
"ajsonrpc": [
"<1.1.0"
@@ -95,6 +98,10 @@
"<1.8.10.1",
"<1.8.18.1"
],
+ "alerta-server": [
+ "<7.5.7",
+ ">=8.0.0,<8.1.0"
+ ],
"alex-ber-utils": [
"<0.6.3"
],
@@ -132,6 +139,8 @@
"<0.11.2"
],
"ansible": [
+ "<1.2.1",
+ "<1.2.2",
"<1.2.3",
"<1.5.4",
"<1.5.5",
@@ -144,12 +153,62 @@
"<1.9.2",
"<1.9.6",
"<2.0.2",
- "<2.2.1",
- "<2.3.1"
+ "<2.1.4.0",
+ "<2.2.0",
+ "<2.3",
+ "<2.3.1",
+ "<2.8.19",
+ "<2.9.18",
+ "<2.9.23",
+ "<3.0.0",
+ ">0",
+ ">2.1.4.0,<2.2.1.0",
+ ">=2.10.0a1,<2.10.7",
+ ">=2.3.0,<2.3.3",
+ ">=2.4.0,<2.4.1",
+ ">=2.5.0a0,<2.5.14",
+ ">=2.5.0a0,<2.5.15",
+ ">=2.6.0a0,<2.6.11",
+ ">=2.6.0a0,<2.6.14",
+ ">=2.6.0a0,<2.6.18",
+ ">=2.6.0a0,<2.6.19",
+ ">=2.6.0a0,<2.6.20",
+ ">=2.7.0a0,<2.7.12",
+ ">=2.7.0a0,<2.7.13",
+ ">=2.7.0a0,<2.7.14",
+ ">=2.7.0a0,<2.7.15",
+ ">=2.7.0a0,<2.7.16",
+ ">=2.7.0a0,<2.7.17",
+ ">=2.7.0a0,<2.7.18",
+ ">=2.7.0a0,<2.7.5",
+ ">=2.7.0a0,<2.7.8",
+ ">=2.8.0a0,<2.8.11",
+ ">=2.8.0a0,<2.8.12",
+ ">=2.8.0a0,<2.8.2",
+ ">=2.8.0a0,<2.8.4",
+ ">=2.8.0a0,<2.8.6",
+ ">=2.8.0a0,<2.8.7",
+ ">=2.8.0a0,<2.8.8",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.1",
+ ">=2.9.0a0,<2.9.3",
+ ">=2.9.0a0,<2.9.6",
+ ">=2.9.0a0,<2.9.7",
+ ">=2.9.0a0,<2.9.9",
+ ">=2.9.0b1,<2.9.18"
],
"ansible-runner": [
"<1.3.1"
],
+ "ansible-tower-cli": [
+ "<3.3.5",
+ "<3.4.5",
+ "<3.6.4",
+ "<3.7",
+ "<3.8",
+ "<3.8.2",
+ ">=3.0.0,<3.1.0"
+ ],
"ansible-vault": [
"<1.0.5"
],
@@ -162,8 +221,12 @@
"anymotion-sdk": [
"<1.2.5"
],
+ "ao3-poster": [
+ "<0.0.6"
+ ],
"apache-airflow": [
"<1.10.0",
+ "<1.10.12",
"<1.10.13",
"<2.1.2",
">=1.0.0a1,<1.10.15",
@@ -178,10 +241,8 @@
"<8.0.0"
],
"apache-superset": [
- "<0.11.0",
"<0.14.0",
"<0.17.5",
- "<0.19.1",
"<0.23.0",
"<0.25.0",
"<0.28.0rc5",
@@ -205,6 +266,12 @@
"<0",
">0"
],
+ "apispec": [
+ "<1.0.0b2"
+ ],
+ "apkleaks": [
+ "<2.0.3"
+ ],
"appdaemon": [
"<3.0.4"
],
@@ -242,6 +309,9 @@
"async-search-client": [
"<0.5.1"
],
+ "asyncpg": [
+ "<0.21.0"
+ ],
"asyncssh": [
"<2.5.0"
],
@@ -267,6 +337,9 @@
"<0.6.4",
"<20.12.3"
],
+ "autocrop": [
+ "<1.1.1"
+ ],
"avocado-framework": [
"<0.17.0"
],
@@ -276,12 +349,37 @@
"aws-analytics-reference-architecture": [
"<1.1.1"
],
+ "aws-encryption-sdk": [
+ "<1.9.0",
+ ">=2.0.0,<2.2.0"
+ ],
+ "aws-encryption-sdk-cli": [
+ "<1.9.0",
+ "<4.0.0",
+ "<4.1.0",
+ ">=2.0.0,<2.2.0"
+ ],
+ "aws-glue-schema-registry": [
+ "<1.1.5"
+ ],
"aws-parallelcluster": [
"<2.4.0"
],
+ "aws-v4signer": [
+ "<0.6"
+ ],
"awscli": [
"<1.11.83"
],
+ "awsiotsdk": [
+ "<1.6.1"
+ ],
+ "awxkit": [
+ "<5.0.0"
+ ],
+ "babel": [
+ "<2.9.1"
+ ],
"backend.ai": [
"<19.03.0b1",
"<19.03.0rc1",
@@ -309,6 +407,9 @@
"<4.2.2",
"<4.2.3"
],
+ "basxconnect": [
+ "<0.3.54"
+ ],
"bbcode": [
"<1.0.9"
],
@@ -317,8 +418,12 @@
"<1.6.4",
"<=1.11.0"
],
+ "beets": [
+ "<1.6.0"
+ ],
"benchexec": [
- "<2.2"
+ "<2.2",
+ "==2.1"
],
"bento-lib": [
"<3.0.1"
@@ -348,9 +453,6 @@
"birdhousebuilder-recipe-nginx": [
"<0.1.5"
],
- "birdhousebuilder.recipe.nginx": [
- "<0.1.5"
- ],
"bise.theme": [
"<2.4"
],
@@ -371,9 +473,8 @@
],
"bleach": [
"<2.1",
- "<3.1.1",
+ "<3.1.2",
"<=3.1.0",
- "<=3.1.1",
"<=3.1.3",
">=2.1,<2.1.3"
],
@@ -392,18 +493,17 @@
],
"bodhi": [
"<2.2.0",
- "<2.9.1"
+ "<2.9.1",
+ "<=2.9.0"
],
"bodhi-server": [
"<2.2.0"
],
- "bok-choy": [
- "<0.5.1"
- ],
"bokeh": [
"<1.0.4",
"<1.1.0",
- "<1.2.0"
+ "<1.2.0",
+ "<2.4.2"
],
"boss-cli": [
"<1.0.0a20",
@@ -424,15 +524,24 @@
"boussole": [
"<1.5.0"
],
+ "bpython-django": [
+ "<0.15"
+ ],
"brasil.gov.portal": [
"<1.5.1"
],
+ "brotli": [
+ "<1.0.8"
+ ],
"brume": [
"<2.0.2"
],
"bsblan": [
"<0.27"
],
+ "bsdiff4": [
+ "<1.2.0"
+ ],
"buildbot": [
"<1.3.0",
"<1.8.2",
@@ -463,15 +572,28 @@
"calcwave": [
"<1.2.6"
],
+ "calibreweb": [
+ "==0.6.6"
+ ],
"candig-server": [
"<0.9.0",
"<0.9.2",
"<1.0.2",
"<1.4.0"
],
+ "carla": [
+ "<0.9.9"
+ ],
"cartridge-braintree": [
"<1.2.2"
],
+ "cassandra-medusa": [
+ "<0.9.1"
+ ],
+ "castle-cms": [
+ "<2.6.1",
+ "<2.6.2"
+ ],
"catboost": [
"<0.26"
],
@@ -481,7 +603,15 @@
"ccf": [
"<0.7"
],
+ "cdk-ecr-deployment": [
+ "<0.0.60"
+ ],
+ "cedar-backup3": [
+ "<1.10",
+ "<3.6.0"
+ ],
"celery": [
+ "<5.2.0",
">=4.0,<4.0.1"
],
"cellxgene": [
@@ -491,6 +621,9 @@
"centrifuge": [
"<0.3.8"
],
+ "ceph-deploy": [
+ "<1.5.23"
+ ],
"certbot": [
"<0.34.0",
"<=0.34.0"
@@ -502,8 +635,7 @@
"<1.0.3"
],
"cfscrape": [
- ">=1.6.6,<1.7.1",
- ">=1.6.6,<=1.8"
+ ">=1.6.6,<1.8.0"
],
"cfstacks": [
"<0.4.4"
@@ -520,6 +652,9 @@
"chaosloader": [
"<1.0.0"
],
+ "charm-crypto": [
+ "==0.43"
+ ],
"charm-tools": [
"<2.6.0"
],
@@ -546,11 +681,15 @@
"cherrymusic": [
"<0.36.0"
],
+ "cherrypy": [
+ "<2.1.1"
+ ],
"chia": [
"<2.4.0"
],
"chia-blockchain": [
"<1.0b19",
+ "<1.0b27",
"<1.0beta10",
"<1.0beta14",
"<1.0beta8",
@@ -597,6 +736,12 @@
"clearsilver": [
"<0.10.5"
],
+ "cliboa": [
+ "<2.0.0beta"
+ ],
+ "clickhouse-driver": [
+ "<0.1.5"
+ ],
"client-sdk-python": [
"<4.7.0"
],
@@ -607,9 +752,6 @@
"<1.10.0",
"<1.9.3"
],
- "cloudinary": [
- "<1.0.21"
- ],
"cloudmarker": [
"<0.0.5"
],
@@ -623,11 +765,17 @@
"<4.1.0"
],
"cmsplugin-filer": [
- "<1.0.0"
+ "<0.10.2"
],
"cnx-publishing": [
"<0.17.6"
],
+ "coapthon": [
+ "==3.1",
+ "==4.0.0",
+ "==4.0.1",
+ "==4.0.2"
+ ],
"cobbler": [
">0"
],
@@ -639,6 +787,9 @@
"<0.5.12",
"<0.5.33"
],
+ "code42cli": [
+ "<1.3.0"
+ ],
"codecov": [
"<2.0.16",
"<2.0.17"
@@ -646,6 +797,10 @@
"codeforcesapipy": [
"<2.0.8"
],
+ "cohen3": [
+ "<0.8.3",
+ "<0.9.1"
+ ],
"coinbasepro": [
"<0.1.0"
],
@@ -656,11 +811,18 @@
"<5.2.1"
],
"colander": [
- "<1.7.0"
+ "<1.7.0",
+ "<=1.6"
],
"collective-contact-core": [
"<1.10"
],
+ "collective-easyform": [
+ "<3.0.5"
+ ],
+ "collective-indexing": [
+ "<2.1"
+ ],
"collective-noticeboard": [
"<0.7.1"
],
@@ -695,7 +857,8 @@
"<0.2.0"
],
"compliance-trestle": [
- "<0.15.0"
+ "<0.15.0",
+ "<0.26.0"
],
"concrete-datastore": [
"<1.22.0",
@@ -728,6 +891,7 @@
],
"container-service-extension": [
"<1.2.5",
+ "<1.2.7",
"<2.5.0b1"
],
"contentful": [
@@ -765,6 +929,9 @@
"coveralls": [
"<0.1.1"
],
+ "covert": [
+ "<0.2.1"
+ ],
"cplay-ng": [
"<1.50"
],
@@ -789,6 +956,9 @@
"<0.6.4",
"<20.12.3"
],
+ "croud": [
+ "<0.3.0"
+ ],
"crypt": [
"<0",
">0"
@@ -825,11 +995,16 @@
"cupy": [
"<7.0.0b2"
],
+ "cutty": [
+ "<0.14.0",
+ "<0.3.0"
+ ],
"dact": [
"<1.1.1"
],
"dash": [
- "<1.20.0"
+ "<1.20.0",
+ "<1.21.0"
],
"dash-bio": [
"<0.5.1"
@@ -840,12 +1015,18 @@
"dash-table": [
"<4.7.0"
],
+ "dask": [
+ "<2021.10.0"
+ ],
"database-sanitizer": [
"<1.1.0"
],
"datacube": [
"<1.6.2"
],
+ "datacube-ows": [
+ "<1.8.8"
+ ],
"datagristle": [
"<0.1.7"
],
@@ -853,6 +1034,8 @@
"<0.6.0"
],
"datasette": [
+ "<0.29.1",
+ "<0.44",
"<0.46",
"<0.55",
"<0.56.1",
@@ -880,7 +1063,7 @@
"==0.1a0"
],
"dateable-chronos": [
- "<0.7.2"
+ "<0.8"
],
"dateable.chronos": [
"<0.7.2"
@@ -888,10 +1071,22 @@
"datera-cinder": [
"<2018.10.30.0"
],
+ "datumaro": [
+ "<0.1.10"
+ ],
"dawgie": [
"<1.2.3",
"<1.2.9"
],
+ "dbcat": [
+ "<0.3.1"
+ ],
+ "dbt-core": [
+ "<0.20.0rc1"
+ ],
+ "dbtos3": [
+ "<0.0.2a0"
+ ],
"ddtrace": [
"<0.11.0"
],
@@ -945,7 +1140,11 @@
"<0.12.7",
"<0.14.0",
"<0.16.0.dev0",
- "<0.16.4"
+ "<0.16.4",
+ "<0.17.0rc0"
+ ],
+ "devito": [
+ "<4.3-beta"
],
"devpi-ldap": [
"<2.0.0"
@@ -1004,6 +1203,7 @@
"<1.2.7",
"<1.3.2",
"<1.3.4",
+ "<1.4.14",
"<1.4.18",
"<1.4.20",
"<1.7.11",
@@ -1030,7 +1230,6 @@
"==2.1.8",
"==2.2.1",
"==2.2.17",
- "==2.2.18",
"==2.2.2",
"==2.2.23",
"==2.2.3",
@@ -1039,16 +1238,16 @@
"==2.2.9",
"==3.0",
"==3.0.11",
- "==3.0.12",
"==3.0.2",
"==3.1.11",
"==3.1.5",
- "==3.1.6",
"==3.2.3",
+ ">1.6,<1.6b2",
">=1.1,<1.1.1",
">=1.10,<1.10.3",
">=1.10,<1.10.7",
">=1.10,<1.10rc1",
+ ">=1.10.0a1,<1.10.7",
">=1.10.7,<1.10.8",
">=1.11,<1.11.28",
">=1.11,<1.11.5",
@@ -1068,35 +1267,43 @@
">=1.4,<1.4.21",
">=1.4,<1.4.22",
">=1.4,<1.4.4",
+ ">=1.4,<1.4.6",
">=1.4,<1.4.8",
">=1.5,<1.5.1",
+ ">=1.5,<1.5.2",
">=1.5,<1.5.4",
+ ">=1.5,<1.5.9",
">=1.5,<1.6",
">=1.5,<1.7",
">=1.6,<1.6-beta-4",
">=1.6,<1.6.10",
">=1.6,<1.6.11",
+ ">=1.6,<1.6.6",
+ ">=1.6,<1.6b2",
">=1.7,<1.7.10",
">=1.7,<1.7.3",
">=1.7,<1.7.7",
">=1.7,<1.7.9",
+ ">=1.7,<1.7rc3",
">=1.8,<1.8.16",
- ">=1.8,<1.8.18",
">=1.8,<1.8.2",
">=1.8,<1.8.3",
">=1.8,<1.8.4",
">=1.8,<1.8.7",
">=1.8,<1.8b2",
">=1.8,<1.8c1",
+ ">=1.8.0,<1.8.18",
+ ">=1.8.0a1,<1.8.18",
">=1.8a1 ,<1.8.19",
">=1.8a1,<1.8c1",
">=1.9,<1.9.10",
">=1.9,<1.9.11",
- ">=1.9,<1.9.13",
">=1.9,<1.9.2",
">=1.9,<1.9.3",
">=1.9,<1.9.8",
">=1.9,<1.9rc2",
+ ">=1.9.0,<1.9.13",
+ ">=1.9.0a1,<1.9.13",
">=2.0a1,<2.0.10",
">=2.0a1,<2.0.11",
">=2.0a1,<2.0.2",
@@ -1106,6 +1313,7 @@
">=2.1,<2.1.15",
">=2.1,<2.1.9",
">=2.1.0,<2.1.11",
+ ">=2.1a0,<2.1.9",
">=2.1a1,<2.1.5",
">=2.2,<2.2.10",
">=2.2,<2.2.18",
@@ -1115,7 +1323,9 @@
">=2.2.0,<2.2.11",
">=2.2.0,<2.2.4",
">=2.2.0a1,<2.2.24",
+ ">=2.2a0,<2.2.2",
">=2.2a1,<2.2.13",
+ ">=2.2a1,<2.2.19",
">=2.2a1,<2.2.20",
">=2.2a1,<2.2.22",
">=3.0,<3.0.12",
@@ -1123,12 +1333,14 @@
">=3.0.0,<3.0.4",
">=3.0.0a1,<3.1.12",
">=3.0a1,<3.0.1",
+ ">=3.0a1,<3.0.13",
">=3.0a1,<3.0.14",
">=3.0a1,<3.0.7",
">=3.0a1,<3.1.12",
">=3.1,<3.1.13",
">=3.1,<3.1.6",
">=3.1a1,<3.1.10",
+ ">=3.1a1,<3.1.7",
">=3.1a1,<3.1.8",
">=3.1a1,<3.1.9",
">=3.2,<3.2.1",
@@ -1149,6 +1361,9 @@
"django-airplane": [
"<0.3"
],
+ "django-ajax-datatable": [
+ "<4.1.4"
+ ],
"django-allauth": [
"<0.28.0",
"<0.34.0",
@@ -1160,9 +1375,6 @@
"django-anonymizer": [
"<0.4"
],
- "django-anonymizer-compat": [
- "<0.4"
- ],
"django-anymail": [
"<1.4",
">=0.2,<1.4"
@@ -1186,6 +1398,7 @@
"django-ca": [
"<1.10.0",
"<1.17.0",
+ "<1.19.0",
"<1.9.0"
],
"django-celery-results": [
@@ -1219,16 +1432,10 @@
"django-crispy-forms": [
"<1.1.4"
],
- "django-crispy-forms-ng": [
- "<0.9.0"
- ],
"django-crm": [
"<=0.2",
"==0.2.1"
],
- "django-dajaxice-me": [
- "<0.1.7"
- ],
"django-dajaxice-ng": [
"<0.1.7"
],
@@ -1258,9 +1465,6 @@
"django-fiber": [
"<0.9.9.1"
],
- "django-filebrowser-no-grappelli-staff": [
- "<3.4.2"
- ],
"django-filter": [
"<2.4.0"
],
@@ -1289,6 +1493,10 @@
"django-heartbeat": [
"<2.0.3"
],
+ "django-helpdesk": [
+ "<0.3.1",
+ "<0.3.2"
+ ],
"django-hijack": [
"<1.0.7"
],
@@ -1327,6 +1535,9 @@
"django-lfs": [
"<0.6.9"
],
+ "django-magiclink": [
+ "<1.0.4"
+ ],
"django-mail-auth": [
"<0.1.3"
],
@@ -1344,12 +1555,6 @@
"<0.9.0",
"<1.5.1"
],
- "django-material-orange": [
- "<0.9.0"
- ],
- "django-material-saldoo": [
- "<0.9.0"
- ],
"django-modern-rpc": [
"<0.8.1"
],
@@ -1381,6 +1586,17 @@
"<0.1.13",
"<0.1.18"
],
+ "django-pagetree": [
+ "<1.0.4",
+ "<1.0.7",
+ "<1.1.8"
+ ],
+ "django-patchwork": [
+ "==2.1.0:rc1",
+ "==2.1.0:rc2",
+ ">=1.1,<2.0.4",
+ ">=2.1.0,<2.1.4"
+ ],
"django-perms-provisioner": [
"<0.0.4"
],
@@ -1442,6 +1658,10 @@
"django-session-security": [
"<2.4.0"
],
+ "django-silk": [
+ "<0.4",
+ "<4.0.0"
+ ],
"django-smart-lists": [
"<1.0.26"
],
@@ -1470,6 +1690,9 @@
"django-tastypie": [
"<0.9.10"
],
+ "django-trench": [
+ "<0.2.3"
+ ],
"django-triggers": [
"<2.0.13"
],
@@ -1482,6 +1705,11 @@
"django-uni-form": [
"<0.9.0"
],
+ "django-unicorn": [
+ "<0.29.0",
+ "<0.36.0",
+ "<0.36.1"
+ ],
"django-urlconf-export": [
"<1.1.1"
],
@@ -1537,6 +1765,9 @@
"<1.3.2",
"<1.5.1"
],
+ "djem": [
+ "<0.6"
+ ],
"djoser": [
"<0.7.0",
"<1.3.2",
@@ -1564,6 +1795,7 @@
"<1.2.65"
],
"doccano": [
+ "<1.0.1",
"<1.0.3"
],
"docker": [
@@ -1608,6 +1840,9 @@
"drf-jwt": [
">=1.15.0,<1.15.1"
],
+ "drf-renderer-xlsx": [
+ "<0.4.1"
+ ],
"drf-tracking": [
"<1.3.0"
],
@@ -1624,12 +1859,21 @@
"dulwich": [
"<0.9.920150320"
],
+ "dynamixel-sdk": [
+ "<=3.7.11"
+ ],
"dynamo-release": [
"<0.99"
],
"easy-install": [
"<0.7"
],
+ "easy-xml": [
+ "==0.5.0"
+ ],
+ "ebookmaker": [
+ "<0.11.14"
+ ],
"ec2-metadata": [
"<2.2.0"
],
@@ -1640,12 +1884,18 @@
"edapy": [
"<0.3.0"
],
+ "edrn-sync": [
+ "<1.0.5"
+ ],
"edrnsite.policy": [
"<1.0.5"
],
"edx-ecommerce-worker": [
"==0.8.2"
],
+ "edx-proctoring": [
+ "<4.1.0"
+ ],
"egon": [
"<0.4.1"
],
@@ -1656,9 +1906,15 @@
"elastic-apm": [
"<5.1.0"
],
+ "electrumsv-secp256k1": [
+ "<8.0.0"
+ ],
"electrumx": [
"<1.4.1"
],
+ "elkm1": [
+ "<1.0.0"
+ ],
"elyra": [
"<2.2.3",
"<2.3.0b0",
@@ -1667,6 +1923,9 @@
"emcache": [
"<1.3.6"
],
+ "emesene": [
+ "<1.6.2"
+ ],
"emitter-io": [
"<2.704"
],
@@ -1680,6 +1939,9 @@
"<3.1.2",
"<3.1.4"
],
+ "enrocrypt": [
+ "<1.1.4"
+ ],
"entente": [
"<0.11.0"
],
@@ -1703,7 +1965,8 @@
"<1.50"
],
"esphome": [
- "<1.15.0b1"
+ "<1.15.0b1",
+ "<=2021.9.1"
],
"esptool": [
"<2.5.0"
@@ -1765,6 +2028,9 @@
"<14.0.0",
"<16.0.0"
],
+ "extractor": [
+ "<0.5.13"
+ ],
"eyed3": [
"<0.6.18"
],
@@ -1797,6 +2063,7 @@
"<0.3.1"
],
"fastecdsa": [
+ "<2.1.2",
"<2.1.5"
],
"featureserver": [
@@ -1851,8 +2118,6 @@
],
"flask-admin": [
"<1.3.0",
- "<1.5.2",
- "<1.5.3",
"<=1.5.2"
],
"flask-api-tools": [
@@ -1866,6 +2131,7 @@
"<1.9.3",
"<2.2.2",
"<2.2.4",
+ "<3.1.1",
"<3.2.2",
"<=3.2.3"
],
@@ -1924,7 +2190,7 @@
"<1.8.1"
],
"flask-security-too": [
- ">0.0.1a1",
+ ">0",
">=3.3.0rc1,<3.4.5"
],
"flask-sieve": [
@@ -1943,6 +2209,10 @@
"flask-user": [
"<=1.0.2.2"
],
+ "flask-wtf": [
+ "<0.9.3",
+ "<0.9.5"
+ ],
"flatplan": [
"<1.2.0"
],
@@ -2014,11 +2284,18 @@
"galaxy-importer": [
"<0.2.15"
],
+ "gallery-dl": [
+ "<1.5.3"
+ ],
"gandi.cli": [
"<0.10"
],
"gdal": [
- "<3.1.0"
+ "<1.10.0",
+ "<1.11.0",
+ "<2.3.0",
+ "<3.1.0",
+ "<3.3.3"
],
"gds-django-jet": [
"<1.0.4"
@@ -2056,6 +2333,9 @@
"geventhttpclient": [
"<1.2.0"
],
+ "gimpformats": [
+ "<2021"
+ ],
"gino-quart": [
"<0.1.1b2",
"<0.1.1b4"
@@ -2067,6 +2347,9 @@
"<2.2.0",
"<2.5.0"
],
+ "git-big-picture": [
+ "<1.0.0"
+ ],
"git-portfolio": [
"<0.10.1"
],
@@ -2078,7 +2361,8 @@
],
"glances": [
"<3.2.0",
- "<3.2.1"
+ "<3.2.1",
+ "<3.2.4"
],
"glooey": [
"<0.3.5"
@@ -2089,6 +2373,9 @@
"gns3-gui": [
"<1.5.1"
],
+ "gns3-server": [
+ "<2.1.17"
+ ],
"gnupg": [
"<0.3.5",
"==0.3.5",
@@ -2127,6 +2414,9 @@
"graphrepo": [
"<0.1.8"
],
+ "graphscope": [
+ "<0.7.0"
+ ],
"graphtransliterator": [
"<1.1.2"
],
@@ -2138,7 +2428,8 @@
],
"gsutil": [
"<3.41",
- "<5.0"
+ "<5.0",
+ "<5.2"
],
"guillotina": [
"<4.5.8",
@@ -2166,6 +2457,9 @@
"hashers": [
"<0.2.11"
],
+ "hassmart-homeassistant": [
+ "<0.67.0"
+ ],
"heedy": [
"<0.3.0a1"
],
@@ -2175,6 +2469,9 @@
"hhpy": [
"<0.1.8"
],
+ "hisock": [
+ "<1.0"
+ ],
"hivemind": [
"<0.9.5"
],
@@ -2189,6 +2486,9 @@
">=0.56,<0.73.2",
">=0.98,<0.98.5"
],
+ "hooktest": [
+ "<1.3.1"
+ ],
"horizon": [
"<15.3.2",
">=16.0.0.0b1,<16.2.1",
@@ -2208,12 +2508,15 @@
"<1.0",
"<1.4"
],
+ "html-to-csv": [
+ ">0"
+ ],
"html5": [
"<0.99999999"
],
"html5lib": [
"<0.99999999",
- ">1.0,<1.0b8"
+ ">=1.0b1,<1.0b9"
],
"httpauth": [
"<0.2"
@@ -2236,8 +2539,8 @@
"httpsig-cffi": [
"<1.0.0"
],
- "httpx-gssapi": [
- "<0.6"
+ "httpx-socks": [
+ "<0.7.2"
],
"hub": [
"<0.9.0"
@@ -2262,6 +2565,9 @@
"hyper-kube-config": [
"<0.6.1"
],
+ "hyperkitty": [
+ "<1.3.4"
+ ],
"hypothesis": [
"<3.69.8"
],
@@ -2271,9 +2577,16 @@
"idchecker": [
"<1.1.1"
],
+ "ihatemoney": [
+ "<4.1.5",
+ "<5.0.0"
+ ],
"im": [
"<1.5.0"
],
+ "imageedit": [
+ "<2021"
+ ],
"imageio": [
"<2.6.0"
],
@@ -2283,6 +2596,9 @@
"impalacli": [
"<0.1.6"
],
+ "in-toto": [
+ "<1.0.1"
+ ],
"indico": [
"<2.0.2",
"<2.2.8",
@@ -2297,7 +2613,12 @@
">=2.2.0,<2.2.3",
">=2.2.0,<2.2.4"
],
+ "indy-node": [
+ "==1.12.2"
+ ],
"influx-prompt": [
+ "<0.0.3",
+ "<0.1.0",
"<1.0.1"
],
"infracheck": [
@@ -2318,6 +2639,9 @@
"intelmq": [
"<=2.1.1"
],
+ "intelmq-manager": [
+ ">=1.1.0,<2.1.1"
+ ],
"interpret-community": [
"<0.12.1"
],
@@ -2327,8 +2651,7 @@
"<1.0.2",
"<1.1.2",
"<2.0.5",
- ">=2.0.0,<2.0.6",
- ">=2.1.0,<2.1.1"
+ "<2.0.6"
],
"invenio-admin": [
"<1.0.1",
@@ -2341,8 +2664,15 @@
"invenio-app-ils": [
"<1.0.0a28"
],
+ "invenio-communities": [
+ "<1.0.0a20"
+ ],
+ "invenio-previewer": [
+ "<1.0.0a12"
+ ],
"invenio-records": [
- "<1.0.2"
+ "<1.0.2",
+ "<1.2.2"
],
"invenio-search": [
"<0.1.3"
@@ -2422,6 +2752,12 @@
"<2.7.2",
"<2.7.3"
],
+ "jinjafx": [
+ "<1.3.4",
+ "<1.5.0",
+ "<1.6.1",
+ "<1.7.0"
+ ],
"jnitrace": [
"<1.0.6",
"<2.2.1",
@@ -2433,6 +2769,10 @@
"js-videojs": [
"<4.12.5"
],
+ "json2xml": [
+ "<3.0.0",
+ "<3.8.0"
+ ],
"jsoneditor": [
"<2.2.2",
"<9.0.2"
@@ -2463,7 +2803,10 @@
"<0.2.0",
"<1.0.6",
"<1.1.0",
- "<1.10.2"
+ "<1.1.1",
+ "<1.10.2",
+ "<1.12.0",
+ "<1.6.2"
],
"jupyterhub": [
"<=0.2"
@@ -2488,6 +2831,9 @@
"<1.0.2",
"<2.0.1"
],
+ "jupyterquiz": [
+ "<1.7.5"
+ ],
"jupytext": [
"<1.10.3",
"<1.11.3",
@@ -2497,6 +2843,9 @@
"jw.util": [
"<2.3"
],
+ "jwcrypto": [
+ "<0.3.2"
+ ],
"jwql": [
"<0.16.0"
],
@@ -2510,6 +2859,9 @@
"kalliope": [
"<0.5.3"
],
+ "kandinsky": [
+ "<1.4"
+ ],
"karlovic": [
"<0.1.3beta"
],
@@ -2534,12 +2886,21 @@
"<3.0.0",
"<3.3.0"
],
+ "keepkey": [
+ "<6.6.0"
+ ],
"keplergl": [
- "<2.4.0"
+ "<0.3.1"
],
"keras": [
"<2.6.0rc3"
],
+ "kerberos": [
+ ">0"
+ ],
+ "kerko": [
+ ">=0.7,<0.7.1"
+ ],
"keyring": [
"<0.10",
"<0.9.1",
@@ -2554,10 +2915,15 @@
">0"
],
"keystonemiddleware": [
+ "<0.11.0",
"<1.5.4",
"<1.6.0",
+ ">=1.0.0,<1.2.0",
">=2.0,<2.3.3"
],
+ "kglab": [
+ "<0.4.1"
+ ],
"khoros": [
"<2.2.0",
"<3.5.0",
@@ -2606,6 +2972,9 @@
"knowledge-repo": [
"<0.8.0"
],
+ "kombu": [
+ "<5.2.1"
+ ],
"kotti": [
"<1.3.2"
],
@@ -2636,6 +3005,9 @@
"kytos-utils": [
"<2019.1b3"
],
+ "ladon": [
+ "==0.6.1"
+ ],
"lambda-tools": [
"<0.1.2"
],
@@ -2672,8 +3044,11 @@
"<2.4"
],
"lemur": [
- "<0.1.5",
- "<0.9.0"
+ "<0.9.0",
+ "==0.1.4"
+ ],
+ "lg-rez": [
+ "<2.1.4"
],
"libhxl": [
"<4.21.3"
@@ -2681,11 +3056,17 @@
"libtaxii": [
"<1.1.105"
],
+ "lief": [
+ "<0.11.4"
+ ],
"lifx-control-panel": [
"<1.5.4",
"<1.6.3",
"<1.7.6"
],
+ "limnoria": [
+ "<2019.11.09"
+ ],
"lin-cms": [
"<0.2.0b1"
],
@@ -2703,7 +3084,10 @@
"<2.0.3"
],
"localstack": [
- "<0.12.15"
+ "<0.12.14",
+ "<0.12.15",
+ "<0.12.17",
+ ">0"
],
"locopy": [
"<0.3.8"
@@ -2748,7 +3132,6 @@
"<2.1.14rc1",
"<2.1.20",
"<2.1.28",
- "<2.1.31",
"<=2.1.26"
],
"mako": [
@@ -2767,7 +3150,6 @@
],
"markdown2": [
"<1.0.1.14",
- "<1.0.1.15",
"<2.3.5",
"<=2.3.8",
">=1.0.1.18,<2.4.0"
@@ -2799,10 +3181,15 @@
"<0.7.1"
],
"matrix-sydent": [
- "<1.0.2"
+ "<1.0.2",
+ "<2.3.0"
],
"matrix-synapse": [
- "<1.33.2"
+ "<1.28.0",
+ "<1.33.2",
+ "<1.47.1",
+ ">0.24.0,<1.28.0",
+ ">=0.17.0,<1.28.0"
],
"matrixctl": [
"<0.10.0"
@@ -2820,6 +3207,9 @@
"<3.0.2",
"<3.0.3"
],
+ "md4c": [
+ "<1.0.0"
+ ],
"mdbackup": [
"<0.2.0"
],
@@ -2832,6 +3222,9 @@
"megalib": [
"<0.9.5alpha"
],
+ "mei2volpiano": [
+ "<0.8.0"
+ ],
"meinheld": [
"<1.0.2"
],
@@ -2842,19 +3235,21 @@
"<1.1.1"
],
"metpx-sarracenia": [
- "<2.20.04b2"
+ "<2.20.4b2"
],
"metron-tagger": [
"<1.0.7"
],
"mezzanine": [
+ "<0.10.5",
+ "<0.5.2",
+ "<1.4.8",
"<4.3.0"
],
"mgp2pdf": [
"<0.10"
],
"mi": [
- "<0.1",
"<0.2",
"<0.4.2",
"<1.0a3",
@@ -2886,6 +3281,9 @@
"miniwdl": [
"<0.6.0"
],
+ "mirahezebot-plugins": [
+ ">=9.0.0,<9.0.2"
+ ],
"misago": [
"<0.19.4"
],
@@ -2911,9 +3309,12 @@
],
"mitmproxy": [
"<0.17",
+ "<4.0.0",
"<4.0.3",
"<4.0.4",
- "<5.0"
+ "<5.0",
+ "<5.0.0",
+ "<7.0.3"
],
"mitogen": [
"<0.2.8"
@@ -2925,15 +3326,15 @@
"<1.0.0",
"<7.0.6"
],
- "mkdocs-table-reader-plugin": [
- "<0.2"
- ],
"ml-versioning-tools": [
"<2.0.1"
],
"mlalchemy": [
"<0.2.2"
],
+ "mlconjug3": [
+ "<3.7.16"
+ ],
"mlf-core": [
"<1.10.0"
],
@@ -2944,13 +3345,21 @@
"<2.1.3"
],
"moin": [
+ "<1.1",
"<1.6.1",
+ "<1.8.7",
"<1.9.10",
- "<2.2.2"
+ "<1.9.3",
+ "==1.9.8",
+ ">1.8.7,<1.9.2",
+ ">=1.9.0,<1.9.1"
],
"mollie-api-python": [
"<2.0.4"
],
+ "money-to-prisoners-common": [
+ "<12.0.1"
+ ],
"monoshape": [
"<1.2"
],
@@ -2966,6 +3375,9 @@
"mosql": [
"<0.10"
],
+ "motionblinds": [
+ "<0.5.7"
+ ],
"moto": [
"<1.3.7"
],
@@ -2998,6 +3410,9 @@
"msticpy": [
"<1.1.0"
],
+ "mstr-rest-requests": [
+ "<0.12.4"
+ ],
"mtga": [
"<2.0.0beta"
],
@@ -3019,6 +3434,9 @@
"mxnet": [
"<1.0.0"
],
+ "mypwd": [
+ "<0.4.0"
+ ],
"mysql-connector": [
"<2.1.3"
],
@@ -3089,6 +3507,9 @@
"netviel": [
"<0.2"
],
+ "neuromynerva": [
+ "<0.2.12"
+ ],
"neutron": [
"<16.4.1",
"==18.0.0",
@@ -3123,6 +3544,9 @@
"nimview": [
"<0.1.2"
],
+ "nipyapi": [
+ "<0.16.2"
+ ],
"njmls": [
"<0.0.3"
],
@@ -3152,12 +3576,17 @@
"<0.1.1",
"<0.1.2"
],
+ "nornir": [
+ "<3.2.0"
+ ],
"notable": [
"<0.0.6"
],
"notebook": [
"<4.0.5",
"<5.4.1",
+ "<5.7.1",
+ "<5.7.2",
"<5.7.3",
"<5.7.6",
"<5.7.8",
@@ -3184,9 +3613,6 @@
"nox-poetry": [
"<0.8.2"
],
- "nrel-rex": [
- "<0.2.16"
- ],
"nsupdate": [
"<0.3.0",
"<0.8.0",
@@ -3198,6 +3624,11 @@
"nukikata": [
"<1.4.0"
],
+ "null": [
+ "<2.4.4",
+ ">=2.5.0rc0,<2.5.2",
+ ">=2.6.0rc0,<2.6.1"
+ ],
"numba": [
"<0.49.0"
],
@@ -3253,7 +3684,14 @@
"oic": [
"<1.2.1"
],
+ "okdata-cli": [
+ "<0.12.1"
+ ],
+ "omero-figure": [
+ "<4.4.1"
+ ],
"omero-web": [
+ "<5.11.0",
"<5.9.0"
],
"omnizart": [
@@ -3261,7 +3699,8 @@
],
"onefuzz": [
"<2.5.0",
- "<2.7.0"
+ "<2.7.0",
+ ">=2.12.0,<2.31.0"
],
"onegov.form": [
"<0.16.1"
@@ -3281,6 +3720,9 @@
"ooniprobe": [
"<1.0.2"
],
+ "opacus": [
+ "<0.12.0"
+ ],
"openapi-core": [
"<0.13.0"
],
@@ -3306,7 +3748,10 @@
],
"openvino": [
"<2020.3.1",
- "<2021.2"
+ "<2021.2",
+ "<2021.3",
+ "<2021.4.0",
+ "<2022.1"
],
"openxc": [
"<0.15.0"
@@ -3353,6 +3798,9 @@
"owslib": [
"==0.24.1"
],
+ "paco-models": [
+ "<7.8.5"
+ ],
"pact-python": [
"<1.3.6",
"<1.3.7"
@@ -3429,7 +3877,9 @@
"<1.3.3"
],
"pcp": [
- "<2.1.911"
+ "<2.1.911",
+ "<4.3.4",
+ "<5.2.2"
],
"pdfextract": [
"<0.0.2"
@@ -3444,12 +3894,18 @@
"peewee": [
"<2.10.0"
],
+ "pelutils": [
+ "<0.6.0"
+ ],
"peppercorn": [
"<0.5"
],
"persephone": [
"<0.4.0"
],
+ "petl": [
+ "<1.6.8"
+ ],
"pex": [
"<0.5.6",
"<0.8.0"
@@ -3475,9 +3931,6 @@
"pi-mqtt-gpio": [
"<0.5.2"
],
- "pib-cli": [
- "<0.0.9"
- ],
"piccolo": [
"<0.13.1",
"<0.2",
@@ -3520,6 +3973,7 @@
"<8.3.0",
"<=7.0.0",
">6.0,<6.2.2",
+ ">=2.5.0,<2.5.2",
">=5.2.0,<8.3.2",
">=7.0.0,<7.0.1",
">=7.1.0,<8.3.2"
@@ -3552,15 +4006,24 @@
"pipenv": [
"<2020.5.28"
],
+ "pipenv-setup": [
+ "<3.1.4"
+ ],
"pirate-get": [
"<0.2.8"
],
+ "pirxcypinger": [
+ "<3.2"
+ ],
"pkgcore": [
"<0.4.7.12"
],
"platformio": [
"<4.1.0"
],
+ "plex-mpv-shim": [
+ "<1.10.01"
+ ],
"plomino": [
"<1.18",
"<1.5.3"
@@ -3598,6 +4061,7 @@
">=4.3,<=4.3.2",
">=4.3,<=5.2.0",
">=4.3,<=5.2.1",
+ ">=4.3a1,<4.3b1",
">=5.0,<5.1rc1",
">=5.0,<=5.2.1",
">=5.0.0,<=5.2.4",
@@ -3607,7 +4071,8 @@
"<1.1.7"
],
"plone-app-contenttypes": [
- "<1.2.15"
+ "<1.2.15",
+ "<2.1.6"
],
"plone-app-discussion": [
"<2.4.14"
@@ -3615,22 +4080,38 @@
"plone-app-event": [
"<3.0"
],
+ "plone-app-layout": [
+ "<2.5.1",
+ "<3.4.1",
+ "<4.0.0a2"
+ ],
+ "plone-app-linkintegrity": [
+ "<1.0.2"
+ ],
"plone-app-theming": [
- "<4.1.6",
- "<5.0.0a1"
+ "<4.1.6"
],
"plone-app-users": [
"<1.0.5"
],
+ "plone-app-z3cform": [
+ "<0.5.4"
+ ],
"plone-dexterity": [
"<2.3.0"
],
"plone-portlet-static": [
"<1.2"
],
+ "plone-restapi": [
+ "<8.4.0"
+ ],
"plone-supermodel": [
"<1.6.3"
],
+ "plone-testing": [
+ "<6.1.0"
+ ],
"plone.app.content": [
"<3.3.1",
"<3.8.1",
@@ -3663,9 +4144,6 @@
"plone.app.linkintegrity": [
"<1.0.2"
],
- "plone.app.theming": [
- "<4.1.6"
- ],
"plone.dexterity": [
"<2.3.0"
],
@@ -3710,32 +4188,31 @@
"<4.2.1",
"<4.2.2"
],
+ "plumpy": [
+ "<0.20.0"
+ ],
"plusminus": [
"<0.3.0"
],
+ "pm4py": [
+ "<2.2.13.1",
+ "<2.2.4"
+ ],
"pmr2.oauth": [
"<0.4.2"
],
"podder-task-base": [
"<0.4.0"
],
- "podman": [
- "<0.11.1",
- "<0.12.1.1",
- "<3.0.0"
- ],
- "podman-py": [
- "<0.11.1",
- "<0.12.1.1",
- "<1.9.0rc2",
- "<3.0.0"
- ],
"pokedex.py": [
"<1.1.2"
],
"polemarch": [
"<1.2.1"
],
+ "pollbot": [
+ "<1.4.4"
+ ],
"polyaxon": [
"<0.4.1",
"<0.4.3",
@@ -3752,22 +4229,30 @@
"pootle": [
"<2.8.0rc5",
"<2.8.0rc6",
- ">=2.6,<2.7.3"
+ ">=2.7.0,<2.7.3"
],
"portray": [
"<1.6.0"
],
"postfix-mta-sts-resolver": [
+ "<0.5.1",
"<0.6.1"
],
+ "postorius": [
+ "<1.3.5"
+ ],
"posty": [
"<2.1.0"
],
"ppgan": [
"<0.1.3"
],
+ "predictionio": [
+ "<0.12.1"
+ ],
"prefect": [
"<0.12.6",
+ "<0.15.8",
"<0.5.1"
],
"press": [
@@ -3786,12 +4271,18 @@
"<3.4.1",
"<3.6"
],
+ "products-btreefolder2": [
+ "<2.13.4"
+ ],
"products-cmfcore": [
"<2.1.0beta2"
],
"products-ploneformgen": [
"<1.8.1"
],
+ "products-plonepas": [
+ "<3.9"
+ ],
"products-zopetree": [
"<1.3"
],
@@ -3803,9 +4294,14 @@
"<2.3.0beta"
],
"products.cmfplone": [
+ "<4.3.20",
"<5.1b1",
"<5.2.2",
- "<5.2.2rc1"
+ "<5.2.2rc1",
+ "<5.2.5",
+ ">4.3.20,<5.1.7",
+ ">5.1.7,<5.2.5",
+ ">5.2.5,<6.0.0a1.dev0"
],
"products.cmfquickinstallertool": [
"<3.0.14"
@@ -3824,10 +4320,11 @@
],
"products.ldapuserfolder": [
"<2.19",
- "==2.9"
+ "<2.20"
],
"products.ploneformgen": [
- "<1.8.1"
+ "<1.7.19",
+ ">=1.8.0.alpha1,<1.8.1"
],
"products.plonepas": [
">3.2.2,<3.9"
@@ -3850,16 +4347,26 @@
"<0.8.0",
"<0.9.0"
],
+ "proxy.py": [
+ "<2.3.1"
+ ],
"psd-tools": [
"<1.8.31",
+ "<1.9.4",
">=1.8.37,<=1.9.3"
],
+ "psd-tools3": [
+ "<1.9.1"
+ ],
"psiz": [
"<0.4.1"
],
"psutil": [
"<=5.6.5"
],
+ "psycopg": [
+ "<3.0.4"
+ ],
"ptah": [
"<0.3.3"
],
@@ -3868,6 +4375,7 @@
],
"pulpcore": [
"<3.11.0",
+ "<3.14.6",
"<3.15.0"
],
"pulumi-kubernetes": [
@@ -3917,35 +4425,40 @@
"py-espeak-ng": [
"<1.49.0"
],
+ "py-evm": [
+ "<0.2.0a33"
+ ],
"py-gfm": [
"<0.28.3.gfm.12"
],
"py-hiverunner": [
"<5.0.0"
],
+ "py-mini-racer": [
+ "<0.3.0"
+ ],
"py-mon": [
"<1.18.7"
],
"py-ms": [
"<1.0.1"
],
- "py-nightscout": [
- "<0.10.2",
- "<0.10.3",
- "<0.11.0",
- "<0.11.1",
- "<0.12.0",
- "<13.0.0"
- ],
"py-rate": [
"<0.3.0"
],
"py-steamcmd-wrapper": [
"<1.0.6"
],
+ "py42": [
+ "<1.17.0",
+ "<1.5.1"
+ ],
"pyamf": [
"<0.8"
],
+ "pyanchor": [
+ "<0.5.2"
+ ],
"pyanyapi": [
"<0.6.1"
],
@@ -3953,7 +4466,12 @@
"<4.5.0"
],
"pyarmor": [
- "<5.1.2"
+ "<5.1.2",
+ "<6.3.0",
+ "<6.3.4",
+ "<6.4.0",
+ "<6.6.2",
+ "<6.7.0"
],
"pybald": [
"<0.5.6"
@@ -3964,6 +4482,12 @@
"pybible-cli": [
"<1.1.2"
],
+ "pybluemonday": [
+ "<0.0.8"
+ ],
+ "pyboolector": [
+ "<3.0.0"
+ ],
"pyca": [
"<3.3"
],
@@ -4004,6 +4528,7 @@
],
"pycryptodome": [
"<3.10.3",
+ "<3.11.0",
"<3.6.6"
],
"pycsw": [
@@ -4029,6 +4554,9 @@
"pyforce": [
"<1.8.0"
],
+ "pyfribidi": [
+ "<0.11.0"
+ ],
"pyfrost": [
"<0.2.1"
],
@@ -4037,9 +4565,6 @@
"<0.5.1",
"<0.5.2"
],
- "pygopherd": [
- "<0.9.0"
- ],
"pygresql": [
"<4.0"
],
@@ -4058,7 +4583,8 @@
],
"pyjwt": [
"<1.0.0",
- "<1.5.1"
+ "<1.5.1",
+ "<=1.5.0"
],
"pykarotz": [
"==12.07.19.00"
@@ -4066,6 +4592,9 @@
"pykechain": [
"<2.5.4"
],
+ "pykmip": [
+ "<0.8.0"
+ ],
"pylabnet": [
"<0.3.0"
],
@@ -4141,7 +4670,8 @@
],
"pypiserver": [
"<1.1.7",
- "<1.2.6"
+ "<1.2.6",
+ "<=1.2.5"
],
"pyplanet": [
"<0.6.2",
@@ -4158,7 +4688,8 @@
">=0.0.0"
],
"pyrad": [
- "<0.6"
+ "<0.6",
+ "<2.1"
],
"pyradiomics": [
"<1.1.1"
@@ -4173,6 +4704,9 @@
"<1.6a1",
"<1.6a2"
],
+ "pyramid-ldap3": [
+ "<0.3.2"
+ ],
"pyramid-odesk": [
"<1.1.2"
],
@@ -4183,6 +4717,7 @@
"<3.15"
],
"pyro4": [
+ "<4.62",
"<4.72"
],
"pyrocko": [
@@ -4219,10 +4754,8 @@
"<2.0.1"
],
"pysstv": [
- "<0.5"
- ],
- "pysys": [
- "<2.0"
+ "<0.5",
+ "<0.5.2"
],
"pytablewriter": [
"<0.47.0"
@@ -4261,35 +4794,165 @@
"<0.1.2"
],
"python": [
+ "<2.4.6",
"<2.5.2",
"<2.5.3",
+ "<2.5.5",
"<2.5.6c1",
+ "<2.6",
+ "<2.6.6",
+ "<2.6.7",
"<2.6.8",
+ "<2.6.9",
+ "<2.7.10",
"<2.7.12",
+ "<2.7.13",
+ "<2.7.14",
+ "<2.7.15",
+ "<2.7.16",
+ "<2.7.17",
+ "<2.7.18",
+ "<2.7.18rc1",
+ "<2.7.3",
+ "<2.7.7",
+ "<2.7.8",
+ "<2.7.9",
+ "<3.2.5",
+ "<3.4.0",
+ "<3.5.10",
+ "<3.5.10rc1",
+ "<3.6.10",
"<3.6.13",
- "<3.8.9",
- "<3.9.5",
+ "<3.6.14",
+ "<3.6.15",
+ "<3.6.7",
+ "<3.6.8",
+ "<3.8.4",
+ "<=3.4.7",
+ ">0",
+ ">=2.5.0a0,<2.5.2",
">=2.6,<2.6.7",
">=2.6,<3.3",
+ ">=2.6.0a0,<2.6.4",
">=2.7,<2.7.2",
">=2.7,<2.7.3",
+ ">=2.7.0a0,<2.7.0",
+ ">=2.7.0a0,<2.7.2",
+ ">=2.7.0a0,<2.7.7",
">=3.0,<3.1.5",
">=3.0,<3.4.5",
- ">=3.0.0,<=3.9.1",
+ ">=3.0.0a0,<3.1",
+ ">=3.0.0a0,<3.1.3",
+ ">=3.0.0a0,<3.1.4",
+ ">=3.0.0a0,<3.1.5",
+ ">=3.0.0a0,<3.2.6",
+ ">=3.0.0a0,<3.3.3",
+ ">=3.0.0a0,<3.3.4rc1",
+ ">=3.0.0a0,<3.3.7",
+ ">=3.0.0a0,<3.4.10",
+ ">=3.0.0a0,<3.4.3",
+ ">=3.0.0a0,<3.4.7",
+ ">=3.0.0a0,<3.4.8",
+ ">=3.0.0a0,<3.4.9",
+ ">=3.0.0a0,<3.5.10",
+ ">=3.0.0a0,<3.5.10rc1",
+ ">=3.0.0a0,<3.5.7",
+ ">=3.0.0a0,<3.5.8",
+ ">=3.0.0a0,<3.6.12",
+ ">=3.0.0a0,<3.6.8",
">=3.1,<3.1.5",
">=3.1,<3.4",
">=3.10.0,<3.10.0a7",
+ ">=3.10.0a0,<3.10.0a4",
+ ">=3.10.0a0,<3.10.0a7",
+ ">=3.10.0a0,<3.10.0b2",
+ ">=3.10.0a0,<3.10.0rc2",
">=3.2,<3.2.1",
">=3.2,<3.2.3",
+ ">=3.2.0a0,<3.2.0",
+ ">=3.2.0a0,<3.2.5",
+ ">=3.2.0a0,<3.2.6",
+ ">=3.3.0a0,<3.3.3",
+ ">=3.3.0a0,<3.3.4",
+ ">=3.3.0a0,<3.3.6",
+ ">=3.4.0a0,<3.4.0",
+ ">=3.4.0a0,<3.4.1",
+ ">=3.4.0a0,<3.4.2",
+ ">=3.4.0a0,<3.4.3",
+ ">=3.4.0a0,<3.4.4",
+ ">=3.4.0a0,<3.4.6",
+ ">=3.4.0a0,<3.4.7",
">=3.5,<3.5.2",
+ ">=3.5.0a0,<3.5.0",
+ ">=3.5.0a0,<3.5.3",
+ ">=3.5.0a0,<3.5.4",
+ ">=3.5.0a0,<3.5.5",
+ ">=3.5.0a0,<3.5.6",
+ ">=3.5.0a0,<3.5.6rc1",
+ ">=3.5.0a0,<3.5.7",
+ ">=3.6.0,<3.6.13",
+ ">=3.6.0a0,<3.6.10",
+ ">=3.6.0a0,<3.6.11",
+ ">=3.6.0a0,<3.6.11rc1",
+ ">=3.6.0a0,<3.6.12",
+ ">=3.6.0a0,<3.6.2",
+ ">=3.6.0a0,<3.6.3",
+ ">=3.6.0a0,<3.6.5",
+ ">=3.6.0a0,<3.6.5rc1",
+ ">=3.6.0a0,<3.6.7",
+ ">=3.6.0a0,<3.6.8",
+ ">=3.6.0a0,<3.6.9",
">=3.7.0,<3.7.10",
+ ">=3.7.0a0,<3.7.0",
+ ">=3.7.0a0,<3.7.0b3",
+ ">=3.7.0a0,<3.7.1",
+ ">=3.7.0a0,<3.7.10",
+ ">=3.7.0a0,<3.7.11",
+ ">=3.7.0a0,<3.7.12",
+ ">=3.7.0a0,<3.7.2",
+ ">=3.7.0a0,<3.7.3",
+ ">=3.7.0a0,<3.7.4",
+ ">=3.7.0a0,<3.7.5",
+ ">=3.7.0a0,<3.7.6",
+ ">=3.7.0a0,<3.7.7",
+ ">=3.7.0a0,<3.7.8",
+ ">=3.7.0a0,<3.7.8rc1",
+ ">=3.7.0a0,<3.7.9",
+ ">=3.8.0,<3.8.12",
">=3.8.0,<3.8.8",
+ ">=3.8.0,<3.8.9",
+ ">=3.8.0a0,<3.8.0",
+ ">=3.8.0a0,<3.8.0b2",
+ ">=3.8.0a0,<3.8.1",
+ ">=3.8.0a0,<3.8.11",
+ ">=3.8.0a0,<3.8.12",
+ ">=3.8.0a0,<3.8.2",
+ ">=3.8.0a0,<3.8.3rc1",
+ ">=3.8.0a0,<3.8.4",
+ ">=3.8.0a0,<3.8.5",
+ ">=3.8.0a0,<3.8.6",
+ ">=3.8.0a0,<3.8.7",
+ ">=3.8.0a0,<3.8.9",
">=3.9.0,<3.9.2",
- ">=3.9.0,<3.9.3"
+ ">=3.9.0,<3.9.3",
+ ">=3.9.0,<3.9.5",
+ ">=3.9.0a0,<3.9.0a6",
+ ">=3.9.0a0,<3.9.0b4",
+ ">=3.9.0a0,<3.9.0b5",
+ ">=3.9.0a0,<3.9.2",
+ ">=3.9.0a0,<3.9.3",
+ ">=3.9.0a0,<3.9.6",
+ ">=3.9.0a0,<3.9.7"
],
"python-augeas": [
"<1.0.0"
],
+ "python-bareos": [
+ "<=19.2.8"
+ ],
+ "python-base-app": [
+ "<0.2.25"
+ ],
"python-bugzilla": [
"<0.9.0"
],
@@ -4317,6 +4980,10 @@
"<=0.8.0"
],
"python-framework": [
+ "<0.2.194",
+ "<0.2.195",
+ "<0.2.198",
+ "<0.2.214",
"<0.2.5"
],
"python-gnupg": [
@@ -4328,14 +4995,18 @@
"python-jss": [
"<2.1.0"
],
+ "python-jwt": [
+ "<1.0.0"
+ ],
"python-keystoneclient": [
+ "<0.11.0",
"<1.4.0",
"<1.5.4",
">=0.2.3,<=0.2.5",
+ ">=1.0.0,<1.2.0",
">=2.0,<2.3.3"
],
"python-libnmap": [
- "<0.6.3",
"<0.7.2"
],
"python-libtorrent": [
@@ -4364,6 +5035,9 @@
"python-pptx": [
"<0.6.12"
],
+ "python-pycraft": [
+ "<0.8"
+ ],
"python-saml": [
"<2.1.6",
"<2.1.9",
@@ -4415,6 +5089,9 @@
"pytsite": [
"<1.2"
],
+ "pyttman": [
+ "<1.1.7"
+ ],
"pyu4v": [
"<9.1.2.0"
],
@@ -4428,18 +5105,21 @@
"pyvisa": [
"<0.9"
],
+ "pywb": [
+ "<2.6.0"
+ ],
"pywbem": [
"<0.13.0",
"<0.14.3",
"<0.17.0",
- "<1.0.0",
- "<1.0.0b1",
- "<1.2.0",
"<1.2.0.dev1"
],
"pywbemtools": [
"<0.6.0"
],
+ "pywebdav": [
+ "<0.9.4.1"
+ ],
"pywebsite": [
"<0.1.14pre",
"<0.1.9pre"
@@ -4470,6 +5150,9 @@
"<5.4",
">=5.1,<=5.1.2"
],
+ "qctrl-open-controls": [
+ "<8.5.0"
+ ],
"qi-jabberhelpdesk": [
"<0.30"
],
@@ -4495,6 +5178,9 @@
"quintagroup.seoptimizer": [
"<3.0.4"
],
+ "quokka": [
+ "==0.4.0"
+ ],
"qurro": [
"<0.4.0"
],
@@ -4537,7 +5223,10 @@
"rasa": [
"<1.10.0",
"<2.1.0",
- "<2.8.5"
+ "<2.8.10",
+ "<2.8.5",
+ "<2.8.9",
+ "<3.0.0"
],
"rasa-sdk": [
"<1.10.0"
@@ -4545,6 +5234,9 @@
"rauth": [
"<0.7.0"
],
+ "ray": [
+ "<1.8.0"
+ ],
"raylib": [
"<1.1.1",
"<1.2"
@@ -4567,9 +5259,21 @@
"recurly": [
"<=2.6.2"
],
+ "red-dashboard": [
+ "<0.1.7a0"
+ ],
+ "rediswrapper": [
+ "<0.3.0"
+ ],
"refitt": [
"<0.16.5"
],
+ "regex4ocr": [
+ "<1.0.2"
+ ],
+ "rejected": [
+ "<3.20.7"
+ ],
"remme": [
"<0.2.1alpha",
"<0.5.0-alpha"
@@ -4592,9 +5296,15 @@
"<1.3.2",
"<2.0.2"
],
+ "repobee-junit4": [
+ "<0.4.0"
+ ],
+ "repomate-junit4": [
+ "<0.4.0"
+ ],
"reportlab": [
"<=3.5.26",
- ">=0.0"
+ ">=0"
],
"requests": [
"<2.3.0",
@@ -4690,6 +5400,9 @@
"rss2email": [
"<3.10"
],
+ "rtmplite3": [
+ "<0.3.5"
+ ],
"rtslib-fb": [
"<2.1.73"
],
@@ -4699,17 +5412,24 @@
"rubicon-ml": [
"<0.2.6"
],
+ "rubrix": [
+ "<0.7.0"
+ ],
"ruffruffs": [
"<2.6.0"
],
"runway": [
"<1.16.0"
],
+ "s3scanner": [
+ "<2.0.2"
+ ],
"s4": [
"<0.4.2"
],
"safety": [
- "<1.8.4"
+ "<1.8.4",
+ "<=1.8.6"
],
"sagemaker-containers": [
"<2.8.2"
@@ -4718,19 +5438,48 @@
"<1.4.1"
],
"salt": [
+ "<2015.8.10",
"<3000.4",
"<3001.1",
+ "<3001.8",
+ "<3002.7",
+ "<3003.2",
"<=3002",
+ "==2016.11.4",
+ "==2016.3.5",
+ "==2016.3.7",
+ ">3001.8,<3002.7",
+ ">3002.7,<3003.3",
+ ">=2015.8.11,<2015.8.13",
+ ">=2016.11.7,<2016.11.10",
+ ">=2016.3.0rc0,<2016.3.4",
+ ">=2016.3.9,<2016.11.3",
+ ">=2016.9,<=3002.6",
+ ">=2017.5.0,<2017.7.8",
+ ">=2018.2.0,<=2018.3.5",
+ ">=2019.2.0rc0,<2019.2.5",
+ ">=2019.2.6,<2019.2.8",
+ ">=3000.0.0rc0,<3000.6",
">=3001,<3001.2",
- ">=3002,<3002.1"
+ ">=3001rc1,<3001.4",
+ ">=3002,<3002.1",
+ ">=3002rc0,<3002.5"
],
"salted": [
"<0.5.4"
],
+ "sanic": [
+ "<0.8.0",
+ "<19.9.0"
+ ],
"sanic-oauthlib": [
"<0.5.0",
"<0.9.1"
],
+ "sanic-security": [
+ "<0.6.8.1",
+ "<0.8.0"
+ ],
"sapsan": [
"<0.4.0"
],
@@ -4756,12 +5505,19 @@
"sceptre": [
"<2.3.0"
],
+ "schemachange": [
+ "<3.3.2"
+ ],
"scons": [
"<4.0.0"
],
"scrape": [
"<0.10.2"
],
+ "scrapy": [
+ "<1.8.1",
+ ">=2.0.0,<2.5.1"
+ ],
"scrapydd": [
"<0.6.3"
],
@@ -4774,11 +5530,15 @@
"secrets2env": [
"<0.1.4"
],
+ "security-monkey": [
+ "<0.8.0"
+ ],
"seed-auth-api": [
"<0.9.3"
],
"seed-control-interface": [
- "<0.9.16"
+ "<0.9.16",
+ "<0.9.18"
],
"seed-control-interface-service": [
"<0.9.6"
@@ -4819,23 +5579,34 @@
"semversioner": [
"<0.13.0"
],
+ "senaite-core": [
+ "<1.3.0"
+ ],
"senaite-queue": [
"<1.0.3"
],
+ "sendgrid": [
+ "<6.9.1"
+ ],
"sentry": [
- "<0.12.2",
- "<5.7.0",
+ "<10.0.0",
+ "<20.6.0",
+ "<21.2.0",
+ "<21.3.1",
+ "<21.6.0",
+ "<21.6.2",
+ "<21.9.0",
"<6.1.1",
"<7.4.0",
- "<7.5.5",
- "<7.6.1",
+ "<7.7.0",
"<8.1.4",
"<8.1.5",
"<8.2.2",
"<8.2.4",
"<8.2.5",
"<8.3.3",
- "<8.8"
+ "<8.8",
+ "<9.0.0rc1"
],
"sequoia-client-sdk": [
"<1.2.0",
@@ -4844,6 +5615,9 @@
"serpscrap": [
"<0.13.0"
],
+ "serverlla": [
+ "<1.23"
+ ],
"sesame": [
"<0.3.0"
],
@@ -4852,6 +5626,7 @@
">0"
],
"setuptools": [
+ "<0.7",
"<0.9.5",
"<1.3",
"<3.0"
@@ -4873,7 +5648,8 @@
"<0.9.3"
],
"shuup": [
- "<2.11.0"
+ ">=0.4.2,<2.11.0",
+ ">=1.6.0,<2.11.0"
],
"simple-swagger": [
"<0.1.0",
@@ -4889,7 +5665,8 @@
"<3.0.7"
],
"skill-sdk": [
- "<0.10.5"
+ "<0.10.5",
+ "<1.0.6"
],
"slackeventsapi": [
"<2.1.0"
@@ -4899,7 +5676,8 @@
"<1.0.10a5"
],
"smbprotocol": [
- "<1.4.0"
+ "<1.4.0",
+ "<1.8.0"
],
"smeagol": [
"<0.1.0"
@@ -4907,18 +5685,27 @@
"smqtk": [
"<0.11.0"
],
+ "smqtk-detection": [
+ "<0.17.0"
+ ],
"smtpdfix": [
"<0.2.9"
],
"snakemake": [
"<5.28.0"
],
+ "snapcraft": [
+ "<4.4.4"
+ ],
"snappass": [
"<1.4.1"
],
"sncli": [
"<0.4.0"
],
+ "snudown": [
+ "<1.7.0"
+ ],
"soapfish": [
"<0.6.0"
],
@@ -4936,6 +5723,14 @@
"<4.4.0",
"<6.3.0"
],
+ "sopel-plugins-channelmgnt": [
+ "<1.0.3",
+ "<2.0.1"
+ ],
+ "sosreport": [
+ "==3.2",
+ ">=3.0,<3.3"
+ ],
"spacepy-x": [
"<1.0.1"
],
@@ -4948,9 +5743,15 @@
"sphinx": [
"<3.0.4"
],
+ "sphinx-bulma": [
+ "<0.1.0"
+ ],
"sphinx-paragraph-extractor": [
"<1.0.4"
],
+ "sphinx-typo3-theme": [
+ "<4.3.0"
+ ],
"sphinx-wagtail-theme": [
"<4.3.0"
],
@@ -4982,6 +5783,9 @@
"spyse-python": [
"<2.0.0"
],
+ "sqla-yaml-fixtures": [
+ "==0.9.1"
+ ],
"sqlalchemy": [
"<=1.2.17",
"==1.2.17",
@@ -4990,6 +5794,9 @@
"sqlalchemy-cockroachdb": [
"<0.3.2"
],
+ "sqlalchemy-utils": [
+ ">=0.27.0"
+ ],
"sqlathanor": [
"<0.5.0"
],
@@ -5000,7 +5807,7 @@
">=0"
],
"sqlparse": [
- "<0.4.2"
+ ">=0.4.0,<0.4.2"
],
"ssh-audit": [
"<2.2.0"
@@ -5023,6 +5830,9 @@
"stargate": [
"<0.4"
],
+ "starkbank-ecdsa": [
+ "<2.0.1"
+ ],
"staty": [
"<1.2.3"
],
@@ -5071,21 +5881,15 @@
"<2.0.2"
],
"superset": [
- "<0.11.0a",
+ "<0.11.0",
"<0.14.0a",
- "<0.19.1a",
+ "<0.19.1",
"<0.23.0a",
"<0.29.0rc8a",
"<0.32.0rc2.dev2a",
"<0.33.0rc1a",
"<0.34.0a"
],
- "superset-hand": [
- "<0.11.0"
- ],
- "superset-tddv": [
- "<0.11.0"
- ],
"supervisor": [
"<3.0.1",
">=3.1,<3.1.4",
@@ -5099,13 +5903,13 @@
"<0.2.3"
],
"swauth": [
- "<1.1.0"
+ "<1.1.0",
+ "<1.3.0"
],
"swift": [
"<2.6.0",
"<=2.10.1",
"==2.14.0",
- ">=1.0.2,<2.15.2",
">=2.11.0,<=2.13.0"
],
"swifter": [
@@ -5115,14 +5919,23 @@
"<0.2.3",
"<0.2.3.a1"
],
+ "symphony-bdk-python": [
+ "<1.3.5",
+ "<2.0b3"
+ ],
+ "synadm": [
+ "<0.13.1"
+ ],
"synapse": [
- "<1.25.0",
- "<1.27.0",
- "<1.28.0"
+ "<0.0.47",
+ "<1.25.0"
],
"synapse-downloader": [
"<0.0.5"
],
+ "synapseml": [
+ "<1.0.0rc4"
+ ],
"synology-api": [
"<0.2.1"
],
@@ -5146,6 +5959,11 @@
"tapipy": [
"<0.3.10"
],
+ "targetcli-fb": [
+ "<=2.1.52",
+ "==2.1.50",
+ "==2.1.51"
+ ],
"tartufo": [
"<2.5.0"
],
@@ -5166,6 +5984,9 @@
"telemeta": [
"<1.4.31"
],
+ "telemeter": [
+ "<3.0.4"
+ ],
"teleserver": [
"<2.2.0"
],
@@ -5173,6 +5994,9 @@
"<0",
">0"
],
+ "tenable-jira-cloud": [
+ "<1.1.21"
+ ],
"tendenci": [
"<11.0.1",
"<11.0.4",
@@ -5187,12 +6011,14 @@
"<12.3.2",
"<12.4.13",
"<12.4.8",
- "<7.4.0"
+ "<7.4.0",
+ "==12.0.10"
],
"teneto": [
"<0.4.5"
],
"tensorflow": [
+ " >=2.6.0rc0,<2.6.1",
"<1.10.0",
"<1.12.2",
"<1.15",
@@ -5206,6 +6032,7 @@
"<1.7.0a1",
"<1.7.1",
"<2.4.0",
+ "<2.4.4",
"<=1.7",
">=1.15.0rc0,<1.15.4",
">=2.0.0a0,<2.0.1",
@@ -5222,7 +6049,6 @@
">=2.2.0rc0,<2.2.2",
">=2.2.0rc0,<2.2.3",
">=2.3.0a0,<2.3.1",
- ">=2.3.0rc0,<2.3.0",
">=2.3.0rc0,<2.3.1",
">=2.3.0rc0,<2.3.2",
">=2.3.0rc0,<2.3.3",
@@ -5234,9 +6060,12 @@
">=2.4.0rc0,<2.4.3rc0",
">=2.5.0rc0,<2.5.0",
">=2.5.0rc0,<2.5.1",
+ ">=2.5.0rc0,<2.5.2",
">=2.5.0rc0,<=2.5.0",
">=2.6.0a1,<2.6.0",
- ">=2.6.0rc0,<2.6.0"
+ ">=2.6.0rc0,<2.6.0",
+ ">=2.6.0rc0,<2.6.1",
+ ">=2.7.0rc0,<2.7.0"
],
"tensorflow-directml": [
"<1.10.0",
@@ -5245,8 +6074,7 @@
"<1.15.2",
"<1.15.3",
"<1.15.4",
- "<1.15.5",
- ">=1.15.0,<1.15.5"
+ "<1.15.5"
],
"tensorpy": [
"<1.5.0"
@@ -5258,6 +6086,9 @@
"tern": [
"<2.5.0"
],
+ "textattack": [
+ "<0.3.4"
+ ],
"textract": [
"<1.5.0"
],
@@ -5272,9 +6103,6 @@
"tftpy": [
"<0.4.6"
],
- "tfx": [
- "<0.30.0"
- ],
"tg": [
"<0.1.3"
],
@@ -5316,6 +6144,9 @@
"tinydb": [
"<2.0.0"
],
+ "tiramisu-brulee": [
+ "<0.1.30"
+ ],
"tksvg": [
"<0.6"
],
@@ -5326,15 +6157,15 @@
"<0.7.6",
">=0.8.0-alpha1,<0.8.0-alpha39"
],
- "tmc": [
- "<0.3.5"
- ],
"tmt": [
"<0.19"
],
"toggl-to-sqlite": [
"<0.3.1"
],
+ "tomcatmanager": [
+ "<5.0.0"
+ ],
"tomtoolkit": [
"<1.6.1",
"<1.6.1alpha.1"
@@ -5344,7 +6175,7 @@
],
"tortoise-orm": [
"<0.15.23",
- "<0.16.6"
+ ">=0.16.0,<0.16.6"
],
"tqdm": [
"<4.11.2"
@@ -5353,8 +6184,7 @@
"<0.4.4"
],
"trackthenews": [
- "<0.1.10",
- ">=0.1.10,<=0.1.11a4"
+ "<0.1.10"
],
"transformers": [
"<4.5.0"
@@ -5387,7 +6217,8 @@
],
"tuf": [
"<0.11.1",
- "<0.12.dev0"
+ "<0.12.0",
+ "<0.19.0"
],
"tutor": [
"<10.0.5",
@@ -5405,6 +6236,7 @@
"<11.2.2",
"<11.2.7",
"<12.0.4",
+ "<12.1.7",
"<3.12.3",
"<3.3.5",
"<3.5.2",
@@ -5439,6 +6271,9 @@
"twodolib": [
"<0.5.1"
],
+ "txaws": [
+ ">0"
+ ],
"typed-ast": [
"==1.3.0",
"==1.3.1"
@@ -5456,6 +6291,9 @@
"<1.6.16",
"<2.0.2"
],
+ "udata-front": [
+ "<1.1.0"
+ ],
"ugoira": [
"<0.5.0"
],
@@ -5480,7 +6318,6 @@
],
"urllib": [
"<0",
- "<=3.7.2",
">0"
],
"urllib3": [
@@ -5547,6 +6384,12 @@
"vresutils": [
"<0.3.1"
],
+ "vyper": [
+ "<0.3.0"
+ ],
+ "wafer": [
+ "<0.11.0"
+ ],
"wagtail": [
"<2.11.8",
"<2.7.2",
@@ -5573,7 +6416,9 @@
"<1.4.0",
"<1.4.1",
"<1.4.2",
- "<1.4.3"
+ "<1.4.3",
+ "<=1.3.1",
+ "==1.4.2"
],
"wandb": [
"<0.8.0",
@@ -5586,7 +6431,10 @@
"<0.2.1"
],
"wasmtime": [
- "<0.27.0"
+ "<0.27.0",
+ "<0.30.0",
+ ">=0.19.0,<0.30.0",
+ ">=0.26.0,<0.30.0"
],
"watchmaker": [
"<0.14.0"
@@ -5618,6 +6466,9 @@
"webchanges": [
"<3.7.0"
],
+ "webcomix": [
+ "<3.5.1"
+ ],
"webp": [
"<0.1.2"
],
@@ -5628,7 +6479,8 @@
],
"websockets": [
"<5.0,>=4.0.0",
- "<9.1"
+ "<9.1",
+ ">=4.0.0,<5.0.0"
],
"werkzeug": [
"<0.11.11",
@@ -5639,6 +6491,7 @@
"<0.6.1",
"<0.8",
"<0.8.3",
+ "<2.0.2",
">=0.15.0,<0.15.5"
],
"whispers": [
@@ -5647,6 +6500,9 @@
"whitenoise": [
"<4.1.3"
],
+ "wiki": [
+ ">=0.0.20,<0.7.9"
+ ],
"wikibaseintegrator": [
"<0.10.1"
],
@@ -5668,6 +6524,9 @@
"wirepas-backend-client": [
"<1.2.0rc2"
],
+ "wolkenbrot": [
+ "<0.3"
+ ],
"wordops": [
"<1.16.0",
"<3.9.6",
@@ -5678,6 +6537,10 @@
"wpull": [
"<0.1006.1"
],
+ "wtforms": [
+ "<1.0",
+ "<3.0.0a1"
+ ],
"xdg": [
"<0.26",
"<=0.25"
@@ -5685,6 +6548,9 @@
"xmlschema-acue": [
"<0.9.27"
],
+ "xmpp-http-upload": [
+ "<0.4.0"
+ ],
"xontrib-output-search": [
"<0.0.2"
],
@@ -5698,6 +6564,14 @@
"xscrapers": [
"<127.0.0.150077"
],
+ "xstatic-lodash": [
+ "<4.17.11",
+ "<4.17.5"
+ ],
+ "xstatic-moment": [
+ "<2.11.2",
+ "<2.19.3"
+ ],
"xtea3": [
"<1.0.0"
],
@@ -5708,24 +6582,44 @@
"<0.4.0",
"<0.5.2"
],
+ "yamale": [
+ "<3.0.8",
+ "<4.0.0",
+ ">0"
+ ],
"yaml-mako": [
"<1.0.0"
],
"yamlconf": [
"<0.2.4"
],
+ "yandex2lightroom": [
+ "<1.0.9.2"
+ ],
"yasha": [
"<4.0"
],
"yaybu": [
"<0.1.14"
],
+ "yfpy": [
+ "<4.0.0"
+ ],
+ "ymlref": [
+ ">0"
+ ],
"yorm": [
"<1.6.1"
],
+ "yt2mp3": [
+ "<1.2.3"
+ ],
"yubiauth": [
"<0.2.3"
],
+ "yubikey-manager": [
+ "<0.4.6"
+ ],
"z3c.form": [
"<2.4.2"
],
@@ -5747,6 +6641,9 @@
">=3.8,<3.8.3",
">=3.9,<3.9.0c2"
],
+ "zodipy": [
+ "<0.2.2"
+ ],
"zope": [
"<2.13.1",
"<2.13.19",
diff --git a/src/main/resources/safety-db/insecure_full.json b/src/main/resources/safety-db/insecure_full.json
index 1c994761..2195ec80 100644
--- a/src/main/resources/safety-db/insecure_full.json
+++ b/src/main/resources/safety-db/insecure_full.json
@@ -22,6 +22,16 @@
}
],
"accesscontrol": [
+ {
+ "advisory": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.",
+ "cve": "CVE-2021-32811",
+ "id": "pyup.io-42315",
+ "specs": [
+ ">=4.0,<4.3",
+ ">=5.0,<5.2"
+ ],
+ "v": ">=4.0,<4.3,>=5.0,<5.2"
+ },
{
"advisory": "The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope \"Manager\" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope. See: CVE-2021-32807.",
"cve": "CVE-2021-32807",
@@ -74,7 +84,7 @@
"v": "<1.7.1"
},
{
- "advisory": "Adversarial-robustness-toolbox version 1.8.0 updates its dependency \"Pillow\" to a secure version. See CVE-2021-23437.",
+ "advisory": "The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.",
"cve": "CVE-2021-23437",
"id": "pyup.io-41784",
"specs": [
@@ -107,14 +117,23 @@
],
"agraph-python": [
{
- "advisory": "Agraph-python 101.0.1 updates urllib3 from 1.22 to 1.23 and requests from 2.18.4 to 2.20.0 for security reasons.",
- "cve": "PVE-2021-38506",
+ "advisory": "Agraph-python 101.0.1 updates urllib3 from 1.22 to 1.23 for security reasons.",
+ "cve": "CVE-2018-20060",
"id": "pyup.io-38506",
"specs": [
"<101.0.1"
],
"v": "<101.0.1"
},
+ {
+ "advisory": "Agraph-python 101.0.1 updates requests from 2.18.4 to 2.20.0 for security reasons.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-42708",
+ "specs": [
+ "<101.0.1"
+ ],
+ "v": "<101.0.1"
+ },
{
"advisory": "Agraph-python before 101.0.3 updates numpy to 1.16.0 and urllib3 to 1.24.2 for security reasons.",
"cve": "PVE-2021-37085",
@@ -211,7 +230,7 @@
],
"aiohttp": [
{
- "advisory": "aiohttp 0.16.3 fixes a StaticRoute vulnerability to directory traversal attacks.",
+ "advisory": "Aiohttp 0.16.3 fixes a directory traversal vulnerability by making changes in StaticRoute class of web_urldispatcher.py.\r\nhttps://github.com/aio-libs/aiohttp/pull/383",
"cve": "PVE-2021-25613",
"id": "pyup.io-25613",
"specs": [
@@ -227,6 +246,15 @@
"<3.7.4"
],
"v": "<3.7.4"
+ },
+ {
+ "advisory": "Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.\r\nhttps://github.com/aio-libs/aiohttp/issues/4818",
+ "cve": "PVE-2021-42692",
+ "id": "pyup.io-42692",
+ "specs": [
+ "<3.8.0"
+ ],
+ "v": "<3.8.0"
}
],
"aiohttp-auth-autz": [
@@ -430,15 +458,15 @@
"v": "<3.3.2"
}
],
- "airtable": [
+ "aioxmpp": [
{
- "advisory": "Airtable 0.4.4 updates 'request' dependency to 2.79.0 (it removes 'tough-cookie' vulnerability warning).",
- "cve": "PVE-2021-39517",
- "id": "pyup.io-39517",
+ "advisory": "aioxmpp version 0.10.2 and earlier contains a Improper Handling of Structural Elements vulnerability in Stanza Parser, rollback during error processing, aioxmpp.xso.model.guard function that can result in Denial of Service, Other. This attack appears to be exploitable via Remote. A crafted stanza can be sent to an application which uses the vulnerable components to either inject data in a different context or cause the application to reconnect (potentially losing data). This vulnerability appears to have been fixed in 0.10.3.",
+ "cve": "CVE-2019-1000007",
+ "id": "pyup.io-42257",
"specs": [
- "<0.4.4"
+ "<=0.10.2"
],
- "v": "<0.4.4"
+ "v": "<=0.10.2"
}
],
"ajsonrpc": [
@@ -472,6 +500,18 @@
"v": "<1.8.18.1"
}
],
+ "alerta-server": [
+ {
+ "advisory": "In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.",
+ "cve": "CVE-2020-26214",
+ "id": "pyup.io-42286",
+ "specs": [
+ "<7.5.7",
+ ">=8.0.0,<8.1.0"
+ ],
+ "v": "<7.5.7,>=8.0.0,<8.1.0"
+ }
+ ],
"alex-ber-utils": [
{
"advisory": "Alex-ber-utils 0.6.3 changed the base docker image version to 0.1.0, because it has fix for a potential security risk: Git was changed not to store credential as plain text, but to keep them in memory for 1 hour, see .",
@@ -549,8 +589,8 @@
],
"ambient-api": [
{
- "advisory": "ambient-api 1.5.2 updates requirements.txt to use requests>=2.2.0 due to a security vulnerability.",
- "cve": "PVE-2021-36594",
+ "advisory": "Ambient-api 1.5.2 updates requirements.txt to use urllib3>=1.23 to include a security fix.",
+ "cve": "CVE-2018-20060",
"id": "pyup.io-36594",
"specs": [
"<1.5.2"
@@ -620,7 +660,7 @@
],
"annotator": [
{
- "advisory": "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.",
+ "advisory": "Annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.\r\nhttps://github.com/openannotation/annotator-store/issues/82",
"cve": "PVE-2021-25615",
"id": "pyup.io-25615",
"specs": [
@@ -631,8 +671,26 @@
],
"ansible": [
{
- "advisory": "ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections.",
- "cve": "PVE-2021-25616",
+ "advisory": "Ansible 1.2.1 includes a fix for CVE-2013-2233: Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=980821",
+ "cve": "CVE-2013-2233",
+ "id": "pyup.io-42921",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ },
+ {
+ "advisory": "Ansible 1.2.2 includes a fix for CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker could take advantage of this information to steal those credentials, provided it had access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1939349",
+ "cve": "CVE-2021-3447",
+ "id": "pyup.io-42860",
+ "specs": [
+ "<1.2.2"
+ ],
+ "v": "<1.2.2"
+ },
+ {
+ "advisory": "Ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections. See CVE-2013-4260.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=998227",
+ "cve": "CVE-2013-4260",
"id": "pyup.io-25616",
"specs": [
"<1.2.3"
@@ -640,8 +698,17 @@
"v": "<1.2.3"
},
{
- "advisory": "ansible 1.5.4 includes a security fix for safe_eval, which further hardens the checking of the evaluation function.",
- "cve": "PVE-2021-25617",
+ "advisory": "Ansible 1.2.3 includes a fix for CVE-2013-4259: runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/.",
+ "cve": "CVE-2013-4259",
+ "id": "pyup.io-42920",
+ "specs": [
+ "<1.2.3"
+ ],
+ "v": "<1.2.3"
+ },
+ {
+ "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-4657: The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.",
+ "cve": "CVE-2014-4657",
"id": "pyup.io-25617",
"specs": [
"<1.5.4"
@@ -649,8 +716,17 @@
"v": "<1.5.4"
},
{
- "advisory": "ansible 1.5.5 includes a security fix for vault, to ensure the umask is set to a restrictive mode before creating/editing vault files.",
- "cve": "PVE-2021-25618",
+ "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-2686: Ansible prior to 1.5.4 mishandles the evaluation of some strings.\r\nhttps://groups.google.com/forum/#!searchin/ansible-project/1.5.4/ansible-project/MUQxiKwSQDc/id6aVaawVboJ",
+ "cve": "CVE-2014-2686",
+ "id": "pyup.io-42919",
+ "specs": [
+ "<1.5.4"
+ ],
+ "v": "<1.5.4"
+ },
+ {
+ "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4658: The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.",
+ "cve": "CVE-2014-4658",
"id": "pyup.io-25618",
"specs": [
"<1.5.5"
@@ -658,8 +734,26 @@
"v": "<1.5.5"
},
{
- "advisory": "ansible includes 1.6.4 security updates related to evaluation of untrusted remote inputs.",
- "cve": "PVE-2021-25619",
+ "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4659: Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the \"deb http://user:pass@server:port/\" format.",
+ "cve": "CVE-2014-4659",
+ "id": "pyup.io-42854",
+ "specs": [
+ "<1.5.5"
+ ],
+ "v": "<1.5.5"
+ },
+ {
+ "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19",
+ "cve": "CVE-2014-4660",
+ "id": "pyup.io-42918",
+ "specs": [
+ "<1.5.5"
+ ],
+ "v": "<1.5.5"
+ },
+ {
+ "advisory": "Ansible 1.6.4 includes a fix for CVE-2014-4678: The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.",
+ "cve": "CVE-2014-4678",
"id": "pyup.io-25619",
"specs": [
"<1.6.4"
@@ -667,14 +761,23 @@
"v": "<1.6.4"
},
{
- "advisory": "ansible 1.6.6 includes security updates to further protect against the incorrect execution of untrusted data.",
- "cve": "PVE-2021-25620",
+ "advisory": "Ansible 1.6.6 includes a fix for CVE-2014-3498: The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.",
+ "cve": "CVE-2014-3498",
"id": "pyup.io-25620",
"specs": [
"<1.6.6"
],
"v": "<1.6.6"
},
+ {
+ "advisory": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.",
+ "cve": "CVE-2014-4966",
+ "id": "pyup.io-42334",
+ "specs": [
+ "<1.6.7"
+ ],
+ "v": "<1.6.7"
+ },
{
"advisory": "ansible 1.6.7 contains two security fixes:\r\n * Strip lookup calls out of inventory variables and clean unsafe data\r\n returned from lookup plugins (CVE-2014-4966)\r\n * Make sure vars don't insert extra parameters into module args and prevent\r\n duplicate params from superseding previous params (CVE-2014-4967)",
"cve": "CVE-2014-4967",
@@ -720,6 +823,15 @@
],
"v": "<1.9.2"
},
+ {
+ "advisory": "Ansible 1.9.2 includes a fix for CVE-2015-6240: The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1243468",
+ "cve": "CVE-2015-6240",
+ "id": "pyup.io-42917",
+ "specs": [
+ "<1.9.2"
+ ],
+ "v": "<1.9.2"
+ },
{
"advisory": "The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.",
"cve": "CVE-2016-3096",
@@ -739,26241 +851,32898 @@
"v": "<2.0.2"
},
{
- "advisory": "ansible before 2.2.1 is vulnerable to arbitrary code execution. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server as the user and group Ansible is running as.",
- "cve": "PVE-2021-33286",
- "id": "pyup.io-33286",
+ "advisory": "Ansible versions 2.1.4 and 2.2.1 include a fix for CVE-2016-9587: Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://www.exploit-db.com/exploits/41013/",
+ "cve": "CVE-2016-9587",
+ "id": "pyup.io-33285",
"specs": [
- "<2.2.1"
+ "<2.1.4.0",
+ ">2.1.4.0,<2.2.1.0"
],
- "v": "<2.2.1"
+ "v": "<2.1.4.0,>2.1.4.0,<2.2.1.0"
},
{
- "advisory": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. See: CVE-2017-7481.",
- "cve": "CVE-2017-7481",
- "id": "pyup.io-34941",
+ "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8614: A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614",
+ "cve": "CVE-2016-8614",
+ "id": "pyup.io-42916",
"specs": [
- "<2.3.1"
+ "<2.2.0"
],
- "v": "<2.3.1"
- }
- ],
- "ansible-runner": [
+ "v": "<2.2.0"
+ },
{
- "advisory": "ansible-runner 1.3.1 adds fixes to make default file permissions much more secure, upgrading is recommended.",
- "cve": "PVE-2021-36995",
- "id": "pyup.io-36995",
+ "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628",
+ "cve": "CVE-2016-8628",
+ "id": "pyup.io-42915",
"specs": [
- "<1.3.1"
+ "<2.2.0"
],
- "v": "<1.3.1"
- }
- ],
- "ansible-vault": [
+ "v": "<2.2.0"
+ },
{
- "advisory": "An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.",
- "cve": "CVE-2017-2809",
- "id": "pyup.io-35730",
+ "advisory": "Ansible 2.3 includes a fix for CVE-2017-7466: Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466",
+ "cve": "CVE-2017-7466",
+ "id": "pyup.io-42890",
"specs": [
- "<1.0.5"
+ "<2.3"
],
- "v": "<1.0.5"
- }
- ],
- "ansigenome": [
+ "v": "<2.3"
+ },
{
- "advisory": "ansigenome before 0.6.0 uses yaml.load instead of yaml.safe_load, allowing a code execution vulnerability.",
- "cve": "PVE-2021-34505",
- "id": "pyup.io-34505",
+ "advisory": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. See: CVE-2017-7481.",
+ "cve": "CVE-2017-7481",
+ "id": "pyup.io-34941",
"specs": [
- "<0.6.0"
+ "<2.3.1"
],
- "v": "<0.6.0"
- }
- ],
- "ansitoimg": [
+ "v": "<2.3.1"
+ },
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.",
- "cve": "CVE-2021-27923",
- "id": "pyup.io-40607",
+ "advisory": "Ansible 2.8.19, 2.9.18 and 2.10.7 include a fix for CVE-2021-20191: Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1916813",
+ "cve": "CVE-2021-20191",
+ "id": "pyup.io-42856",
"specs": [
- "<2021.0.1"
+ "<2.8.19",
+ ">=2.9.0b1,<2.9.18",
+ ">=2.10.0a1,<2.10.7"
],
- "v": "<2021.0.1"
+ "v": "<2.8.19,>=2.9.0b1,<2.9.18,>=2.10.0a1,<2.10.7"
},
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.",
- "cve": "CVE-2021-27922",
- "id": "pyup.io-40612",
+ "advisory": "Ansible 2.9.18 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774",
+ "cve": "CVE-2021-20178",
+ "id": "pyup.io-42858",
"specs": [
- "<2021.0.1"
+ "<2.9.18"
],
- "v": "<2021.0.1"
+ "v": "<2.9.18"
},
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35654: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.",
- "cve": "CVE-2020-35654",
- "id": "pyup.io-40996",
+ "advisory": "Ansible 2.9.23 includes a fix for CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1968412",
+ "cve": "CVE-2021-3583",
+ "id": "pyup.io-42924",
"specs": [
- "<2021.0.1"
+ "<2.9.23"
],
- "v": "<2021.0.1"
+ "v": "<2.9.23"
},
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.",
- "cve": "CVE-2021-27923",
- "id": "pyup.io-40993",
+ "advisory": "Ansible 3.0.0 includes a fix for CVE-2021-3533: A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956477",
+ "cve": "CVE-2021-3533",
+ "id": "pyup.io-42926",
"specs": [
- "<2021.0.1"
+ "<3.0.0"
],
- "v": "<2021.0.1"
+ "v": "<3.0.0"
},
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35655: In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.",
- "cve": "CVE-2020-35655",
- "id": "pyup.io-40994",
+ "advisory": "Ansible is vulnerable to CVE-2021-3532: A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956464",
+ "cve": "CVE-2021-3532",
+ "id": "pyup.io-42923",
"specs": [
- "<2021.0.1"
+ ">0"
],
- "v": "<2021.0.1"
+ "v": ">0"
},
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35653: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.",
- "cve": "CVE-2020-35653",
- "id": "pyup.io-40995",
+ "advisory": "Ansible 2.3.3 and 2.4.1 include a fix for CVE-2017-7550: A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation.\r\nhttps://github.com/ansible/ansible/issues/30874\r\nhttps://access.redhat.com/errata/RHSA-2017:2966",
+ "cve": "CVE-2017-7550",
+ "id": "pyup.io-42853",
"specs": [
- "<2021.0.1"
+ ">=2.3.0,<2.3.3",
+ ">=2.4.0,<2.4.1"
],
- "v": "<2021.0.1"
+ "v": ">=2.3.0,<2.3.3,>=2.4.0,<2.4.1"
},
{
- "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2020-35654).",
- "cve": "CVE-2020-35654",
- "id": "pyup.io-40609",
+ "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876",
+ "cve": "CVE-2018-16876",
+ "id": "pyup.io-42889",
"specs": [
- "<2021.0.1"
+ ">=2.5.0a0,<2.5.14",
+ ">=2.6.0a0,<2.6.11",
+ ">=2.7.0a0,<2.7.5"
],
- "v": "<2021.0.1"
+ "v": ">=2.5.0a0,<2.5.14,>=2.6.0a0,<2.6.11,>=2.7.0a0,<2.7.5"
},
{
- "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.",
- "cve": "CVE-2021-27921",
- "id": "pyup.io-40611",
+ "advisory": "Ansible 2.5.15, 2.6.14 and 2.7.8 include a fix for CVE-2019-3828: Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local Ansible controller host by not restricting an absolute path.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828",
+ "cve": "CVE-2019-3828",
+ "id": "pyup.io-42888",
"specs": [
- "<2021.0.1"
+ ">=2.5.0a0,<2.5.15",
+ ">=2.6.0a0,<2.6.14",
+ ">=2.7.0a0,<2.7.8"
],
- "v": "<2021.0.1"
- }
- ],
- "anymotion-sdk": [
+ "v": ">=2.5.0a0,<2.5.15,>=2.6.0a0,<2.6.14,>=2.7.0a0,<2.7.8"
+ },
{
- "advisory": "Anymotion-sdk 1.2.5 updates the 'urllib3' dependency and other packages for more security.",
- "cve": "PVE-2021-40842",
- "id": "pyup.io-40842",
+ "advisory": "Ansible versions 2.6.20, 2.7.14 and 2.8.6 include a fix for CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856",
+ "cve": "CVE-2019-14856",
+ "id": "pyup.io-42884",
"specs": [
- "<1.2.5"
+ ">=2.6.0a0,<2.6.20",
+ ">=2.7.0a0,<2.7.14",
+ ">=2.8.0a0,<2.8.6"
],
- "v": "<1.2.5"
- }
- ],
- "apache-airflow": [
+ "v": ">=2.6.0a0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6"
+ },
{
- "advisory": "apache-airflow 1.10.0 fixes XSS vulnerability in Variable endpoint",
- "cve": "PVE-2021-36832",
- "id": "pyup.io-36832",
+ "advisory": "Ansible versions 2.7.15, 2.8.7 and 2.9.1 include a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864",
+ "cve": "CVE-2019-14864",
+ "id": "pyup.io-42882",
"specs": [
- "<1.10.0"
+ ">=2.7.0a0,<2.7.15",
+ ">=2.8.0a0,<2.8.7",
+ ">=2.9.0a0,<2.9.1"
],
- "v": "<1.10.0"
+ "v": ">=2.7.0a0,<2.7.15,>=2.8.0a0,<2.8.7,>=2.9.0a0,<2.9.1"
},
{
- "advisory": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. See CVE-2020-17513.",
- "cve": "CVE-2020-17513",
- "id": "pyup.io-39282",
+ "advisory": "Ansible versions 2.7.16, 2.8.8 and 2.9.3 include a fix for CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1776944",
+ "cve": "CVE-2019-14904",
+ "id": "pyup.io-42881",
"specs": [
- "<1.10.13"
+ ">=2.7.0a0,<2.7.16",
+ ">=2.8.0a0,<2.8.8",
+ ">=2.9.0a0,<2.9.3"
],
- "v": "<1.10.13"
+ "v": ">=2.7.0a0,<2.7.16,>=2.8.0a0,<2.8.8,>=2.9.0a0,<2.9.3"
},
{
- "advisory": "Apache Airflow version 2.1.2 includes a fix for CVE-2021-35936: \r\nIf remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. \r\nhttps://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E",
- "cve": "CVE-2021-35936",
- "id": "pyup.io-41181",
+ "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733",
+ "cve": "CVE-2020-1733",
+ "id": "pyup.io-42879",
"specs": [
- "<2.1.2"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.11",
+ ">=2.9.0a0,<2.9.7"
],
- "v": "<2.1.2"
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7"
},
{
- "advisory": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336). See CVE-2021-28359.",
- "cve": "CVE-2021-28359",
- "id": "pyup.io-40341",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684",
+ "cve": "CVE-2020-10684",
+ "id": "pyup.io-42864",
"specs": [
- ">=1.0.0a1,<1.10.15",
- ">=2.0.0a1,<2.0.2"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
],
- "v": ">=1.0.0a1,<1.10.15,>=2.0.0a1,<2.0.2"
- }
- ],
- "apache-libcloud": [
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
+ },
{
- "advisory": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
- "cve": "CVE-2012-3446",
- "id": "pyup.io-25628",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738",
+ "cve": "CVE-2020-1738",
+ "id": "pyup.io-42873",
"specs": [
- "<0.11.1"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
],
- "v": "<0.11.1"
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.",
- "cve": "CVE-2013-6480",
- "id": "pyup.io-25629",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740",
+ "cve": "CVE-2020-1740",
+ "id": "pyup.io-42869",
"specs": [
- "<0.13.3"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
],
- "v": "<0.13.3"
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.",
- "cve": "CVE-2010-4340",
- "id": "pyup.io-35343",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739",
+ "cve": "CVE-2020-1739",
+ "id": "pyup.io-42871",
"specs": [
- "<0.4.1"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
],
- "v": "<0.4.1"
- }
- ],
- "apache-skywalking": [
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
+ },
{
- "advisory": "Apache-skywalking 8.0.0 includes:\r\n* Fix SQL Injection vulnerability in H2/MySQL implementation.\r\n* Upgrade Nacos to avoid the FastJson CVE-2017-18349 in high frequency.\r\n* Upgrade jasckson-databind to 2.9.10.",
- "cve": "CVE-2017-18349",
- "id": "pyup.io-38630",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736",
+ "cve": "CVE-2020-1736",
+ "id": "pyup.io-42875",
"specs": [
- "<8.0.0"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
],
- "v": "<8.0.0"
- }
- ],
- "apache-superset": [
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
+ },
{
- "advisory": "Apache-superset 0.11.0 allows for requesting access when denied on a dashboard view (#1192), allows to set static headers as configuration (#1126), and prevents XSS on FAB list views (#1125).",
- "cve": "PVE-2021-39495",
- "id": "pyup.io-39495",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735",
+ "cve": "CVE-2020-1735",
+ "id": "pyup.io-42877",
"specs": [
- "<0.11.0"
+ ">=2.7.0a0,<2.7.17",
+ ">=2.8.0a0,<2.8.9",
+ ">=2.9.0a0,<2.9.6"
],
- "v": "<0.11.0"
+ "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "Apache-superset 0.14.0 improves the security scheme (#1587).",
- "cve": "PVE-2021-39494",
- "id": "pyup.io-39494",
+ "advisory": "Ansible versions 2.7.18, 2.8.12 and 2.9.9 include a fix for CVE-2020-10744: The provided fix for CVE-2020-1733 was insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and previous versions are affected. Also Ansible Tower 3.4.5, 3.5.6 and 3.6.4 and previous versions.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744",
+ "cve": "CVE-2020-10744",
+ "id": "pyup.io-42862",
"specs": [
- "<0.14.0"
+ ">=2.7.0a0,<2.7.18",
+ ">=2.8.0a0,<2.8.12",
+ ">=2.9.0a0,<2.9.9"
],
- "v": "<0.14.0"
+ "v": ">=2.7.0a0,<2.7.18,>=2.8.0a0,<2.8.12,>=2.9.0a0,<2.9.9"
},
{
- "advisory": "Apache-superset version 0.17.5 adds a csrf_token api endpoint.",
- "cve": "PVE-2021-41794",
- "id": "pyup.io-41794",
+ "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156",
+ "cve": "CVE-2019-10156",
+ "id": "pyup.io-42887",
"specs": [
- "<0.17.5"
+ ">=2.8.0a0,<2.8.2",
+ ">=2.7.0a0,<2.7.12",
+ ">=2.6.0a0,<2.6.18"
],
- "v": "<0.17.5"
+ "v": ">=2.8.0a0,<2.8.2,>=2.7.0a0,<2.7.12,>=2.6.0a0,<2.6.18"
},
{
- "advisory": "Apache-superset 0.19.1 prevents XSS markup viz (#3211).",
- "cve": "PVE-2021-39491",
- "id": "pyup.io-39491",
+ "advisory": "Ansible 2.8.4 includes a fix for CVE-2019-10217: A flaw was found in Ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all GCP modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running Ansible playbooks.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217",
+ "cve": "CVE-2019-10217",
+ "id": "pyup.io-42885",
"specs": [
- "<0.19.1"
+ ">=2.8.0a0,<2.8.4"
],
- "v": "<0.19.1"
+ "v": ">=2.8.0a0,<2.8.4"
},
{
- "advisory": "Apache-superset 0.23.0 adds all derived FAB UserModelView views to admin only (#4180), fixes 4 security vulnerabilities (#4390), and bumps dependencies with security issues (#4427).",
- "cve": "PVE-2021-39490",
- "id": "pyup.io-39490",
+ "advisory": "Ansible 2.6.19, 2.7.13 and 2.8.4 include a fix for CVE-2019-10206: Ansible-playbook -k and Ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206",
+ "cve": "CVE-2019-10206",
+ "id": "pyup.io-42886",
"specs": [
- "<0.23.0"
+ ">=2.8.0a0,<2.8.4",
+ ">=2.7.0a0,<2.7.13",
+ ">=2.6.0a0,<2.6.19"
],
- "v": "<0.23.0"
- },
+ "v": ">=2.8.0a0,<2.8.4,>=2.7.0a0,<2.7.13,>=2.6.0a0,<2.6.19"
+ }
+ ],
+ "ansible-runner": [
{
- "advisory": "Apache-superset 0.25.0 refactors security code into SupersetSecurityManager (#4565).",
- "cve": "PVE-2021-39488",
- "id": "pyup.io-39488",
- "specs": [
- "<0.25.0"
- ],
- "v": "<0.25.0"
- },
- {
- "advisory": "Apache-superset 0.28.0rc5 moves set/merge perm to security manager (#5684).",
- "cve": "PVE-2021-39485",
- "id": "pyup.io-39485",
- "specs": [
- "<0.28.0rc5"
- ],
- "v": "<0.28.0rc5"
- },
- {
- "advisory": "Apache-superset 0.29.0rc8 secures unsecured views and prevent regressions (#6553).",
- "cve": "PVE-2021-39484",
- "id": "pyup.io-39484",
+ "advisory": "ansible-runner 1.3.1 adds fixes to make default file permissions much more secure, upgrading is recommended.",
+ "cve": "PVE-2021-36995",
+ "id": "pyup.io-36995",
"specs": [
- "<0.29.0rc8"
+ "<1.3.1"
],
- "v": "<0.29.0rc8"
- },
+ "v": "<1.3.1"
+ }
+ ],
+ "ansible-tower-cli": [
{
- "advisory": "Apache-superset 0.31.0rc1 fixes dependencies with vulnerabilities (#6904).",
- "cve": "PVE-2021-39483",
- "id": "pyup.io-39483",
+ "advisory": "Ansible-tower-cli 3.3.5 includes a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684",
+ "cve": "CVE-2020-10684",
+ "id": "pyup.io-42865",
"specs": [
- "<0.31.0rc1"
+ "<3.3.5"
],
- "v": "<0.31.0rc1"
+ "v": "<3.3.5"
},
{
- "advisory": "Apache-superset 0.32.0rc1 makes it easier to redefine Alpha/Gamma (#7036) - this was a security concern. It also \r\nran 'npm audit fix' to address various vulnerabilities (#7263).",
- "cve": "PVE-2021-39482",
- "id": "pyup.io-39482",
+ "advisory": "Ansible-tower-cli is vulnerable to CVE-2020-10744: The provided fix for CVE-2020-1733 was insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and previous versions are affected. Also Ansible Tower 3.4.5, 3.5.6 and 3.6.4 and previous versions.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744",
+ "cve": "CVE-2020-10744",
+ "id": "pyup.io-42863",
"specs": [
- "<0.32.0rc1"
+ "<3.4.5"
],
- "v": "<0.32.0rc1"
+ "v": "<3.4.5"
},
{
- "advisory": "Apache-superset 0.32.0rc2.dev2 updates merge_perm and fixes the FAB method (#7355). These were both security issues.",
- "cve": "PVE-2021-39480",
- "id": "pyup.io-39480",
+ "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735",
+ "cve": "CVE-2020-1735",
+ "id": "pyup.io-42878",
"specs": [
- "<0.32.0rc2.dev2"
+ "<3.6.4"
],
- "v": "<0.32.0rc2.dev2"
+ "v": "<3.6.4"
},
{
- "advisory": "Apache-superset 0.33.0rc1 adds Flask-Talisman (#7443) for security reasons.",
- "cve": "PVE-2021-39481",
- "id": "pyup.io-39481",
+ "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733",
+ "cve": "CVE-2020-1733",
+ "id": "pyup.io-42880",
"specs": [
- "<0.33.0rc1"
+ "<3.6.4"
],
- "v": "<0.33.0rc1"
+ "v": "<3.6.4"
},
{
- "advisory": "Apache-superset 0.34.0 includes various security improvements. It bumps python libs (#7550), it makes security views use superset's list widget (#7724), and it adds docstrings and type hints (#7952).",
- "cve": "PVE-2021-39479",
- "id": "pyup.io-39479",
+ "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736",
+ "cve": "CVE-2020-1736",
+ "id": "pyup.io-42876",
"specs": [
- "<0.34.0"
+ "<3.6.4"
],
- "v": "<0.34.0"
+ "v": "<3.6.4"
},
{
- "advisory": "Apache-superset 0.35.0 adds security for restricted metrics (#8175).",
- "cve": "PVE-2021-39478",
- "id": "pyup.io-39478",
+ "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740",
+ "cve": "CVE-2020-1740",
+ "id": "pyup.io-42870",
"specs": [
- "<0.35.0"
+ "<3.6.4"
],
- "v": "<0.35.0"
+ "v": "<3.6.4"
},
{
- "advisory": "Apache-superset 0.35.1 bumps the dompurify version because of a nasty xss bypass (#8498).",
- "cve": "PVE-2021-39477",
- "id": "pyup.io-39477",
+ "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739",
+ "cve": "CVE-2020-1739",
+ "id": "pyup.io-42872",
"specs": [
- "<0.35.1"
+ "<3.6.4"
],
- "v": "<0.35.1"
+ "v": "<3.6.4"
},
{
- "advisory": "Apache-superset 0.35.2 bumps packages with security vulnerabilities (#8573), and bumps pyarrow to 0.15.1 due to CVE-2019-12408 (#8583).",
- "cve": "CVE-2019-12408",
- "id": "pyup.io-39476",
+ "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738",
+ "cve": "CVE-2020-1738",
+ "id": "pyup.io-42874",
"specs": [
- "<0.35.2"
+ "<3.6.4"
],
- "v": "<0.35.2"
+ "v": "<3.6.4"
},
{
- "advisory": "Apache-superset 0.36.0 filters out markdown containing XSS (#9163), adds support for row-level security (#8699), and lets admins be able to reset user passwords on AUTH_DB (#9232). It also ran 'npm audit fix' to fix 2 vulnerabilities (#9106).",
- "cve": "PVE-2021-39475",
- "id": "pyup.io-39475",
+ "advisory": "Ansible-tower-cli 3.7 includes a fix for CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1968412",
+ "cve": "CVE-2021-3583",
+ "id": "pyup.io-42925",
"specs": [
- "<0.36.0"
+ "<3.7"
],
- "v": "<0.36.0"
+ "v": "<3.7"
},
{
- "advisory": "Apache-superset 0.37.0 includes various security-related improvements. It fixes regression in #9689 (9705), it fixes can_access with None because it crashed on builtin roles (#10039), it renames schemas_accessible_by_user (#10030), renames access methods (#10031), it updates assert logic (#10034), and it fixes the dbs/clusters perm (#10130).",
- "cve": "PVE-2021-39474",
- "id": "pyup.io-39474",
+ "advisory": "Ansible-tower-cli 3.8 includes a fix for CVE-2021-3532: A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956464",
+ "cve": "CVE-2021-3532",
+ "id": "pyup.io-42922",
"specs": [
- "<0.37.0"
+ "<3.8"
],
- "v": "<0.37.0"
+ "v": "<3.8"
},
{
- "advisory": "While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python\u2019s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE. See CVE-2020-13948.",
- "cve": "CVE-2020-13948",
- "id": "pyup.io-38793",
+ "advisory": "Ansible-tower-cli 3.8 includes a fix for CVE-2021-3533: A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956477",
+ "cve": "CVE-2021-3533",
+ "id": "pyup.io-42927",
"specs": [
- "<0.37.1"
+ "<3.8"
],
- "v": "<0.37.1"
+ "v": "<3.8"
},
{
- "advisory": "Apache-superset 0.37.1 disallows uuid package on jinja1 (#10794). This is a security improvement.",
- "cve": "PVE-2021-39473",
- "id": "pyup.io-39473",
+ "advisory": "Ansible-tower-cli 3.8.2 includes a fix for CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker could take advantage of this information to steal those credentials, provided it had access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1939349",
+ "cve": "CVE-2021-3447",
+ "id": "pyup.io-42861",
"specs": [
- "<0.37.1"
+ "<3.8.2"
],
- "v": "<0.37.1"
+ "v": "<3.8.2"
},
{
- "advisory": "Apache-superset 0.9.1 improved its security: Gamma role sees only its objects, and only owners and Admins can alter objects.",
- "cve": "PVE-2021-38193",
- "id": "pyup.io-38193",
+ "advisory": "Ansible-tower-cli 3.1.0 includes a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864",
+ "cve": "CVE-2019-14864",
+ "id": "pyup.io-42883",
"specs": [
- "<0.9.1"
+ ">=3.0.0,<3.1.0"
],
- "v": "<0.9.1"
+ "v": ">=3.0.0,<3.1.0"
},
{
- "advisory": "Apache-superset 1.0.0 includes these fixes:\r\n- CSS injection order (https://github.com/apache/superset/pull/12353)\r\n- Security cleanup annotation and refresh permissions (https://github.com/apache/superset/pull/12119)\r\n- Apply owners security validation (https://github.com/apache/superset/pull/12035)\r\n- Security converge downgrade procedure (https://github.com/apache/superset/pull/11852)",
- "cve": "PVE-2021-41203",
- "id": "pyup.io-41203",
+ "advisory": "Ansible-tower-cli 3.1.0 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774",
+ "cve": "CVE-2021-20178",
+ "id": "pyup.io-42859",
"specs": [
- "<1.0.0"
+ ">=3.0.0,<3.1.0"
],
- "v": "<1.0.0"
+ "v": ">=3.0.0,<3.1.0"
},
{
- "advisory": "Apache-superset 1.2.0 updates some npm packages for security fixes.\r\nhttps://github.com/apache/superset/pull/13367",
- "cve": "PVE-2021-41791",
- "id": "pyup.io-41791",
+ "advisory": "Ansible-tower-cli 3.1.0 includes a fix for CVE-2021-20191: Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1916813",
+ "cve": "CVE-2021-20191",
+ "id": "pyup.io-42857",
"specs": [
- "<1.2.0"
+ ">=3.0.0,<3.1.0"
],
- "v": "<1.2.0"
+ "v": ">=3.0.0,<3.1.0"
}
],
- "apidev-coop": [
+ "ansible-vault": [
{
- "advisory": "apidev-coop is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
- "cve": "PVE-2021-34979",
- "id": "pyup.io-34979",
+ "advisory": "An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.",
+ "cve": "CVE-2017-2809",
+ "id": "pyup.io-35730",
"specs": [
- ">0",
- "<0"
+ "<1.0.5"
],
- "v": ">0,<0"
+ "v": "<1.0.5"
}
],
- "appdaemon": [
+ "ansigenome": [
{
- "advisory": "Appdaemon 3.0.4 uses yaml.Safeloader to work around a known security issue with PyYaml.",
- "cve": "PVE-2021-37096",
- "id": "pyup.io-37096",
+ "advisory": "Ansigenome before 0.6.0 uses yaml.load instead of yaml.safe_load, allowing a code execution vulnerability.",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-34505",
"specs": [
- "<3.0.4"
+ "<0.6.0"
],
- "v": "<3.0.4"
+ "v": "<0.6.0"
}
],
- "appdaemontestframework": [
+ "ansitoimg": [
{
- "advisory": "appdaemontestframework 2.0.1 updates dependencies to prevent security vulnerabilities",
- "cve": "PVE-2021-37908",
- "id": "pyup.io-37908",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.",
+ "cve": "CVE-2021-27922",
+ "id": "pyup.io-40612",
"specs": [
- "<2.0.1"
+ "<2021.0.1"
],
- "v": "<2.0.1"
+ "v": "<2021.0.1"
},
{
- "advisory": "appdaemontestframework 2.3.3 update dependencies to fix security vulnerability",
- "cve": "PVE-2021-37907",
- "id": "pyup.io-37907",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.",
+ "cve": "CVE-2021-27923",
+ "id": "pyup.io-40607",
"specs": [
- "<2.3.3"
+ "<2021.0.1"
],
- "v": "<2.3.3"
- }
- ],
- "apphelpers": [
+ "v": "<2021.0.1"
+ },
{
- "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.",
- "cve": "PVE-2021-37151",
- "id": "pyup.io-37151",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.",
+ "cve": "CVE-2021-27923",
+ "id": "pyup.io-40993",
"specs": [
- "<0.9.2"
+ "<2021.0.1"
],
- "v": "<0.9.2"
- }
- ],
- "appwrite": [
+ "v": "<2021.0.1"
+ },
{
- "advisory": "Appwrite (SDK for Python) version 0.2.0 adds support for appwrite 0.8.0. Appwrite 0.7.1 fixed an XSS vulnerability in the appwrite console.",
- "cve": "PVE-2021-40600",
- "id": "pyup.io-40600",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35655: In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.",
+ "cve": "CVE-2020-35655",
+ "id": "pyup.io-40994",
"specs": [
- "<0.2.0"
+ "<2021.0.1"
],
- "v": "<0.2.0"
+ "v": "<2021.0.1"
},
{
- "advisory": "Appwrite (SDK for Python) version 0.4.0 adds support for appwrite 0.9.0. Appwrite 0.9.0 fixed a potential XSS injection on the console.",
- "cve": "PVE-2021-40934",
- "id": "pyup.io-40934",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35653: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.",
+ "cve": "CVE-2020-35653",
+ "id": "pyup.io-40995",
"specs": [
- "<0.4.0"
+ "<2021.0.1"
],
- "v": "<0.4.0"
+ "v": "<2021.0.1"
},
{
- "advisory": "Appwrite (SDK for Python) version 0.5.0 adds support for appwrite 0.10.0. Appwrite 0.9.4 fixed a security vulnerability that exposes project ID's from other admin users.",
- "cve": "PVE-2021-41261",
- "id": "pyup.io-41261",
+ "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2020-35654).",
+ "cve": "CVE-2020-35654",
+ "id": "pyup.io-40609",
"specs": [
- "<0.5.0"
+ "<2021.0.1"
],
- "v": "<0.5.0"
- }
- ],
- "archi": [
+ "v": "<2021.0.1"
+ },
{
- "advisory": "Archi 0.2.2 is bundled with libarchive 3.4.2. However, libarchive before version 3.4.3 is known to not be secure. See: .",
- "cve": "PVE-2021-37702",
- "id": "pyup.io-37702",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.",
+ "cve": "CVE-2021-27921",
+ "id": "pyup.io-40611",
"specs": [
- "<=0.2.2"
+ "<2021.0.1"
],
- "v": "<=0.2.2"
- }
- ],
- "archmage": [
+ "v": "<2021.0.1"
+ },
{
- "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.",
- "cve": "CVE-2015-1589",
- "id": "pyup.io-25630",
+ "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35654: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.",
+ "cve": "CVE-2020-35654",
+ "id": "pyup.io-40996",
"specs": [
- "<0.3.1"
+ "<2021.0.1"
],
- "v": "<0.3.1"
+ "v": "<2021.0.1"
}
],
- "asciidoc": [
+ "anymotion-sdk": [
{
- "advisory": "Asciidoc 8.6.6 removes the use of 'eval()' on untrusted input to disallow malicious code execution.",
- "cve": "PVE-2021-39514",
- "id": "pyup.io-39514",
+ "advisory": "Anymotion-sdk 1.2.5 updates the 'urllib3' dependency and other packages for more security.",
+ "cve": "PVE-2021-40842",
+ "id": "pyup.io-40842",
"specs": [
- "<8.6.6"
+ "<1.2.5"
],
- "v": "<8.6.6"
+ "v": "<1.2.5"
}
],
- "asgi-csrf": [
+ "ao3-poster": [
{
- "advisory": "Cookie values in asgi-csrf 0.3 are now signed to prevent subdomain attacks. See also: .",
- "cve": "PVE-2021-38376",
- "id": "pyup.io-38376",
+ "advisory": "Ao3-poster version 0.0.6 updates dependencies to include security fixes.",
+ "cve": "PVE-2021-42030",
+ "id": "pyup.io-42030",
"specs": [
- "<0.3"
+ "<0.0.6"
],
- "v": "<0.3"
+ "v": "<0.0.6"
}
],
- "aspen": [
+ "apache-airflow": [
{
- "advisory": "aspen 0.39 fixes two security bugs related to CRLF injection - https://github.com/gratipay/security-qf35us/issues/1",
- "cve": "PVE-2021-36873",
- "id": "pyup.io-36873",
+ "advisory": "Apache-airflow 1.10.0 fixes XSS vulnerability in Variable endpoint.\r\nhttps://github.com/apache/airflow/commit/8f9bf94d82abc59336e642db64e575cee0cc5df0",
+ "cve": "PVE-2021-36832",
+ "id": "pyup.io-36832",
"specs": [
- "<0.39"
+ "<1.10.0"
],
- "v": "<0.39"
+ "v": "<1.10.0"
},
{
- "advisory": "aspen 0.42 protects against URL redirection attacks (#471)",
- "cve": "PVE-2021-36872",
- "id": "pyup.io-36872",
- "specs": [
- "<0.42"
- ],
- "v": "<0.42"
- }
- ],
- "astropy": [
- {
- "advisory": "astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "PVE-2021-35810",
- "id": "pyup.io-35810",
+ "advisory": "In Apache Airflow < 1.10.12, the \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.",
+ "cve": "CVE-2020-13944",
+ "id": "pyup.io-42325",
"specs": [
- "<3.0.1"
+ "<1.10.12"
],
- "v": "<3.0.1"
- }
- ],
- "async-search-client": [
+ "v": "<1.10.12"
+ },
{
- "advisory": "Async-search-client 0.5.1 updates the 'pydantic' dependency from 1.8.1 to 1.8.2 to fix a security vulnerability.",
- "cve": "PVE-2021-40437",
- "id": "pyup.io-40437",
+ "advisory": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. See CVE-2020-17513.",
+ "cve": "CVE-2020-17513",
+ "id": "pyup.io-39282",
"specs": [
- "<0.5.1"
+ "<1.10.13"
],
- "v": "<0.5.1"
- }
- ],
- "asyncssh": [
+ "v": "<1.10.13"
+ },
{
- "advisory": "Asyncssh 2.5.0 added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks.",
- "cve": "PVE-2021-39350",
- "id": "pyup.io-39350",
+ "advisory": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.",
+ "cve": "CVE-2020-17515",
+ "id": "pyup.io-42326",
"specs": [
- "<2.5.0"
+ "<1.10.13"
],
- "v": "<2.5.0"
- }
- ],
- "att-iot-gateway": [
+ "v": "<1.10.13"
+ },
{
- "advisory": "Att-iot-gateway before 0.4.0 uses a insecure HTTP connection.",
- "cve": "PVE-2021-34257",
- "id": "pyup.io-34257",
+ "advisory": "Apache Airflow version 2.1.2 includes a fix for CVE-2021-35936: \r\nIf remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. \r\nhttps://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E",
+ "cve": "CVE-2021-35936",
+ "id": "pyup.io-41181",
"specs": [
- "<0.4.0"
+ "<2.1.2"
],
- "v": "<0.4.0"
- }
- ],
- "auditree-framework": [
+ "v": "<2.1.2"
+ },
{
- "advisory": "Auditree-framework 1.19.0 fixes minor security issues found by the 'bandit'.",
- "cve": "PVE-2021-40445",
- "id": "pyup.io-40445",
+ "advisory": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336). See CVE-2021-28359.",
+ "cve": "CVE-2021-28359",
+ "id": "pyup.io-40341",
"specs": [
- "<1.19.0"
+ ">=1.0.0a1,<1.10.15",
+ ">=2.0.0a1,<2.0.2"
],
- "v": "<1.19.0"
+ "v": ">=1.0.0a1,<1.10.15,>=2.0.0a1,<2.0.2"
}
],
- "aumbry": [
+ "apache-libcloud": [
{
- "advisory": "Aumbry version 0.10.0 includes a security patch for the function 'parse' in 'aumbry/formats/yml.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/pyarmory/aumbry/commit/5b1cd2e4296d3cfb10a6d1bd02cd5b4ecb0f0bcd",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-41307",
+ "advisory": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
+ "cve": "CVE-2012-3446",
+ "id": "pyup.io-25628",
"specs": [
- "<0.10.0"
+ "<0.11.1"
],
- "v": "<0.10.0"
+ "v": "<0.11.1"
},
{
- "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.",
- "cve": "CVE-2020-14343",
- "id": "pyup.io-41759",
- "specs": [
- "==0.10.0"
- ],
- "v": "==0.10.0"
- }
- ],
- "authbwc": [
- {
- "advisory": "authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. The user would have had to be sharing the same http session for this access to have been gained.",
- "cve": "PVE-2021-25631",
- "id": "pyup.io-25631",
+ "advisory": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.",
+ "cve": "CVE-2013-6480",
+ "id": "pyup.io-25629",
"specs": [
- "<0.1.4"
+ "<0.13.3"
],
- "v": "<0.1.4"
+ "v": "<0.13.3"
},
{
- "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.",
- "cve": "PVE-2021-34836",
- "id": "pyup.io-34836",
+ "advisory": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.",
+ "cve": "CVE-2010-4340",
+ "id": "pyup.io-35343",
"specs": [
- "<0.3.1"
+ "<0.4.1"
],
- "v": "<0.3.1"
+ "v": "<0.4.1"
}
],
- "auto-surprise": [
+ "apache-skywalking": [
{
- "advisory": "Auto-surprise 0.1.7 includes bot security version updates.",
- "cve": "PVE-2021-40146",
- "id": "pyup.io-40146",
+ "advisory": "Apache-skywalking 8.0.0 includes:\r\n* Fix SQL Injection vulnerability in H2/MySQL implementation.\r\n* Upgrade Nacos to avoid the FastJson CVE-2017-18349 in high frequency.\r\n* Upgrade jasckson-databind to 2.9.10.",
+ "cve": "CVE-2017-18349",
+ "id": "pyup.io-38630",
"specs": [
- "<0.1.7"
+ "<8.0.0"
],
- "v": "<0.1.7"
+ "v": "<8.0.0"
}
],
- "autobahn": [
+ "apache-superset": [
{
- "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
- "cve": "PVE-2021-25632",
- "id": "pyup.io-25632",
+ "advisory": "Apache-superset 0.14.0 improves the security scheme (#1587).",
+ "cve": "PVE-2021-39494",
+ "id": "pyup.io-39494",
"specs": [
- "<0.15.0"
+ "<0.14.0"
],
- "v": "<0.15.0"
+ "v": "<0.14.0"
},
{
- "advisory": "autobahn 0.6.4 fixes a security issue related to a WAMP-CRA timing attack very, very unlikely to be exploitable.",
- "cve": "PVE-2021-25633",
- "id": "pyup.io-25633",
+ "advisory": "Apache-superset version 0.17.5 adds a csrf_token api endpoint.",
+ "cve": "PVE-2021-41794",
+ "id": "pyup.io-41794",
"specs": [
- "<0.6.4"
+ "<0.17.5"
],
- "v": "<0.6.4"
+ "v": "<0.17.5"
},
{
- "advisory": "Autobahn|Python before 20.12.3 allows redirect header injection. See CVE-2020-35678.",
- "cve": "CVE-2020-35678",
- "id": "pyup.io-39363",
+ "advisory": "Apache-superset 0.23.0 adds all derived FAB UserModelView views to admin only (#4180), fixes 4 security vulnerabilities (#4390), and bumps dependencies with security issues (#4427).",
+ "cve": "PVE-2021-39490",
+ "id": "pyup.io-39490",
"specs": [
- "<20.12.3"
+ "<0.23.0"
],
- "v": "<20.12.3"
- }
- ],
- "avocado-framework": [
+ "v": "<0.23.0"
+ },
{
- "advisory": "avocado-framework 0.17.0 fixes a temporary dir issue, that had potential security implications.",
- "cve": "PVE-2021-34679",
- "id": "pyup.io-34679",
+ "advisory": "Apache-superset 0.25.0 refactors security code into SupersetSecurityManager (#4565).",
+ "cve": "PVE-2021-39488",
+ "id": "pyup.io-39488",
"specs": [
- "<0.17.0"
+ "<0.25.0"
],
- "v": "<0.17.0"
- }
- ],
- "awkward": [
+ "v": "<0.25.0"
+ },
{
- "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.",
- "cve": "PVE-2021-37154",
- "id": "pyup.io-37154",
+ "advisory": "Apache-superset 0.28.0rc5 moves set/merge perm to security manager (#5684).",
+ "cve": "PVE-2021-39485",
+ "id": "pyup.io-39485",
"specs": [
- "<0.10.1"
+ "<0.28.0rc5"
],
- "v": "<0.10.1"
- }
- ],
- "aws-analytics-reference-architecture": [
+ "v": "<0.28.0rc5"
+ },
{
- "advisory": "Aws-analytics-reference-architecture 1.1.1 includes a security update for xmldom (https://github.com/aws-samples/aws-analytics-reference-architecture/issues/97).",
- "cve": "PVE-2021-41196",
- "id": "pyup.io-41196",
+ "advisory": "Apache-superset 0.29.0rc8 secures unsecured views and prevent regressions (#6553).",
+ "cve": "PVE-2021-39484",
+ "id": "pyup.io-39484",
"specs": [
- "<1.1.1"
+ "<0.29.0rc8"
],
- "v": "<1.1.1"
- }
- ],
- "aws-parallelcluster": [
+ "v": "<0.29.0rc8"
+ },
{
- "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. Credentials can now be set up following the canonical procedure used for the aws cli.",
- "cve": "PVE-2021-37211",
- "id": "pyup.io-37211",
+ "advisory": "Apache-superset 0.31.0rc1 fixes dependencies with vulnerabilities (#6904).",
+ "cve": "PVE-2021-39483",
+ "id": "pyup.io-39483",
"specs": [
- "<2.4.0"
+ "<0.31.0rc1"
],
- "v": "<2.4.0"
- }
- ],
- "awscli": [
+ "v": "<0.31.0rc1"
+ },
{
- "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.",
- "cve": "PVE-2021-34627",
- "id": "pyup.io-34627",
+ "advisory": "Apache-superset 0.32.0rc1 makes it easier to redefine Alpha/Gamma (#7036) - this was a security concern. It also \r\nran 'npm audit fix' to address various vulnerabilities (#7263).",
+ "cve": "PVE-2021-39482",
+ "id": "pyup.io-39482",
"specs": [
- "<1.11.83"
+ "<0.32.0rc1"
],
- "v": "<1.11.83"
- }
- ],
- "backend.ai": [
+ "v": "<0.32.0rc1"
+ },
{
- "advisory": "Backend.ai 19.03.0b1 supports running multiple managers on the same host by randomizing internal IPC socket addresses. This also improves the security a little.",
- "cve": "PVE-2021-39087",
- "id": "pyup.io-39087",
+ "advisory": "Apache-superset 0.32.0rc2.dev2 updates merge_perm and fixes the FAB method (#7355). These were both security issues.",
+ "cve": "PVE-2021-39480",
+ "id": "pyup.io-39480",
"specs": [
- "<19.03.0b1"
+ "<0.32.0rc2.dev2"
],
- "v": "<19.03.0b1"
+ "v": "<0.32.0rc2.dev2"
},
{
- "advisory": "Backend.ai 19.03.0rc1 supports authentication with etcd and Redis for better security.",
- "cve": "PVE-2021-39086",
- "id": "pyup.io-39086",
+ "advisory": "Apache-superset 0.33.0rc1 adds Flask-Talisman (#7443) for security reasons.",
+ "cve": "PVE-2021-39481",
+ "id": "pyup.io-39481",
"specs": [
- "<19.03.0rc1"
+ "<0.33.0rc1"
],
- "v": "<19.03.0rc1"
+ "v": "<0.33.0rc1"
},
{
- "advisory": "Backend.ai 19.09.0rc4 includes image import. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases. Additionally, it includes a privilege escalation fix because domain-admins could run sessions on behalf of super-admins in the same domain.",
- "cve": "PVE-2021-38675",
- "id": "pyup.io-38675",
- "specs": [
- "<19.09.0rc4"
+ "advisory": "Apache-superset 0.34.0 includes various security improvements. It bumps python libs (#7550), it makes security views use superset's list widget (#7724), and it adds docstrings and type hints (#7952).",
+ "cve": "PVE-2021-39479",
+ "id": "pyup.io-39479",
+ "specs": [
+ "<0.34.0"
],
- "v": "<19.09.0rc4"
- }
- ],
- "backend.ai-client": [
+ "v": "<0.34.0"
+ },
{
- "advisory": "Backend.ai-client version 21.09.0a1 includes updates to dependencies to embrace security patches in PyYAML. https://github.com/lablup/backend.ai-client-py/issues/158",
- "cve": "PVE-2021-41219",
- "id": "pyup.io-41219",
+ "advisory": "Apache-superset 0.35.0 adds security for restricted metrics (#8175).",
+ "cve": "PVE-2021-39478",
+ "id": "pyup.io-39478",
"specs": [
- "<21.09.0a1"
+ "<0.35.0"
],
- "v": "<21.09.0a1"
- }
- ],
- "backend.ai-manager": [
+ "v": "<0.35.0"
+ },
{
- "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases.",
- "cve": "PVE-2021-37531",
- "id": "pyup.io-37531",
+ "advisory": "Apache-superset 0.35.1 updates its dependency 'dompurify' to v2.0.7 to include a security fix.",
+ "cve": "CVE-2020-26870",
+ "id": "pyup.io-39477",
"specs": [
- "<19.09.0rc4"
+ "<0.35.1"
],
- "v": "<19.09.0rc4"
- }
- ],
- "bakercm": [
+ "v": "<0.35.1"
+ },
{
- "advisory": "bakercm 0.4.4 updates pythoncryptodome after security issue #16",
- "cve": "PVE-2021-36651",
- "id": "pyup.io-36651",
+ "advisory": "Apache-superset 0.35.2 bumps packages with security vulnerabilities (#8573), and bumps pyarrow to 0.15.1 due to CVE-2019-12408 (#8583).",
+ "cve": "CVE-2019-12408",
+ "id": "pyup.io-39476",
"specs": [
- "<0.4.4"
+ "<0.35.2"
],
- "v": "<0.4.4"
- }
- ],
- "barman": [
+ "v": "<0.35.2"
+ },
{
- "advisory": "Barman 2.11 removes the strict superuser requirement for PG 10+. As of PostgreSQL 10 it is possible to execute \r\nbackups without superuser privileges, which is actually the recommended method for security reasons. Non-superuser backups need to grant some privileges to the user used by Barman to connect to PostgreSQL, as documented in the 21-preliminary_steps.en.md section.\r\n\r\nIt also ensures each postgres connection has an empty search_path. This is the only safe option when there is no information about how secure the search path is on the target database. This is done by appending \"options=-csearch_path=\" to any conninfo string.",
- "cve": "PVE-2021-38502",
- "id": "pyup.io-38502",
+ "advisory": "Apache-superset 0.36.0 filters out markdown containing XSS.\r\nhttps://github.com/apache/superset/pull/9163",
+ "cve": "PVE-2021-39475",
+ "id": "pyup.io-39475",
"specs": [
- "<2.11"
+ "<0.36.0"
],
- "v": "<2.11"
- }
- ],
- "baseplate": [
+ "v": "<0.36.0"
+ },
{
- "advisory": "Baseplate 0.19.0 includes support for fetching secrets in a secure, auditable, manner from Hashicorp Vault. A sidecar daemon manages the infrastructure-level authentication with Vault and fetches secrets to a file on disk. Helpers in Baseplate then allow your application to fetch these secrets efficiently from the sidecar daemon with some helpful conventions for versioning/key rotation. This is now the right way to get secret tokens into your application going forward. See: .",
- "cve": "PVE-2021-38349",
- "id": "pyup.io-38349",
+ "advisory": "Apache-superset 0.36.0 updates NPM dependencies to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
+ "cve": "PVE-2021-42732",
+ "id": "pyup.io-42732",
"specs": [
- "<0.19.0"
+ "<0.36.0"
],
- "v": "<0.19.0"
+ "v": "<0.36.0"
},
{
- "advisory": "Authentication tokens in baseplate 0.22.0 provided by the authentication service can now be automatically propagated between services when making Thrift calls. This allows internal services to securely and accurately understand on whose behalf a given request is being made so they can decide if the requester is authorized for a particular action. The context is passed implicitly, in request headers, so no extra parameters need be added to service IDLs. Baseplate provides APIs for validating and accessing the tokens from within request context and will automatically pass upstream credentials to downstream services without extra work.",
- "cve": "PVE-2021-38348",
- "id": "pyup.io-38348",
+ "advisory": "Apache-superset 0.37.0 includes various security-related improvements. It fixes regression in #9689 (9705), it fixes can_access with None because it crashed on builtin roles (#10039), it renames schemas_accessible_by_user (#10030), renames access methods (#10031), it updates assert logic (#10034), and it fixes the dbs/clusters perm (#10130).",
+ "cve": "PVE-2021-39474",
+ "id": "pyup.io-39474",
"specs": [
- "<0.22.0"
+ "<0.37.0"
],
- "v": "<0.22.0"
+ "v": "<0.37.0"
},
{
- "advisory": "Baseplate 0.24.0 includes a EdgeRequestContext/AuthenticationToken unification. This isn't a new addition, but a **breaking** rework of authentication context in Baseplate. Authentication token propagation and access is now fully integrated into the edge request context. Authentication tokens are propagated inside the edge context header and the API for applications built on Baseplate is unified. See below for details on how to use this.",
- "cve": "PVE-2021-38347",
- "id": "pyup.io-38347",
+ "advisory": "While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python\u2019s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE. See CVE-2020-13948.",
+ "cve": "CVE-2020-13948",
+ "id": "pyup.io-38793",
"specs": [
- "<0.24.0"
+ "<0.37.1"
],
- "v": "<0.24.0"
+ "v": "<0.37.1"
},
{
- "advisory": "Services often need to securely store username/password pairs. Baseplate 0.30.0 has a convention for doing so called a credential secret. In addition, the sqlalchemy integration now uses this new credential type and you can expect other integrations to do so in the future. See also: .",
- "cve": "PVE-2021-38346",
- "id": "pyup.io-38346",
+ "advisory": "Apache-superset 0.37.1 disallows uuid package on jinja1 (#10794). This is a security improvement.",
+ "cve": "PVE-2021-39473",
+ "id": "pyup.io-39473",
"specs": [
- "<0.30.0"
+ "<0.37.1"
],
- "v": "<0.30.0"
- }
- ],
- "basketball-reference-web-scraper": [
+ "v": "<0.37.1"
+ },
{
- "advisory": "Basketball-reference-web-scraper 4.2.2 includes upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.",
- "cve": "PVE-2021-37123",
- "id": "pyup.io-37123",
+ "advisory": "Apache-superset 0.9.1 improved its security: Gamma role sees only its objects, and only owners and Admins can alter objects.",
+ "cve": "PVE-2021-38193",
+ "id": "pyup.io-38193",
"specs": [
- "<4.2.2"
+ "<0.9.1"
],
- "v": "<4.2.2"
+ "v": "<0.9.1"
},
{
- "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability. This also fulfills the requirement to update the `requests` version.",
- "cve": "PVE-2021-37195",
- "id": "pyup.io-37195",
+ "advisory": "Apache-superset 1.0.0 includes these fixes:\r\n- CSS injection order (https://github.com/apache/superset/pull/12353)\r\n- Security cleanup annotation and refresh permissions (https://github.com/apache/superset/pull/12119)\r\n- Apply owners security validation (https://github.com/apache/superset/pull/12035)\r\n- Security converge downgrade procedure (https://github.com/apache/superset/pull/11852)",
+ "cve": "PVE-2021-41203",
+ "id": "pyup.io-41203",
"specs": [
- "<4.2.3"
+ "<1.0.0"
],
- "v": "<4.2.3"
- }
- ],
- "bbcode": [
+ "v": "<1.0.0"
+ },
{
- "advisory": "bbcode 1.0.9 escapes quotes correctly to prevent XSS",
- "cve": "PVE-2021-25634",
- "id": "pyup.io-25634",
+ "advisory": "Apache-superset 1.2.0 updates some npm packages for security fixes.\r\nhttps://github.com/apache/superset/pull/13367",
+ "cve": "PVE-2021-41791",
+ "id": "pyup.io-41791",
"specs": [
- "<1.0.9"
+ "<1.2.0"
],
- "v": "<1.0.9"
+ "v": "<1.2.0"
}
],
- "beaker": [
- {
- "advisory": "beaker 0.9.4 fixes security issue with Beaker not properly removing directory escaping characters from the session ID when un-signed sessions are used.",
- "cve": "PVE-2021-25635",
- "id": "pyup.io-25635",
- "specs": [
- "<0.9.4"
- ],
- "v": "<0.9.4"
- },
+ "apidev-coop": [
{
- "advisory": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.",
- "cve": "CVE-2012-3458",
- "id": "pyup.io-25636",
+ "advisory": "apidev-coop is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
+ "cve": "PVE-2021-34979",
+ "id": "pyup.io-34979",
"specs": [
- "<1.6.4"
+ ">0",
+ "<0"
],
- "v": "<1.6.4"
- },
+ "v": ">0,<0"
+ }
+ ],
+ "apispec": [
{
- "advisory": "The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.",
- "cve": "CVE-2013-7489",
- "id": "pyup.io-38464",
+ "advisory": "In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.",
+ "cve": "CVE-2017-18342",
+ "id": "pyup.io-42246",
"specs": [
- "<=1.11.0"
+ "<1.0.0b2"
],
- "v": "<=1.11.0"
+ "v": "<1.0.0b2"
}
],
- "benchexec": [
+ "apkleaks": [
{
- "advisory": "Benchexec 2.2 fixes two security issues:\r\n- Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. Run execution was not affected.\r\n- The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report (https://github.com/sosy-lab/benchexec/issues/new).",
- "cve": "PVE-2021-37510",
- "id": "pyup.io-37510",
+ "advisory": "APKLeaks is an open-source project for scanning APK file for URIs, endpoints & secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via package name inside application manifest. An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior through malicious package name. The problem is fixed in version v2.0.6-dev and above.",
+ "cve": "CVE-2021-21386",
+ "id": "pyup.io-42302",
"specs": [
- "<2.2"
+ "<2.0.3"
],
- "v": "<2.2"
+ "v": "<2.0.3"
}
],
- "bento-lib": [
+ "appdaemon": [
{
- "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.",
- "cve": "PVE-2021-41035",
- "id": "pyup.io-41035",
+ "advisory": "Appdaemon 3.0.4 uses yaml.Safeloader to work around a known security issue with PyYaml.",
+ "cve": "PVE-2021-37096",
+ "id": "pyup.io-37096",
"specs": [
- "<3.0.1"
+ "<3.0.4"
],
- "v": "<3.0.1"
+ "v": "<3.0.4"
}
],
- "bepasty": [
+ "appdaemontestframework": [
{
- "advisory": "bepasty 0.3.0 contains two security fixes: \r\n- When showing potentially dangerous text/* types, force the\r\n content-type to be text/plain and also turn the browser's sniffer off.\r\n- Prevent disclosure of locked item's metadata",
- "cve": "PVE-2021-25637",
- "id": "pyup.io-25637",
+ "advisory": "appdaemontestframework 2.0.1 updates dependencies to prevent security vulnerabilities",
+ "cve": "PVE-2021-37908",
+ "id": "pyup.io-37908",
"specs": [
- "<0.3.0"
+ "<2.0.1"
],
- "v": "<0.3.0"
+ "v": "<2.0.1"
},
{
- "advisory": "Bepasty 0.6.0 invalidates old client-side cookies if PERMISSIONS in config are changed. This is a security fix.",
- "cve": "PVE-2021-39120",
- "id": "pyup.io-39120",
+ "advisory": "appdaemontestframework 2.3.3 update dependencies to fix security vulnerability",
+ "cve": "PVE-2021-37907",
+ "id": "pyup.io-37907",
"specs": [
- "<0.6.0"
+ "<2.3.3"
],
- "v": "<0.6.0"
+ "v": "<2.3.3"
}
],
- "berglas": [
+ "apphelpers": [
{
- "advisory": "Berglas 0.2.0 no longer trusts the environment variables.",
- "cve": "PVE-2021-37340",
- "id": "pyup.io-37340",
+ "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.",
+ "cve": "PVE-2021-37151",
+ "id": "pyup.io-37151",
"specs": [
- "<0.2.0"
+ "<0.9.2"
],
- "v": "<0.2.0"
+ "v": "<0.9.2"
}
],
- "bigchaindb": [
+ "appwrite": [
{
- "advisory": "Bigchaindb 2.2.2 updates several dependencies, including Flask, which had a vulnerability.",
- "cve": "PVE-2021-38832",
- "id": "pyup.io-38832",
+ "advisory": "Appwrite (SDK for Python) version 0.2.0 adds support for appwrite 0.8.0. Appwrite 0.7.1 fixed an XSS vulnerability in the appwrite console.",
+ "cve": "PVE-2021-40600",
+ "id": "pyup.io-40600",
"specs": [
- "<2.2.2"
+ "<0.2.0"
],
- "v": "<2.2.2"
- }
- ],
- "bigchaindb-driver": [
+ "v": "<0.2.0"
+ },
{
- "advisory": "Bigchaindb-driver 0.5.2 includes a fix for CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.",
- "cve": "CVE-2018-10903",
- "id": "pyup.io-36427",
+ "advisory": "Appwrite (SDK for Python) version 0.4.0 adds support for appwrite 0.9.0. Appwrite 0.9.0 fixed a potential XSS injection on the console.",
+ "cve": "PVE-2021-40934",
+ "id": "pyup.io-40934",
"specs": [
- "<0.5.2"
+ "<0.4.0"
],
- "v": "<0.5.2"
+ "v": "<0.4.0"
+ },
+ {
+ "advisory": "Appwrite (SDK for Python) version 0.5.0 adds support for appwrite 0.10.0. Appwrite 0.9.4 fixed a security vulnerability that exposes project ID's from other admin users.",
+ "cve": "PVE-2021-41261",
+ "id": "pyup.io-41261",
+ "specs": [
+ "<0.5.0"
+ ],
+ "v": "<0.5.0"
}
],
- "bigdl": [
+ "archi": [
{
- "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11",
- "cve": "PVE-2021-37576",
- "id": "pyup.io-37576",
+ "advisory": "Archi 0.2.2 is bundled with libarchive 3.4.2. However, libarchive before version 3.4.3 is known to not be secure. See: .",
+ "cve": "PVE-2021-37702",
+ "id": "pyup.io-37702",
"specs": [
- "<0.8.0"
+ "<=0.2.2"
],
- "v": "<0.8.0"
+ "v": "<=0.2.2"
}
],
- "bikeshed": [
- {
- "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
- "cve": "CVE-2021-23422",
- "id": "pyup.io-41179",
- "specs": [
- "<3.0.0"
- ],
- "v": "<3.0.0"
- },
+ "archmage": [
{
- "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23423:\r\nWhen an untrusted source file containing include, include-code or include-raw block is processed, the contents of arbitrary files could be disclosed in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
- "cve": "CVE-2021-23423",
- "id": "pyup.io-41180",
+ "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.",
+ "cve": "CVE-2015-1589",
+ "id": "pyup.io-25630",
"specs": [
- "<3.0.0"
+ "<0.3.1"
],
- "v": "<3.0.0"
+ "v": "<0.3.1"
}
],
- "bincrafters-envy": [
+ "asciidoc": [
{
- "advisory": "bincrafters-envy 0.1.3 updates the request module",
- "cve": "PVE-2021-36732",
- "id": "pyup.io-36732",
+ "advisory": "Asciidoc 8.6.6 removes the use of 'eval()' on untrusted input to disallow malicious code execution.",
+ "cve": "PVE-2021-39514",
+ "id": "pyup.io-39514",
"specs": [
- "<0.1.3"
+ "<8.6.6"
],
- "v": "<0.1.3"
+ "v": "<8.6.6"
}
],
- "birdhousebuilder-recipe-nginx": [
+ "asgi-csrf": [
{
- "advisory": "birdhousebuilder-recipe-nginx 0.1.5 disables the use of SSLv3 (poodle attack).",
- "cve": "PVE-2021-36135",
- "id": "pyup.io-36135",
+ "advisory": "Cookie values in asgi-csrf 0.3 are now signed to prevent subdomain attacks. See also: .",
+ "cve": "PVE-2021-38376",
+ "id": "pyup.io-38376",
"specs": [
- "<0.1.5"
+ "<0.3"
],
- "v": "<0.1.5"
+ "v": "<0.3"
}
],
- "birdhousebuilder.recipe.nginx": [
+ "aspen": [
{
- "advisory": "birdhousebuilder.recipe.nginx 0.1.5 disabled SSLv3 due to the poodle attack.",
- "cve": "PVE-2021-25638",
- "id": "pyup.io-25638",
+ "advisory": "aspen 0.39 fixes two security bugs related to CRLF injection - https://github.com/gratipay/security-qf35us/issues/1",
+ "cve": "PVE-2021-36873",
+ "id": "pyup.io-36873",
"specs": [
- "<0.1.5"
+ "<0.39"
],
- "v": "<0.1.5"
- }
- ],
- "bise.theme": [
+ "v": "<0.39"
+ },
{
- "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.",
- "cve": "PVE-2021-25639",
- "id": "pyup.io-25639",
+ "advisory": "aspen 0.42 protects against URL redirection attacks (#471)",
+ "cve": "PVE-2021-36872",
+ "id": "pyup.io-36872",
"specs": [
- "<2.4"
+ "<0.42"
],
- "v": "<2.4"
+ "v": "<0.42"
}
],
- "bitbot": [
+ "astropy": [
{
- "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.",
- "cve": "PVE-2021-37551",
- "id": "pyup.io-37551",
+ "advisory": "astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
+ "cve": "PVE-2021-35810",
+ "id": "pyup.io-35810",
"specs": [
- "<1.12.0"
+ "<3.0.1"
],
- "v": "<1.12.0"
+ "v": "<3.0.1"
}
],
- "bjoern": [
+ "async-search-client": [
{
- "advisory": "bjoern before 1.4.2 uses a insecure Django release which is vulnerable to CVE-2015-0219, see https://www.djangoproject.com/weblog/2015/jan/13/security/.",
- "cve": "CVE-2015-0219",
- "id": "pyup.io-25640",
+ "advisory": "Async-search-client 0.5.1 updates the 'pydantic' dependency from 1.8.1 to 1.8.2 to fix a security vulnerability.",
+ "cve": "PVE-2021-40437",
+ "id": "pyup.io-40437",
"specs": [
- "<1.4.2"
+ "<0.5.1"
],
- "v": "<1.4.2"
+ "v": "<0.5.1"
}
],
- "blackduck": [
+ "asyncpg": [
{
- "advisory": "Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases. See CVE-2020-27589.",
- "cve": "CVE-2020-27589",
- "id": "pyup.io-39070",
+ "advisory": "asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.",
+ "cve": "CVE-2020-17446",
+ "id": "pyup.io-42281",
"specs": [
- ">=0.0.25,<=0.0.52"
+ "<0.21.0"
],
- "v": ">=0.0.25,<=0.0.52"
+ "v": "<0.21.0"
}
],
- "blask": [
+ "asyncssh": [
{
- "advisory": "Blask 0.2.2 fixes some vulnerabilities. See: .",
- "cve": "PVE-2021-39028",
- "id": "pyup.io-39028",
+ "advisory": "Asyncssh 2.5.0 added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks.",
+ "cve": "PVE-2021-39350",
+ "id": "pyup.io-39350",
"specs": [
- "<0.2.2"
+ "<2.5.0"
],
- "v": "<0.2.2"
+ "v": "<2.5.0"
}
],
- "blazar": [
+ "att-iot-gateway": [
{
- "advisory": "An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected. See: CVE-2020-26943.",
- "cve": "CVE-2020-26943",
- "id": "pyup.io-38884",
+ "advisory": "Att-iot-gateway before 0.4.0 uses a insecure HTTP connection.",
+ "cve": "PVE-2021-34257",
+ "id": "pyup.io-34257",
"specs": [
- "<1.3.1"
+ "<0.4.0"
],
- "v": "<1.3.1"
+ "v": "<0.4.0"
}
],
- "bleach": [
- {
- "advisory": "bleach 2.1 converts control characters (backspace particularly) to \"?\" preventing malicious copy-and-paste situations.",
- "cve": "PVE-2021-34965",
- "id": "pyup.io-34965",
- "specs": [
- "<2.1"
- ],
- "v": "<2.1"
- },
+ "auditree-framework": [
{
- "advisory": "Calls to `bleach.clean` allowing `noscript` and one or more of the raw text tags (`title`, `textarea`, `script`, `style`, `noembed`, `noframes`, `iframe`, and `xmp`) in bleach before version 3.1.1 were vulnerable to a mutation XSS.\r\n\r\nAlso, the `bleach.clean` behavior parsing `noscript` tags in bleach before version 3.1.1 did not match browser behavior.\r\n\r\nThis security issue was confirmed in Bleach versions v2.1.4, v3.0.2, and v3.1.0. Earlier versions are probably affected too.",
- "cve": "PVE-2021-38546",
- "id": "pyup.io-38546",
+ "advisory": "Auditree-framework 1.19.0 fixes minor security issues found by the 'bandit'.",
+ "cve": "PVE-2021-40445",
+ "id": "pyup.io-40445",
"specs": [
- "<3.1.1"
+ "<1.19.0"
],
- "v": "<3.1.1"
- },
+ "v": "<1.19.0"
+ }
+ ],
+ "aumbry": [
{
- "advisory": "The ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior in Bleach versions v2.1.4, v3.0.2, and v3.1.0 (and probably earlier versions too). \r\n\r\nCalls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.\r\n\r\nSee: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315",
- "cve": "PVE-2021-37910",
- "id": "pyup.io-37910",
+ "advisory": "Aumbry version 0.10.0 includes a security patch for the function 'parse' in 'aumbry/formats/yml.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/pyarmory/aumbry/commit/5b1cd2e4296d3cfb10a6d1bd02cd5b4ecb0f0bcd",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-41307",
"specs": [
- "<=3.1.0"
+ "<0.10.0"
],
- "v": "<=3.1.0"
+ "v": "<0.10.0"
},
{
- "advisory": "The ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags in Bleach versions <= 3.1.1 did not match browser behavior and could result in a mutation XSS.\r\n\r\nCalls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\r\n\r\nThis security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.",
- "cve": "PVE-2021-38076",
- "id": "pyup.io-38076",
+ "advisory": "Aumbry version 0.10.0 is vulnerable to CVE-2020-14343 due to using \"yaml.full_load()\" and a vulnerable version of its dependency \"pyyaml\". See CVE-2020-14343.\r\nhttps://github.com/pyarmory/aumbry/commit/66241610e52a4b5e8c88cfa8196b19c339922266",
+ "cve": "CVE-2020-14343",
+ "id": "pyup.io-41759",
"specs": [
- "<=3.1.1"
+ "==0.10.0"
],
- "v": "<=3.1.1"
- },
+ "v": "==0.10.0"
+ }
+ ],
+ "authbwc": [
{
- "advisory": "The ``bleach.clean`` behavior parsing style attributes in bleach before 3.1.4 could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.",
- "cve": "PVE-2021-38107",
- "id": "pyup.io-38107",
+ "advisory": "Authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. The user would have had to be sharing the same http session for this access to have been gained.",
+ "cve": "PVE-2021-25631",
+ "id": "pyup.io-25631",
"specs": [
- "<=3.1.3"
+ "<0.1.4"
],
- "v": "<=3.1.3"
+ "v": "<0.1.4"
},
{
- "advisory": "bleach 2.1.3 fixes a security issue. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.",
- "cve": "CVE-2018-7753",
- "id": "pyup.io-35792",
+ "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.",
+ "cve": "PVE-2021-34836",
+ "id": "pyup.io-34836",
"specs": [
- ">=2.1,<2.1.3"
+ "<0.3.1"
],
- "v": ">=2.1,<2.1.3"
+ "v": "<0.3.1"
}
],
- "bleach-extras": [
+ "auto-surprise": [
{
- "advisory": "Bleach-extras 0.0.4 requires bleach version 3.2.1 to deal with security issues.",
- "cve": "PVE-2021-38875",
- "id": "pyup.io-38875",
+ "advisory": "Auto-surprise 0.1.7 includes bot security version updates.",
+ "cve": "PVE-2021-40146",
+ "id": "pyup.io-40146",
"specs": [
- "<0.0.4"
+ "<0.1.7"
],
- "v": "<0.0.4"
+ "v": "<0.1.7"
}
],
- "blinkpy": [
+ "autobahn": [
{
- "advisory": "blinkpy 0.10.2 sets minimum required version of the requests library to 2.20.0 due to vulnerability in earlier releases.",
- "cve": "PVE-2021-36596",
- "id": "pyup.io-36596",
+ "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
+ "cve": "PVE-2021-25632",
+ "id": "pyup.io-25632",
"specs": [
- "<0.10.2"
+ "<0.15.0"
],
- "v": "<0.10.2"
- }
- ],
- "block-io": [
+ "v": "<0.15.0"
+ },
{
- "advisory": "block-io 1.1.7 includes a fix for CVE-2013-7459 - https://security-tracker.debian.org/tracker/CVE-2013-7459",
- "cve": "CVE-2013-7459",
- "id": "pyup.io-36442",
+ "advisory": "autobahn 0.6.4 fixes a security issue related to a WAMP-CRA timing attack very, very unlikely to be exploitable.",
+ "cve": "PVE-2021-25633",
+ "id": "pyup.io-25633",
"specs": [
- "<1.1.7"
+ "<0.6.4"
],
- "v": "<1.1.7"
+ "v": "<0.6.4"
},
{
- "advisory": "Block-io 1.1.9 includes a fix for Requests vulnerability. See CVE-2018-18074.",
- "cve": "CVE-2018-18074",
- "id": "pyup.io-36712",
+ "advisory": "Autobahn|Python before 20.12.3 allows redirect header injection. See CVE-2020-35678.",
+ "cve": "CVE-2020-35678",
+ "id": "pyup.io-39363",
"specs": [
- "<1.1.9"
+ "<20.12.3"
],
- "v": "<1.1.9"
+ "v": "<20.12.3"
}
],
- "boatswain": [
+ "autocrop": [
{
- "advisory": "Boatswain version 1.0.4 includes a security patch for the function 'main' in 'boatswain/cli.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/NLeSC/boatswain/commit/1fc3f79b8f1f2affb407c7a147cca71c11f26d3c",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-41308",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-5310",
+ "id": "pyup.io-42932",
"specs": [
- "<1.0.4"
+ "<1.1.1"
],
- "v": "<1.0.4"
- }
- ],
- "bodhi": [
+ "v": "<1.1.1"
+ },
{
- "advisory": "Bodhi 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is\r\nwarped to make it more difficult to solve through automation.\r\n\r\n- https://github.com/fedora-infra/bodhi/pull/857\r\n- https://github.com/fedora-infra/bodhi/commit/f0122855",
- "cve": "CVE-2016-1000008",
- "id": "pyup.io-34274",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-11538",
+ "id": "pyup.io-42934",
"specs": [
- "<2.2.0"
+ "<1.1.1"
],
- "v": "<2.2.0"
+ "v": "<1.1.1"
},
{
- "advisory": "In bodhi before 2.9.1 it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects.",
- "cve": "PVE-2021-35208",
- "id": "pyup.io-35208",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-10378",
+ "id": "pyup.io-42936",
"specs": [
- "<2.9.1"
+ "<1.1.1"
],
- "v": "<2.9.1"
- }
- ],
- "bodhi-server": [
+ "v": "<1.1.1"
+ },
{
- "advisory": "Bodhi-server 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is warped to make it more difficult to solve through automation.\r\n\r\nSee: https://github.com/fedora-infra/bodhi/pull/857\r\nAnd: https://github.com/fedora-infra/bodhi/commit/f0122855",
- "cve": "CVE-2016-1000008",
- "id": "pyup.io-34241",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-10994",
+ "id": "pyup.io-42937",
"specs": [
- "<2.2.0"
+ "<1.1.1"
],
- "v": "<2.2.0"
- }
- ],
- "bok-choy": [
+ "v": "<1.1.1"
+ },
{
- "advisory": "bok-choy 0.5.1 contains a fix to XSS vulnerability in the auditing feature.",
- "cve": "PVE-2021-25641",
- "id": "pyup.io-25641",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-35653",
+ "id": "pyup.io-42939",
"specs": [
- "<0.5.1"
+ "<1.1.1"
],
- "v": "<0.5.1"
- }
- ],
- "bokeh": [
+ "v": "<1.1.1"
+ },
{
- "advisory": "Bokeh before 1.0.4 used a Pyyaml version that was vulnerable to CVE-2017-18342.",
- "cve": "CVE-2017-18342",
- "id": "pyup.io-36780",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-35655",
+ "id": "pyup.io-42940",
"specs": [
- "<1.0.4"
+ "<1.1.1"
],
- "v": "<1.0.4"
+ "v": "<1.1.1"
},
{
- "advisory": "Bokeh before 1.1.0 includes a handlebars security vulnerability [components: bokehjs & build]. NPM won't install.",
- "cve": "PVE-2021-37031",
- "id": "pyup.io-37031",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-5313",
+ "id": "pyup.io-42933",
"specs": [
- "<1.1.0"
+ "<1.1.1"
],
- "v": "<1.1.0"
+ "v": "<1.1.1"
},
{
- "advisory": "Bokeh 1.2.0 fixes a security vulnerabilities reported by npm audit.",
- "cve": "PVE-2021-37170",
- "id": "pyup.io-37170",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-10379",
+ "id": "pyup.io-42935",
"specs": [
- "<1.2.0"
+ "<1.1.1"
],
- "v": "<1.2.0"
- }
- ],
- "boss-cli": [
+ "v": "<1.1.1"
+ },
{
- "advisory": "Boss-cli 1.0.0-alpha.20 fixes a CVE-2018-18074 vulnerability due to an issue with the `Requests` package.",
- "cve": "CVE-2018-18074",
- "id": "pyup.io-38521",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-35654",
+ "id": "pyup.io-42938",
"specs": [
- "<1.0.0a20"
+ "<1.1.1"
],
- "v": "<1.0.0a20"
+ "v": "<1.1.1"
},
{
- "advisory": "boss-cli 1.0.0alpha.18 fixes CVE-2018-7750 security vulnerability - https://github.com/kabirbaidhya/boss/pull/126",
- "cve": "CVE-2018-7750",
- "id": "pyup.io-36543",
+ "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
+ "cve": "CVE-2020-15999",
+ "id": "pyup.io-42851",
"specs": [
- "<1.0.0alpha.18"
+ "<1.1.1"
],
- "v": "<1.0.0alpha.18"
- },
+ "v": "<1.1.1"
+ }
+ ],
+ "avocado-framework": [
{
- "advisory": "Boss-cli 1.0.0alpha.20 fixes CVE-2018-18074 vulnerability due to `requests`.",
- "cve": "CVE-2018-18074",
- "id": "pyup.io-36595",
+ "advisory": "avocado-framework 0.17.0 fixes a temporary dir issue, that had potential security implications.",
+ "cve": "PVE-2021-34679",
+ "id": "pyup.io-34679",
"specs": [
- "<1.0.0alpha.20"
+ "<0.17.0"
],
- "v": "<1.0.0alpha.20"
- },
+ "v": "<0.17.0"
+ }
+ ],
+ "awkward": [
{
- "advisory": "Boss-cli 1.0.0beta.6 uses yaml.FullLoader for loading yaml config and upgrades the dependency pyyaml (CVE-2017-18342).",
- "cve": "CVE-2017-18342",
- "id": "pyup.io-37129",
+ "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.",
+ "cve": "PVE-2021-37154",
+ "id": "pyup.io-37154",
"specs": [
- "<1.0.0beta.6"
+ "<0.10.1"
],
- "v": "<1.0.0beta.6"
+ "v": "<0.10.1"
}
],
- "boto3": [
+ "aws-analytics-reference-architecture": [
{
- "advisory": "Boto3 version 1.4.5 fixes an information exposure vulnerability:\r\nThe boto logger boto3.resources.action, which propagates to root logger, logs the entire uploaded bytes at INFO level.\r\nhttps://github.com/boto/boto3/issues/1017",
- "cve": "PVE-2021-41708",
- "id": "pyup.io-41708",
+ "advisory": "Aws-analytics-reference-architecture 1.1.1 includes a security update for xmldom (https://github.com/aws-samples/aws-analytics-reference-architecture/issues/97).",
+ "cve": "PVE-2021-41196",
+ "id": "pyup.io-41196",
"specs": [
- "<1.4.5"
+ "<1.1.1"
],
- "v": "<1.4.5"
+ "v": "<1.1.1"
}
],
- "bottle": [
+ "aws-encryption-sdk": [
{
- "advisory": "redirect() in bottle.py in bottle 0.12.10 doesn't filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.",
- "cve": "CVE-2016-9964",
- "id": "pyup.io-25642",
+ "advisory": "Aws-encryption-sdk versions 1.9.0 and 2.2.0 improve the decryption process to handle signature and message validation vulnerabilities.\r\nhttps://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-x5h4-9gqw-942j",
+ "cve": "PVE-2021-41848",
+ "id": "pyup.io-41848",
"specs": [
- "<0.12.10"
+ "<1.9.0",
+ ">=2.0.0,<2.2.0"
],
- "v": "<0.12.10"
+ "v": "<1.9.0,>=2.0.0,<2.2.0"
+ }
+ ],
+ "aws-encryption-sdk-cli": [
+ {
+ "advisory": "Aws-encryption-sdk-cli versions 1.9.0 and 2.2.0 address several low severity issues related to streaming signed messages and restricting processing of certain types of invalid messages. See https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-89v2-g37m-g3ff",
+ "cve": "PVE-2021-42633",
+ "id": "pyup.io-42633",
+ "specs": [
+ "<1.9.0",
+ ">=2.0.0,<2.2.0"
+ ],
+ "v": "<1.9.0,>=2.0.0,<2.2.0"
},
{
- "advisory": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. See CVE-2020-28473.",
- "cve": "CVE-2020-28473",
- "id": "pyup.io-39461",
+ "advisory": "Aws-encryption-sdk-cli 4.0.0 no longer supports Python versions prior to 3.5. That Python releases don't receive security updates anymore.",
+ "cve": "PVE-2021-42632",
+ "id": "pyup.io-42632",
"specs": [
- "<0.12.19"
+ "<4.0.0"
],
- "v": "<0.12.19"
+ "v": "<4.0.0"
},
{
- "advisory": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.",
- "cve": "CVE-2014-3137",
- "id": "pyup.io-35548",
+ "advisory": "Aws-encryption-sdk-cli 4.1.0 no longer supports Python 3.5. The mentioned Python version doesn't receive security updates anymore.",
+ "cve": "PVE-2021-42631",
+ "id": "pyup.io-42631",
"specs": [
- ">=0.10,<0.10.12",
- ">=0.11,<0.11.7",
- ">=0.12,<0.12.6"
+ "<4.1.0"
],
- "v": ">=0.10,<0.10.12,>=0.11,<0.11.7,>=0.12,<0.12.6"
+ "v": "<4.1.0"
}
],
- "boussole": [
+ "aws-glue-schema-registry": [
{
- "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. Boussole now uses the full loader mode so it does not trigger a warning anymore.",
- "cve": "PVE-2021-37147",
- "id": "pyup.io-37147",
+ "advisory": "Aws-glue-schema-registry fixes security vulnerability in transitive dependencies.",
+ "cve": "PVE-2021-42757",
+ "id": "pyup.io-42757",
"specs": [
- "<1.5.0"
+ "<1.1.5"
],
- "v": "<1.5.0"
+ "v": "<1.1.5"
}
],
- "brasil.gov.portal": [
+ "aws-parallelcluster": [
{
- "advisory": "brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.",
- "cve": "PVE-2021-35086",
- "id": "pyup.io-35086",
+ "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. Credentials can now be set up following the canonical procedure used for the aws cli.",
+ "cve": "PVE-2021-37211",
+ "id": "pyup.io-37211",
"specs": [
- "<1.5.1"
+ "<2.4.0"
],
- "v": "<1.5.1"
+ "v": "<2.4.0"
}
],
- "brume": [
+ "aws-v4signer": [
{
- "advisory": "Brume version 2.0.2 includes a security patch for the function 'load' in 'brume/config.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/flou/brume/commit/9407537a4f24521b6d009a52a77b4f6deabb0b71#diff-db395031eb85fc2c76864f9a9e13ed341de029a79e0fc76a798090f50504fb6a",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-41309",
+ "advisory": "Aws-v4signer version 0.6 updates dependencies to include security fixes.",
+ "cve": "PVE-2021-42019",
+ "id": "pyup.io-42019",
"specs": [
- "<2.0.2"
+ "<0.6"
],
- "v": "<2.0.2"
+ "v": "<0.6"
}
],
- "bsblan": [
+ "awscli": [
{
- "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.",
- "cve": "PVE-2021-37697",
- "id": "pyup.io-37697",
+ "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.",
+ "cve": "PVE-2021-34627",
+ "id": "pyup.io-34627",
"specs": [
- "<0.27"
+ "<1.11.83"
],
- "v": "<0.27"
+ "v": "<1.11.83"
}
],
- "buildbot": [
+ "awsiotsdk": [
{
- "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.",
- "cve": "PVE-2021-36320",
- "id": "pyup.io-36320",
+ "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40830: The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system\u2019s default trust-store. Attackers with access to a host\u2019s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This issue affects Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix.",
+ "cve": "CVE-2021-40830",
+ "id": "pyup.io-42782",
"specs": [
- "<1.3.0"
+ "<1.6.1"
],
- "v": "<1.3.0"
- },
+ "v": "<1.6.1"
+ }
+ ],
+ "awxkit": [
{
- "advisory": "Buildbot 1.8.2 fixes a vulnerability in OAuth where user-submitted authorization tokens are used for authentication. See: .",
- "cve": "PVE-2021-37161",
- "id": "pyup.io-37161",
+ "advisory": "When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.",
+ "cve": "CVE-2019-3869",
+ "id": "pyup.io-42339",
"specs": [
- "<1.8.2"
+ "<5.0.0"
],
- "v": "<1.8.2"
- },
+ "v": "<5.0.0"
+ }
+ ],
+ "babel": [
{
- "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)",
- "cve": "PVE-2021-36865",
- "id": "pyup.io-36865",
+ "advisory": "Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.\r\nhttps://github.com/python-babel/babel/pull/782\r\nhttps://lists.debian.org/debian-lts/2021/10/msg00040.html\r\nhttps://www.tenable.com/security/research/tra-2021-14\r\nhttps://lists.debian.org/debian-lts-announce/2021/10/msg00018.html",
+ "cve": "CVE-2021-42771",
+ "id": "pyup.io-42203",
"specs": [
- "<2.0.0"
+ "<2.9.1"
],
- "v": "<2.0.0"
+ "v": "<2.9.1"
+ }
+ ],
+ "backend.ai": [
+ {
+ "advisory": "Backend.ai 19.03.0b1 supports running multiple managers on the same host by randomizing internal IPC socket addresses. This also improves the security a little.",
+ "cve": "PVE-2021-39087",
+ "id": "pyup.io-39087",
+ "specs": [
+ "<19.03.0b1"
+ ],
+ "v": "<19.03.0b1"
},
{
- "advisory": "Buildbot 2.3.1 fixes a vulnerability in OAuth where a user-submitted authorization token was used for authentication. See: .",
- "cve": "PVE-2021-37160",
- "id": "pyup.io-37160",
+ "advisory": "Backend.ai 19.03.0rc1 supports authentication with etcd and Redis for better security.",
+ "cve": "PVE-2021-39086",
+ "id": "pyup.io-39086",
"specs": [
- "<2.3.1"
+ "<19.03.0rc1"
],
- "v": "<2.3.1"
- }
- ],
- "byarse": [
+ "v": "<19.03.0rc1"
+ },
{
- "advisory": "Byarse 1.1.0 introduces 'Safe mode', which can be enabled to prevent unpickling Pickle type during deserialization. This prevents a big security vulnerability.",
- "cve": "PVE-2021-38754",
- "id": "pyup.io-38754",
+ "advisory": "Backend.ai 19.09.0rc4 includes image import. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases. Additionally, it includes a privilege escalation fix because domain-admins could run sessions on behalf of super-admins in the same domain.",
+ "cve": "PVE-2021-38675",
+ "id": "pyup.io-38675",
"specs": [
- "<1.1.0"
+ "<19.09.0rc4"
],
- "v": "<1.1.0"
+ "v": "<19.09.0rc4"
}
],
- "bzip": [
+ "backend.ai-client": [
{
- "advisory": "bzip is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
- "cve": "PVE-2021-34980",
- "id": "pyup.io-34980",
+ "advisory": "Backend.ai-client version 21.09.0a1 includes updates to dependencies to embrace security patches in PyYAML. https://github.com/lablup/backend.ai-client-py/issues/158",
+ "cve": "PVE-2021-41219",
+ "id": "pyup.io-41219",
"specs": [
- ">0",
- "<0"
+ "<21.09.0a1"
],
- "v": ">0,<0"
+ "v": "<21.09.0a1"
}
],
- "cabot": [
+ "backend.ai-manager": [
{
- "advisory": "In September 2020 it was reported that all versions of the cabot package are vulnerable to Cross-site Scripting (XSS) via the Endpoint column. The latest release of cabot at that date was version 0.11.7.",
- "cve": "CVE-2020-7734",
- "id": "pyup.io-38806",
+ "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases.",
+ "cve": "PVE-2021-37531",
+ "id": "pyup.io-37531",
"specs": [
- "<=0.11.7"
+ "<19.09.0rc4"
],
- "v": "<=0.11.7"
+ "v": "<19.09.0rc4"
}
],
- "cacophonyapi": [
+ "bakercm": [
{
- "advisory": "Cacophonyapi 4.13.0 addresses a security vulnerability. No details were given.",
- "cve": "PVE-2021-39127",
- "id": "pyup.io-39127",
+ "advisory": "bakercm 0.4.4 updates pythoncryptodome after security issue #16",
+ "cve": "PVE-2021-36651",
+ "id": "pyup.io-36651",
"specs": [
- "<4.13.0"
+ "<0.4.4"
],
- "v": "<4.13.0"
- },
+ "v": "<0.4.4"
+ }
+ ],
+ "barman": [
{
- "advisory": "Cacophonyapi 4.6.0 addresses a security vulnerability in eslint-utils.",
- "cve": "PVE-2021-39128",
- "id": "pyup.io-39128",
+ "advisory": "Barman 2.11 removes the strict superuser requirement for PG 10+. As of PostgreSQL 10 it is possible to execute \r\nbackups without superuser privileges, which is actually the recommended method for security reasons. Non-superuser backups need to grant some privileges to the user used by Barman to connect to PostgreSQL, as documented in the 21-preliminary_steps.en.md section.\r\n\r\nIt also ensures each postgres connection has an empty search_path. This is the only safe option when there is no information about how secure the search path is on the target database. This is done by appending \"options=-csearch_path=\" to any conninfo string.",
+ "cve": "PVE-2021-38502",
+ "id": "pyup.io-38502",
"specs": [
- "<4.6.0"
+ "<2.11"
],
- "v": "<4.6.0"
+ "v": "<2.11"
}
],
- "cairosvg": [
+ "baseplate": [
{
- "advisory": "cairosvg 1.0.21 is a security update. CairoSVG was vulnerable to XML eXternal Entity (XXE) attacks, this release fixes this vulnerability by not resolving the XML entities anymore. The ``--unsafe`` option has been added to force the resolution of XML entities. Obviously, this option is not safe and should only be used with trusted SVG files.",
- "cve": "PVE-2021-25643",
- "id": "pyup.io-25643",
+ "advisory": "Baseplate 0.19.0 includes support for fetching secrets in a secure, auditable, manner from Hashicorp Vault. A sidecar daemon manages the infrastructure-level authentication with Vault and fetches secrets to a file on disk. Helpers in Baseplate then allow your application to fetch these secrets efficiently from the sidecar daemon with some helpful conventions for versioning/key rotation. This is now the right way to get secret tokens into your application going forward. See: .",
+ "cve": "PVE-2021-38349",
+ "id": "pyup.io-38349",
"specs": [
- "<1.0.21"
+ "<0.19.0"
],
- "v": "<1.0.21"
+ "v": "<0.19.0"
},
{
- "advisory": "CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. See CVE-2021-21236.",
- "cve": "CVE-2021-21236",
- "id": "pyup.io-39419",
+ "advisory": "Authentication tokens in baseplate 0.22.0 provided by the authentication service can now be automatically propagated between services when making Thrift calls. This allows internal services to securely and accurately understand on whose behalf a given request is being made so they can decide if the requester is authorized for a particular action. The context is passed implicitly, in request headers, so no extra parameters need be added to service IDLs. Baseplate provides APIs for validating and accessing the tokens from within request context and will automatically pass upstream credentials to downstream services without extra work.",
+ "cve": "PVE-2021-38348",
+ "id": "pyup.io-38348",
"specs": [
- "<2.5.1"
+ "<0.22.0"
],
- "v": "<2.5.1"
+ "v": "<0.22.0"
},
{
- "advisory": "When processing SVG files, cairosvg before 2.5.1 was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.",
- "cve": "PVE-2021-39404",
- "id": "pyup.io-39404",
- "specs": [
- "<2.5.1"
- ],
- "v": "<2.5.1"
- }
- ],
- "calcipy": [
- {
- "advisory": "Calcipy 2021.0.2.0 adding security check task.",
- "cve": "PVE-2021-40621",
- "id": "pyup.io-40621",
+ "advisory": "Baseplate 0.24.0 includes a EdgeRequestContext/AuthenticationToken unification. This isn't a new addition, but a **breaking** rework of authentication context in Baseplate. Authentication token propagation and access is now fully integrated into the edge request context. Authentication tokens are propagated inside the edge context header and the API for applications built on Baseplate is unified. See below for details on how to use this.",
+ "cve": "PVE-2021-38347",
+ "id": "pyup.io-38347",
"specs": [
- "<2021.0.2.0"
+ "<0.24.0"
],
- "v": "<2021.0.2.0"
- }
- ],
- "calcwave": [
+ "v": "<0.24.0"
+ },
{
- "advisory": "Calcwave 1.2.6 updates limits for modules and functions available to 'eval()' in the interpreter. This greatly improves the security and reduces the risk of accidentally calling the 'Python' function that damages your computer.",
- "cve": "PVE-2021-40507",
- "id": "pyup.io-40507",
+ "advisory": "Services often need to securely store username/password pairs. Baseplate 0.30.0 has a convention for doing so called a credential secret. In addition, the sqlalchemy integration now uses this new credential type and you can expect other integrations to do so in the future. See also: .",
+ "cve": "PVE-2021-38346",
+ "id": "pyup.io-38346",
"specs": [
- "<1.2.6"
+ "<0.30.0"
],
- "v": "<1.2.6"
+ "v": "<0.30.0"
}
],
- "candig-server": [
- {
- "advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.",
- "cve": "PVE-2021-37219",
- "id": "pyup.io-37219",
- "specs": [
- "<0.9.0"
- ],
- "v": "<0.9.0"
- },
+ "basketball-reference-web-scraper": [
{
- "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.",
- "cve": "PVE-2021-37218",
- "id": "pyup.io-37218",
+ "advisory": "Basketball-reference-web-scraper 4.2.2 includes upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.",
+ "cve": "PVE-2021-37123",
+ "id": "pyup.io-37123",
"specs": [
- "<0.9.2"
+ "<4.2.2"
],
- "v": "<0.9.2"
+ "v": "<4.2.2"
},
{
- "advisory": "Candig-server 1.0.2 updates WerkZeug to 0.15.5 to resolve its security vulnerabilities.",
- "cve": "PVE-2021-37467",
- "id": "pyup.io-37467",
+ "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-37195",
"specs": [
- "<1.0.2"
+ "<4.2.3"
],
- "v": "<1.0.2"
- },
+ "v": "<4.2.3"
+ }
+ ],
+ "basxconnect": [
{
- "advisory": "Candig-server 1.4.0 includes some upgraded third-party libraries, improving security.",
- "cve": "PVE-2021-39169",
- "id": "pyup.io-39169",
+ "advisory": "Basxconnect 0.3.54 fixes a missing CSRF token issue.\r\nhttps://github.com/basxsoftwareassociation/basxconnect/commit/6d5809b78dcf033e4f0ca30e305dd3a382f56709",
+ "cve": "PVE-2021-42928",
+ "id": "pyup.io-42928",
"specs": [
- "<1.4.0"
+ "<0.3.54"
],
- "v": "<1.4.0"
+ "v": "<0.3.54"
}
],
- "cartridge-braintree": [
+ "bbcode": [
{
- "advisory": "Cartridge-braintree 1.2.2 sets minimum Django version to 1.11.29 and maximum version to 1.12 to fix security vulnerabilities.",
- "cve": "PVE-2021-40229",
- "id": "pyup.io-40229",
+ "advisory": "Bbcode 1.0.9 escapes quotes to prevent XSS.\r\nhttps://github.com/dcwatson/bbcode/issues/4",
+ "cve": "PVE-2021-25634",
+ "id": "pyup.io-25634",
"specs": [
- "<1.2.2"
+ "<1.0.9"
],
- "v": "<1.2.2"
+ "v": "<1.0.9"
}
],
- "catboost": [
+ "beaker": [
{
- "advisory": "Catboost 0.26 updates version of scala 2.11 for security reasons.\r\nhttps://github.com/catboost/catboost/issues/1632",
- "cve": "PVE-2021-41743",
- "id": "pyup.io-41743",
+ "advisory": "beaker 0.9.4 fixes security issue with Beaker not properly removing directory escaping characters from the session ID when un-signed sessions are used.",
+ "cve": "PVE-2021-25635",
+ "id": "pyup.io-25635",
"specs": [
- "<0.26"
+ "<0.9.4"
],
- "v": "<0.26"
- }
- ],
- "cbapi": [
+ "v": "<0.9.4"
+ },
{
- "advisory": "The underlying CbAPI connection class erroneously disabled hostname validation by default. This does *not* affect code that uses CbAPI through the public interfaces documented here; it only affects code that accesses the new ``CbAPISessionAdapter`` class directly. This class was introduced in version 1.3.3. Regardless, it is strongly recommended that all users currently using 1.3.3 upgrade to 1.3.4.",
- "cve": "PVE-2021-34933",
- "id": "pyup.io-34933",
+ "advisory": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.",
+ "cve": "CVE-2012-3458",
+ "id": "pyup.io-25636",
"specs": [
- ">=1.3.3,<1.3.4"
+ "<1.6.4"
],
- "v": ">=1.3.3,<1.3.4"
- }
- ],
- "ccf": [
+ "v": "<1.6.4"
+ },
{
- "advisory": "Ccf 0.7 fixes a vulnerability to a possible replay attack.",
- "cve": "PVE-2021-38641",
- "id": "pyup.io-38641",
+ "advisory": "The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.",
+ "cve": "CVE-2013-7489",
+ "id": "pyup.io-38464",
"specs": [
- "<0.7"
+ "<=1.11.0"
],
- "v": "<0.7"
+ "v": "<=1.11.0"
}
],
- "celery": [
+ "beets": [
{
- "advisory": "Insecure default configuration The default accept_content setting was set to allow deserialization of pickled messages in Celery 4.0.0. The insecure default has been fixed in 4.0.1, and you can also configure the 4.0.0 version to explicitly only allow json serialized messages.",
- "cve": "PVE-2021-25646",
- "id": "pyup.io-25646",
+ "advisory": "Beets 1.6.0 sanitize filenames in image IDs in the Aura plugin.\r\nhttps://github.com/beetbox/beets/pull/4160/commits/1fad3d01aea4627af42a9b7190d6869d2b007cc4",
+ "cve": "PVE-2021-42892",
+ "id": "pyup.io-42892",
"specs": [
- ">=4.0,<4.0.1"
+ "<1.6.0"
],
- "v": ">=4.0,<4.0.1"
+ "v": "<1.6.0"
}
],
- "cellxgene": [
+ "benchexec": [
{
- "advisory": "Cellxgene 0.12.0 has Python and Javascript package updates, for both security and performance.",
- "cve": "PVE-2021-37801",
- "id": "pyup.io-37801",
+ "advisory": "Benchexec 2.2 fixes a security issue. The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report.\r\nhttps://github.com/sosy-lab/benchexec/commit/5f043cd2d2484a75bee48efb924700c0b1ce32b4",
+ "cve": "PVE-2021-42546",
+ "id": "pyup.io-42546",
"specs": [
- "<0.12.0"
+ "<2.2"
],
- "v": "<0.12.0"
+ "v": "<2.2"
},
{
- "advisory": "Cellxgene 0.16.0 removed the `client` package that introduced security vulnerabilities.",
- "cve": "PVE-2021-38696",
- "id": "pyup.io-38696",
+ "advisory": "Benchexec 2.2 fixes a security issue. Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. Run execution was not affected.\r\nhttps://github.com/sosy-lab/benchexec/commit/dea58cac6e066d89e3ab3e374c6472d575493d07",
+ "cve": "PVE-2021-37510",
+ "id": "pyup.io-37510",
"specs": [
- "<0.16.0"
+ "==2.1"
],
- "v": "<0.16.0"
+ "v": "==2.1"
}
],
- "centrifuge": [
+ "bento-lib": [
{
- "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.",
- "cve": "PVE-2021-25647",
- "id": "pyup.io-25647",
+ "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.",
+ "cve": "PVE-2021-41035",
+ "id": "pyup.io-41035",
"specs": [
- "<0.3.8"
+ "<3.0.1"
],
- "v": "<0.3.8"
+ "v": "<3.0.1"
}
],
- "certbot": [
+ "bepasty": [
{
- "advisory": "Certbot before 0.34.0 does not print warnings when run as root with insecure file system permissions.",
- "cve": "PVE-2021-38484",
- "id": "pyup.io-38484",
+ "advisory": "bepasty 0.3.0 contains two security fixes: \r\n- When showing potentially dangerous text/* types, force the\r\n content-type to be text/plain and also turn the browser's sniffer off.\r\n- Prevent disclosure of locked item's metadata",
+ "cve": "PVE-2021-25637",
+ "id": "pyup.io-25637",
"specs": [
- "<0.34.0"
+ "<0.3.0"
],
- "v": "<0.34.0"
+ "v": "<0.3.0"
},
{
- "advisory": "Certbot through 0.34.0 does not configure the web server so that all requests redirect to secure HTTPS access.",
- "cve": "PVE-2021-37112",
- "id": "pyup.io-37112",
+ "advisory": "Bepasty 0.6.0 invalidates old client-side cookies if PERMISSIONS in config are changed. This is a security fix.",
+ "cve": "PVE-2021-39120",
+ "id": "pyup.io-39120",
"specs": [
- "<=0.34.0"
+ "<0.6.0"
],
- "v": "<=0.34.0"
+ "v": "<0.6.0"
}
],
- "cerulean": [
+ "berglas": [
{
- "advisory": "cerulean 0.3.4 - Directory permissions when using mkdir(). This is a security issue, and you\r\n should upgrade as soon as possible.",
- "cve": "PVE-2021-36796",
- "id": "pyup.io-36796",
+ "advisory": "Berglas 0.2.0 no longer trusts the environment variables.",
+ "cve": "PVE-2021-37340",
+ "id": "pyup.io-37340",
"specs": [
- "<0.3.4"
+ "<0.2.0"
],
- "v": "<0.3.4"
+ "v": "<0.2.0"
}
],
- "cffconvert": [
+ "bigchaindb": [
{
- "advisory": "cffconvert 1.0.3 updates requests from 2.18.4 to 2.20.0 (security bugfix)",
- "cve": "PVE-2021-36623",
- "id": "pyup.io-36623",
+ "advisory": "Bigchaindb 2.2.2 updates several dependencies, including Flask, which had a vulnerability.",
+ "cve": "PVE-2021-38832",
+ "id": "pyup.io-38832",
"specs": [
- "<1.0.3"
+ "<2.2.2"
],
- "v": "<1.0.3"
+ "v": "<2.2.2"
}
],
- "cfscrape": [
+ "bigchaindb-driver": [
{
- "advisory": "An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.",
- "cve": "CVE-2017-7235",
- "id": "pyup.io-35741",
+ "advisory": "Bigchaindb-driver 0.5.2 includes a fix for CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.",
+ "cve": "CVE-2018-10903",
+ "id": "pyup.io-36427",
"specs": [
- ">=1.6.6,<1.7.1"
+ "<0.5.2"
],
- "v": ">=1.6.6,<1.7.1"
- },
+ "v": "<0.5.2"
+ }
+ ],
+ "bigdl": [
{
- "advisory": "Please upgrade to 1.8.0 immediately.\r\n\r\nVersions 1.6.6 to 1.7.1 are vulnerable to code execution. If you are running a vulnerable version, a malicious website owner could craft a page which executes arbitrary Python code on the machine that runs this script. This can only occur if the website that the user attempts to scrape has specifically prepared a page to exploit vulnerable versions of cfscrape.",
- "cve": "PVE-2021-34275",
- "id": "pyup.io-34275",
+ "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11",
+ "cve": "PVE-2021-37576",
+ "id": "pyup.io-37576",
"specs": [
- ">=1.6.6,<=1.8"
+ "<0.8.0"
],
- "v": ">=1.6.6,<=1.8"
+ "v": "<0.8.0"
}
],
- "cfstacks": [
+ "bikeshed": [
{
- "advisory": "Cfstacks 0.4.4 upgrades PyAML to 4.2b1 (or later) to fix a security vulnerability.",
- "cve": "PVE-2021-38388",
- "id": "pyup.io-38388",
+ "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
+ "cve": "CVE-2021-23422",
+ "id": "pyup.io-41179",
"specs": [
- "<0.4.4"
+ "<3.0.0"
],
- "v": "<0.4.4"
+ "v": "<3.0.0"
+ },
+ {
+ "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23423:\r\nWhen an untrusted source file containing include, include-code or include-raw block is processed, the contents of arbitrary files could be disclosed in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
+ "cve": "CVE-2021-23423",
+ "id": "pyup.io-41180",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
}
],
- "cg": [
+ "bincrafters-envy": [
{
- "advisory": "Cg 18.11.3 upgrades the insecure cryptography dependency.",
- "cve": "PVE-2021-39614",
- "id": "pyup.io-39614",
+ "advisory": "Bincrafters-envy 0.1.3 updates its dependency 'requests' to v2.20.0 to include a security fix.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36732",
"specs": [
- "<18.11.3"
+ "<0.1.3"
],
- "v": "<18.11.3"
+ "v": "<0.1.3"
}
],
- "chanjo-report": [
+ "birdhousebuilder-recipe-nginx": [
{
- "advisory": "chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).",
- "cve": "PVE-2021-25648",
- "id": "pyup.io-25648",
+ "advisory": "Birdhousebuilder-recipe-nginx 0.1.5 disables the use of SSLv3 to handle CVE-2014-3566 (poodle attack).",
+ "cve": "CVE-2014-3566",
+ "id": "pyup.io-36135",
"specs": [
- "<2.4.0"
+ "<0.1.5"
],
- "v": "<2.4.0"
+ "v": "<0.1.5"
}
],
- "channels": [
+ "bise.theme": [
{
- "advisory": "Channels 3.0.3 includes a fix for CVE-2020-35681. See also: .",
- "cve": "CVE-2020-35681",
- "id": "pyup.io-39368",
+ "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.",
+ "cve": "PVE-2021-25639",
+ "id": "pyup.io-25639",
"specs": [
- ">=3.0.0,<3.0.3"
+ "<2.4"
],
- "v": ">=3.0.0,<3.0.3"
+ "v": "<2.4"
}
],
- "chaosloader": [
+ "bitbot": [
{
- "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.",
- "cve": "PVE-2021-37048",
- "id": "pyup.io-37048",
+ "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.",
+ "cve": "PVE-2021-37551",
+ "id": "pyup.io-37551",
"specs": [
- "<1.0.0"
+ "<1.12.0"
],
- "v": "<1.0.0"
+ "v": "<1.12.0"
}
],
- "charm-tools": [
+ "bjoern": [
{
- "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).",
- "cve": "PVE-2021-37201",
- "id": "pyup.io-37201",
+ "advisory": "bjoern before 1.4.2 uses a insecure Django release which is vulnerable to CVE-2015-0219, see https://www.djangoproject.com/weblog/2015/jan/13/security/.",
+ "cve": "CVE-2015-0219",
+ "id": "pyup.io-25640",
"specs": [
- "<2.6.0"
+ "<1.4.2"
],
- "v": "<2.6.0"
+ "v": "<1.4.2"
}
],
- "charmhelpers": [
+ "blackduck": [
{
- "advisory": "Charmhelpers 0.19.13 updates Keystone expectations to meet security guide (299).",
- "cve": "PVE-2021-37032",
- "id": "pyup.io-37032",
+ "advisory": "Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases. See CVE-2020-27589.",
+ "cve": "CVE-2020-27589",
+ "id": "pyup.io-39070",
"specs": [
- "<0.19.13"
+ ">=0.0.25,<=0.0.52"
],
- "v": "<0.19.13"
+ "v": ">=0.0.25,<=0.0.52"
}
],
- "chartify": [
+ "blask": [
{
- "advisory": "Chartify 2.7.0 bumps the base Pillow dependency to avoid a version that's not secure.",
- "cve": "PVE-2021-38345",
- "id": "pyup.io-38345",
+ "advisory": "Blask 0.2.2 fixes some vulnerabilities. See: .",
+ "cve": "PVE-2021-39028",
+ "id": "pyup.io-39028",
"specs": [
- "<2.7.0"
+ "<0.2.2"
],
- "v": "<2.7.0"
- },
+ "v": "<0.2.2"
+ }
+ ],
+ "blazar": [
{
- "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.",
- "cve": "CVE-2020-14343",
- "id": "pyup.io-41310",
+ "advisory": "An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected. See: CVE-2020-26943.",
+ "cve": "CVE-2020-26943",
+ "id": "pyup.io-38884",
"specs": [
- "<3.0.3"
+ "<1.3.1"
],
- "v": "<3.0.3"
+ "v": "<1.3.1"
}
],
- "chatbot-ner": [
+ "bleach": [
{
- "advisory": "For security reasons, chatbot-ner 0.5.8 updates requirements and adds a new version of Django upgrade.",
- "cve": "PVE-2021-38516",
- "id": "pyup.io-38516",
+ "advisory": "bleach 2.1 converts control characters (backspace particularly) to \"?\" preventing malicious copy-and-paste situations.",
+ "cve": "PVE-2021-34965",
+ "id": "pyup.io-34965",
"specs": [
- "<0.5.8"
+ "<2.1"
],
- "v": "<0.5.8"
+ "v": "<2.1"
},
{
- "advisory": "For security reasons, chatbot-ner 0.6.0 updates requirements and adds a new version of Django upgrade.",
- "cve": "PVE-2021-38515",
- "id": "pyup.io-38515",
+ "advisory": "Bleach 3.1.2 includes a fix for CVE-2020-6816: In Mozilla Bleach before 3.1.2, was discovered a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.\r\nhttps://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743",
+ "cve": "CVE-2020-6816",
+ "id": "pyup.io-42298",
"specs": [
- "<0.6.0"
+ "<3.1.2"
],
- "v": "<0.6.0"
- }
- ],
- "cheetah": [
+ "v": "<3.1.2"
+ },
{
- "advisory": "cheetah 0.9.17rc1 removeS the use of temp files for handling imports with dynamic compilation. This removes a whole slew of issues, including a temp file security issue.",
- "cve": "PVE-2021-25649",
- "id": "pyup.io-25649",
+ "advisory": "In Mozilla Bleach before 3.1.1, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.\r\nhttps://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r",
+ "cve": "CVE-2020-6802",
+ "id": "pyup.io-42297",
"specs": [
- "<0.9.17rc1"
+ "<=3.1.0"
],
- "v": "<0.9.17rc1"
- }
- ],
- "cheetah3": [
+ "v": "<=3.1.0"
+ },
{
- "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp``.",
- "cve": "PVE-2021-37134",
- "id": "pyup.io-37134",
+ "advisory": "The ``bleach.clean`` behavior parsing style attributes in bleach before 3.1.4 could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.",
+ "cve": "PVE-2021-38107",
+ "id": "pyup.io-38107",
"specs": [
- "<3.2.2"
+ "<=3.1.3"
],
- "v": "<3.2.2"
- }
- ],
- "cheroot": [
+ "v": "<=3.1.3"
+ },
{
- "advisory": "Cheroot 6.3.2 introduces a HTTP 400 response to a malicious 'Content-Length' in the request headers.",
- "cve": "PVE-2021-39125",
- "id": "pyup.io-39125",
+ "advisory": "bleach 2.1.3 fixes a security issue. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.",
+ "cve": "CVE-2018-7753",
+ "id": "pyup.io-35792",
"specs": [
- "<6.3.2"
+ ">=2.1,<2.1.3"
],
- "v": "<6.3.2"
+ "v": ">=2.1,<2.1.3"
}
],
- "cherrymusic": [
+ "bleach-extras": [
{
- "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"",
- "cve": "CVE-2015-8309",
- "id": "pyup.io-25650",
+ "advisory": "Bleach-extras 0.0.4 requires bleach version 3.2.1 to deal with security issues.",
+ "cve": "PVE-2021-38875",
+ "id": "pyup.io-38875",
"specs": [
- "<0.36.0"
+ "<0.0.4"
],
- "v": "<0.36.0"
+ "v": "<0.0.4"
}
],
- "chia": [
+ "blinkpy": [
{
- "advisory": "Chia 2.4.0 updates tensorflow and tensorflow-addons versions to include mitigations against vulnerabilities.",
- "cve": "PVE-2021-41298",
- "id": "pyup.io-41298",
+ "advisory": "blinkpy 0.10.2 sets minimum required version of the requests library to 2.20.0 due to vulnerability in earlier releases.",
+ "cve": "PVE-2021-36596",
+ "id": "pyup.io-36596",
"specs": [
- "<2.4.0"
+ "<0.10.2"
],
- "v": "<2.4.0"
+ "v": "<0.10.2"
}
],
- "chia-blockchain": [
+ "block-io": [
{
- "advisory": "Consideration of the new consensus algorithm in chia-blockchain version 1.0beta19 resulted in a much higher security level against all attacks.",
- "cve": "PVE-2021-39444",
- "id": "pyup.io-39444",
+ "advisory": "block-io 1.1.7 includes a fix for CVE-2013-7459 - https://security-tracker.debian.org/tracker/CVE-2013-7459",
+ "cve": "CVE-2013-7459",
+ "id": "pyup.io-36442",
"specs": [
- "<1.0b19"
+ "<1.1.7"
],
- "v": "<1.0b19"
+ "v": "<1.1.7"
},
{
- "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.",
- "cve": "PVE-2021-38700",
- "id": "pyup.io-38700",
+ "advisory": "Block-io 1.1.9 includes a fix for Requests vulnerability. See CVE-2018-18074.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36712",
"specs": [
- "<1.0beta10"
+ "<1.1.9"
],
- "v": "<1.0beta10"
- },
+ "v": "<1.1.9"
+ }
+ ],
+ "boatswain": [
{
- "advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.",
- "cve": "PVE-2021-38844",
- "id": "pyup.io-38844",
+ "advisory": "Boatswain version 1.0.4 includes a security patch for the function 'main' in 'boatswain/cli.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/NLeSC/boatswain/commit/1fc3f79b8f1f2affb407c7a147cca71c11f26d3c",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-41308",
"specs": [
- "<1.0beta14"
+ "<1.0.4"
],
- "v": "<1.0beta14"
- },
- {
- "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. This increases security.",
- "cve": "PVE-2021-38582",
- "id": "pyup.io-38582",
- "specs": [
- "<1.0beta8"
- ],
- "v": "<1.0beta8"
- },
+ "v": "<1.0.4"
+ }
+ ],
+ "bodhi": [
{
- "advisory": "The Windows BLS Signature library in chia-blockchain 1.0beta9 uses libsodium for additional security. Additionally, this version includes various fixes for various node dependency security vulnerabilities.",
- "cve": "PVE-2021-38629",
- "id": "pyup.io-38629",
+ "advisory": "Bodhi 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is\r\nwarped to make it more difficult to solve through automation.\r\n\r\n- https://github.com/fedora-infra/bodhi/pull/857\r\n- https://github.com/fedora-infra/bodhi/commit/f0122855",
+ "cve": "CVE-2016-1000008",
+ "id": "pyup.io-34274",
"specs": [
- "<1.0beta9"
+ "<2.2.0"
],
- "v": "<1.0beta9"
+ "v": "<2.2.0"
},
{
- "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity [security issue] (CVE-2021-21330).",
- "cve": "CVE-2021-21330",
- "id": "pyup.io-39672",
+ "advisory": "In bodhi before 2.9.1 it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects.",
+ "cve": "PVE-2021-35208",
+ "id": "pyup.io-35208",
"specs": [
- "<1.0rc5"
+ "<2.9.1"
],
- "v": "<1.0rc5"
+ "v": "<2.9.1"
},
{
- "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. It also changes 'chia keys add' command to take secret words a prompt on the command line or stdin instead of command line arguments.",
- "cve": "PVE-2021-39703",
- "id": "pyup.io-39703",
+ "advisory": "Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.",
+ "cve": "CVE-2017-1002152",
+ "id": "pyup.io-42337",
"specs": [
- "<1.0rc6"
+ "<=2.9.0"
],
- "v": "<1.0rc6"
+ "v": "<=2.9.0"
}
],
- "chiavdf": [
+ "bodhi-server": [
{
- "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.",
- "cve": "PVE-2021-39691",
- "id": "pyup.io-39691",
+ "advisory": "Bodhi-server 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is warped to make it more difficult to solve through automation.\r\n\r\nSee: https://github.com/fedora-infra/bodhi/pull/857\r\nAnd: https://github.com/fedora-infra/bodhi/commit/f0122855",
+ "cve": "CVE-2016-1000008",
+ "id": "pyup.io-34241",
"specs": [
- "<1.0"
+ "<2.2.0"
],
- "v": "<1.0"
+ "v": "<2.2.0"
}
],
- "choochoo": [
+ "bokeh": [
{
- "advisory": "Choochoo 0.40.0 updates its dependency React to the latest version \"hopefully\" removing several npm vulnerabilities.",
- "cve": "PVE-2021-41273",
- "id": "pyup.io-41273",
+ "advisory": "Bokeh before 1.0.4 used a Pyyaml version that was vulnerable to CVE-2017-18342.",
+ "cve": "CVE-2017-18342",
+ "id": "pyup.io-36780",
"specs": [
- "<0.40.0"
+ "<1.0.4"
],
- "v": "<0.40.0"
- }
- ],
- "ciftify": [
+ "v": "<1.0.4"
+ },
{
- "advisory": "Ciftify version 2.3.3 includes security patches for several functions. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/edickie/ciftify/commit/7ac66dc2efc78bae272a0e1e713c81756f780969#diff-d55ace9e33dabdeba89768d93ae8fe97cf6d2ba4936fc5ab472b7bf749270b63",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-41312",
+ "advisory": "Bokeh before 1.1.0 includes a handlebars security vulnerability [components: bokehjs & build]. NPM won't install.",
+ "cve": "PVE-2021-37031",
+ "id": "pyup.io-37031",
"specs": [
- "<2.3.3"
+ "<1.1.0"
],
- "v": "<2.3.3"
- }
- ],
- "cinder": [
+ "v": "<1.1.0"
+ },
{
- "advisory": "An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project. See: CVE-2020-10755.",
- "cve": "CVE-2020-10755",
- "id": "pyup.io-38408",
+ "advisory": "Bokeh 1.2.0 fixes a security vulnerabilities reported by npm audit.",
+ "cve": "PVE-2021-37170",
+ "id": "pyup.io-37170",
"specs": [
- "<14.1.0",
- ">=15.0.0.0rc1,<15.2.0",
- ">=16.0.0.0b1,<16.1.0"
+ "<1.2.0"
],
- "v": "<14.1.0,>=15.0.0.0rc1,<15.2.0,>=16.0.0.0b1,<16.1.0"
+ "v": "<1.2.0"
},
{
- "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.",
- "cve": "CVE-2013-1068",
- "id": "pyup.io-25651",
+ "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.",
+ "cve": "CVE-2021-41182",
+ "id": "pyup.io-42772",
"specs": [
- "<2013.2.3"
+ "<2.4.2"
],
- "v": "<2013.2.3"
- }
- ],
- "cipher.googlepam": [
+ "v": "<2.4.2"
+ },
{
- "advisory": "In cipher.googlepam before 1.5.1 do not use the same cache key for all users. Previously when one user logged in successfully, others could not log in using their own passwords -- but the first user could now use her password to log in as anyone else.",
- "cve": "PVE-2021-25652",
- "id": "pyup.io-25652",
+ "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.",
+ "cve": "CVE-2021-41183",
+ "id": "pyup.io-42814",
"specs": [
- "<1.5.1"
+ "<2.4.2"
],
- "v": "<1.5.1"
- }
- ],
- "circuit-maintenance-parser": [
+ "v": "<2.4.2"
+ },
{
- "advisory": "Circuit-maintenance-parser 1.1.0 updates the 'Pydantic' dependency version due to security advisory (GHSA-5jqp-qgf6-3pvh).",
- "cve": "PVE-2021-41103",
- "id": "pyup.io-41103",
+ "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.",
+ "cve": "CVE-2021-41184",
+ "id": "pyup.io-42815",
"specs": [
- "<1.1.0"
+ "<2.4.2"
],
- "v": "<1.1.0"
+ "v": "<2.4.2"
}
],
- "circup": [
+ "boss-cli": [
{
- "advisory": "Circup 0.0.6 includes an unspecified security fix.",
- "cve": "PVE-2021-37936",
- "id": "pyup.io-37936",
+ "advisory": "Boss-cli 1.0.0-alpha.20 fixes a CVE-2018-18074 vulnerability due to an issue with the `Requests` package.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-38521",
"specs": [
- "<0.0.6"
+ "<1.0.0a20"
],
- "v": "<0.0.6"
+ "v": "<1.0.0a20"
+ },
+ {
+ "advisory": "boss-cli 1.0.0alpha.18 fixes CVE-2018-7750 security vulnerability - https://github.com/kabirbaidhya/boss/pull/126",
+ "cve": "CVE-2018-7750",
+ "id": "pyup.io-36543",
+ "specs": [
+ "<1.0.0alpha.18"
+ ],
+ "v": "<1.0.0alpha.18"
+ },
+ {
+ "advisory": "Boss-cli 1.0.0alpha.20 fixes CVE-2018-18074 vulnerability due to `requests`.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36595",
+ "specs": [
+ "<1.0.0alpha.20"
+ ],
+ "v": "<1.0.0alpha.20"
+ },
+ {
+ "advisory": "Boss-cli 1.0.0beta.6 uses yaml.FullLoader for loading yaml config and upgrades the dependency pyyaml (CVE-2017-18342).",
+ "cve": "CVE-2017-18342",
+ "id": "pyup.io-37129",
+ "specs": [
+ "<1.0.0beta.6"
+ ],
+ "v": "<1.0.0beta.6"
}
],
- "ck": [
+ "boto3": [
{
- "advisory": "Ck 1.7.1 fixes a server vulnerability (action with ; can run various CMD commands).",
- "cve": "PVE-2021-40221",
- "id": "pyup.io-40221",
+ "advisory": "Boto3 version 1.4.5 fixes an information exposure vulnerability: The boto logger boto3.resources.action, which propagates to root logger, logs the entire uploaded bytes at INFO level.\r\nhttps://github.com/boto/boto3/issues/1017",
+ "cve": "PVE-2021-41708",
+ "id": "pyup.io-41708",
"specs": [
- "<1.7.1"
+ "<1.4.5"
],
- "v": "<1.7.1"
+ "v": "<1.4.5"
}
],
- "ckan": [
+ "bottle": [
{
- "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.",
- "cve": "PVE-2021-34556",
- "id": "pyup.io-34556",
+ "advisory": "redirect() in bottle.py in bottle 0.12.10 doesn't filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.",
+ "cve": "CVE-2016-9964",
+ "id": "pyup.io-25642",
"specs": [
- "<1.5.1"
+ "<0.12.10"
],
- "v": "<1.5.1"
+ "v": "<0.12.10"
},
{
- "advisory": "ckan 1.8.1 fixes possible XSS vulnerability on html input.",
- "cve": "PVE-2021-34558",
- "id": "pyup.io-34558",
+ "advisory": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. See CVE-2020-28473.",
+ "cve": "CVE-2020-28473",
+ "id": "pyup.io-39461",
"specs": [
- "<1.8.1"
+ "<0.12.19"
],
- "v": "<1.8.1"
+ "v": "<0.12.19"
},
{
- "advisory": "Ckan 2.6.9 fixes a code injection issue in the autocomplete module. See .",
- "cve": "PVE-2021-39613",
- "id": "pyup.io-39613",
+ "advisory": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.",
+ "cve": "CVE-2014-3137",
+ "id": "pyup.io-35548",
"specs": [
- "<2.6.9"
+ ">=0.10,<0.10.12",
+ ">=0.11,<0.11.7",
+ ">=0.12,<0.12.6"
],
- "v": "<2.6.9"
+ "v": ">=0.10,<0.10.12,>=0.11,<0.11.7,>=0.12,<0.12.6"
}
],
- "clam": [
+ "boussole": [
{
- "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.",
- "cve": "PVE-2021-25653",
- "id": "pyup.io-25653",
+ "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. Boussole now uses the full loader mode so it does not trigger a warning anymore.",
+ "cve": "PVE-2021-37147",
+ "id": "pyup.io-37147",
"specs": [
- "<0.9.10"
+ "<1.5.0"
],
- "v": "<0.9.10"
- },
+ "v": "<1.5.0"
+ }
+ ],
+ "bpython-django": [
{
- "advisory": "clam 0.9.11 contains unknown security fixes in dispatcher.",
- "cve": "PVE-2021-25654",
- "id": "pyup.io-25654",
+ "advisory": "Bpython-django version 0.15 changes its dependency \"requests\"to \"pyOpenSSL\", \"pyasn1\", and \"ndg-httpsclient\" to improve security.",
+ "cve": "PVE-2021-42117",
+ "id": "pyup.io-42117",
"specs": [
- "<0.9.11"
+ "<0.15"
],
- "v": "<0.9.11"
+ "v": "<0.15"
}
],
- "clearsilver": [
+ "brasil.gov.portal": [
{
- "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.",
- "cve": "CVE-2011-4357",
- "id": "pyup.io-25655",
+ "advisory": "Brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.",
+ "cve": "CVE-2017-1000484",
+ "id": "pyup.io-35086",
"specs": [
- "<0.10.5"
+ "<1.5.1"
],
- "v": "<0.10.5"
+ "v": "<1.5.1"
}
],
- "client-sdk-python": [
+ "brotli": [
{
- "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.",
- "cve": "PVE-2021-37584",
- "id": "pyup.io-37584",
+ "advisory": "A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits.",
+ "cve": "CVE-2020-8927",
+ "id": "pyup.io-42299",
"specs": [
- "<4.7.0"
+ "<1.0.8"
],
- "v": "<4.7.0"
+ "v": "<1.0.8"
}
],
- "clipster-desktop": [
+ "brume": [
{
- "advisory": "Clipster-desktop 0.3.0 includes various improvements to make the host more secure:\r\n* All clips are encrypted locally in the client before transmission to the server. \r\n* Server host can't decrypt clips: it never learns the users' password.\r\n* Password is not stored in cleartext anymore. Instead password hash is used.",
- "cve": "PVE-2021-39388",
- "id": "pyup.io-39388",
+ "advisory": "Brume version 2.0.2 includes a security patch for the function 'load' in 'brume/config.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/flou/brume/commit/9407537a4f24521b6d009a52a77b4f6deabb0b71#diff-db395031eb85fc2c76864f9a9e13ed341de029a79e0fc76a798090f50504fb6a",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-41309",
"specs": [
- "<0.3.0"
+ "<2.0.2"
],
- "v": "<0.3.0"
+ "v": "<2.0.2"
}
],
- "cliquery": [
+ "bsblan": [
{
- "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.",
- "cve": "PVE-2021-40090",
- "id": "pyup.io-40090",
+ "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.",
+ "cve": "PVE-2021-37697",
+ "id": "pyup.io-37697",
"specs": [
- "<1.10.0"
+ "<0.27"
],
- "v": "<1.10.0"
- },
+ "v": "<0.27"
+ }
+ ],
+ "bsdiff4": [
{
- "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2. This is a security patch.",
- "cve": "PVE-2021-39423",
- "id": "pyup.io-39423",
+ "advisory": "A buffer overflow in the patching routine of bsdiff4 before 1.2.0 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.",
+ "cve": "CVE-2020-15904",
+ "id": "pyup.io-42280",
"specs": [
- "<1.9.3"
+ "<1.2.0"
],
- "v": "<1.9.3"
+ "v": "<1.2.0"
}
],
- "cloudinary": [
+ "buildbot": [
{
- "advisory": "cloudinary before 1.0.21 is vulnerable to an XSS attack on cloudinary_cors.html.",
- "cve": "PVE-2021-34603",
- "id": "pyup.io-34603",
+ "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.",
+ "cve": "PVE-2021-36320",
+ "id": "pyup.io-36320",
"specs": [
- "<1.0.21"
+ "<1.3.0"
],
- "v": "<1.0.21"
- }
- ],
- "cloudmarker": [
+ "v": "<1.3.0"
+ },
{
- "advisory": "Cloudmarker 0.0.5 adds the `FirewallRuleEvent` plugin to detect insecure firewall rules.",
- "cve": "PVE-2021-37138",
- "id": "pyup.io-37138",
+ "advisory": "Buildbot 1.8.2 fixes a vulnerability in OAuth where user-submitted authorization tokens are used for authentication. See: .",
+ "cve": "PVE-2021-37161",
+ "id": "pyup.io-37161",
"specs": [
- "<0.0.5"
+ "<1.8.2"
],
- "v": "<0.0.5"
- }
- ],
- "cloudwatch-to-graphite": [
+ "v": "<1.8.2"
+ },
{
- "advisory": "Cloudwatch-to-graphite version 0.11.0 includes a security patch for the function 'get_config' in 'leadbutt.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/crccheck/cloudwatch-to-graphite/commit/5875100c54a54a9c90cf2fe782cc3df147d32053#diff-ddb0922eafb2fa54199e50bb13de6178b1755e780387144df032f9e26512f15e",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-41313",
+ "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)",
+ "cve": "PVE-2021-36865",
+ "id": "pyup.io-36865",
"specs": [
- "<0.11.0"
+ "<2.0.0"
],
- "v": "<0.11.0"
- }
- ],
- "cloverly-python-module": [
+ "v": "<2.0.0"
+ },
{
- "advisory": "Cloverly-python-module 0.2.0 adds a clear session function for security purposes.",
- "cve": "PVE-2021-41085",
- "id": "pyup.io-41085",
+ "advisory": "Buildbot 2.3.1 fixes a vulnerability in OAuth where a user-submitted authorization token was used for authentication. See: .",
+ "cve": "PVE-2021-37160",
+ "id": "pyup.io-37160",
"specs": [
- "<0.2.0"
+ "<2.3.1"
],
- "v": "<0.2.0"
+ "v": "<2.3.1"
}
],
- "cmdlr": [
+ "byarse": [
{
- "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`",
- "cve": "PVE-2021-36854",
- "id": "pyup.io-36854",
+ "advisory": "Byarse 1.1.0 introduces 'Safe mode', which can be enabled to prevent unpickling Pickle type during deserialization. This prevents a big security vulnerability.",
+ "cve": "PVE-2021-38754",
+ "id": "pyup.io-38754",
"specs": [
- "<4.1.0"
+ "<1.1.0"
],
- "v": "<4.1.0"
+ "v": "<1.1.0"
}
],
- "cmsplugin-filer": [
+ "bzip": [
{
- "advisory": "cmsplugin-filer 1.0.0 contains an unknown XSS fix.",
- "cve": "PVE-2021-25656",
- "id": "pyup.io-25656",
+ "advisory": "bzip is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
+ "cve": "PVE-2021-34980",
+ "id": "pyup.io-34980",
"specs": [
- "<1.0.0"
+ ">0",
+ "<0"
],
- "v": "<1.0.0"
+ "v": ">0,<0"
}
],
- "cnx-publishing": [
+ "cabot": [
{
- "advisory": "Cnx-publishing 0.17.6 bumps urllib3 for a security fix.",
- "cve": "PVE-2021-38128",
- "id": "pyup.io-38128",
+ "advisory": "In September 2020 it was reported that all versions of the cabot package are vulnerable to Cross-site Scripting (XSS) via the Endpoint column. The latest release of cabot at that date was version 0.11.7.",
+ "cve": "CVE-2020-7734",
+ "id": "pyup.io-38806",
"specs": [
- "<0.17.6"
+ "<=0.11.7"
],
- "v": "<0.17.6"
+ "v": "<=0.11.7"
}
],
- "cobbler": [
+ "cacophonyapi": [
{
- "advisory": "Cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE. No information was provided about fixes or affected versions. See: CVE-2011-4954.",
- "cve": "CVE-2011-4954",
- "id": "pyup.io-37739",
+ "advisory": "Cacophonyapi 4.13.0 addresses a security vulnerability. No details were given.",
+ "cve": "PVE-2021-39127",
+ "id": "pyup.io-39127",
"specs": [
- ">0"
+ "<4.13.0"
],
- "v": ">0"
- }
- ],
- "cockroachdb": [
+ "v": "<4.13.0"
+ },
{
- "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.",
- "cve": "PVE-2021-37264",
- "id": "pyup.io-37264",
+ "advisory": "Cacophonyapi 4.6.0 addresses a security vulnerability in eslint-utils.",
+ "cve": "PVE-2021-39128",
+ "id": "pyup.io-39128",
"specs": [
- "<0.3.2"
+ "<4.6.0"
],
- "v": "<0.3.2"
+ "v": "<4.6.0"
}
],
- "codalab": [
+ "cairosvg": [
{
- "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.",
- "cve": "PVE-2021-36386",
- "id": "pyup.io-36386",
+ "advisory": "cairosvg 1.0.21 is a security update. CairoSVG was vulnerable to XML eXternal Entity (XXE) attacks, this release fixes this vulnerability by not resolving the XML entities anymore. The ``--unsafe`` option has been added to force the resolution of XML entities. Obviously, this option is not safe and should only be used with trusted SVG files.",
+ "cve": "PVE-2021-25643",
+ "id": "pyup.io-25643",
"specs": [
- "<0.2.33"
+ "<1.0.21"
],
- "v": "<0.2.33"
+ "v": "<1.0.21"
},
{
- "advisory": "Codalab 0.5.12 fixes a vulnerability. No description of the vulnerability was included.",
- "cve": "PVE-2021-38927",
- "id": "pyup.io-38927",
+ "advisory": "CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. See CVE-2021-21236.",
+ "cve": "CVE-2021-21236",
+ "id": "pyup.io-39419",
"specs": [
- "<0.5.12"
+ "<2.5.1"
],
- "v": "<0.5.12"
+ "v": "<2.5.1"
},
{
- "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).",
- "cve": "PVE-2021-39434",
- "id": "pyup.io-39434",
+ "advisory": "When processing SVG files, cairosvg before 2.5.1 was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.",
+ "cve": "PVE-2021-39404",
+ "id": "pyup.io-39404",
"specs": [
- "<0.5.33"
+ "<2.5.1"
],
- "v": "<0.5.33"
+ "v": "<2.5.1"
}
],
- "codecov": [
+ "calcipy": [
{
- "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.",
- "cve": "PVE-2021-37934",
- "id": "pyup.io-37934",
+ "advisory": "Calcipy 2021.0.2.0 adding security check task.",
+ "cve": "PVE-2021-40621",
+ "id": "pyup.io-40621",
"specs": [
- "<2.0.16"
+ "<2021.0.2.0"
],
- "v": "<2.0.16"
- },
+ "v": "<2021.0.2.0"
+ }
+ ],
+ "calcwave": [
{
- "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.",
- "cve": "PVE-2021-38075",
- "id": "pyup.io-38075",
+ "advisory": "Calcwave 1.2.6 updates limits for modules and functions available to 'eval()' in the interpreter. This greatly improves the security and reduces the risk of accidentally calling the 'Python' function that damages your computer.\r\nhttps://github.com/zenarcher007/calcwave/commit/1d95d1861a0bf9954e95f82469f279bb3ba12d9a",
+ "cve": "PVE-2021-40507",
+ "id": "pyup.io-40507",
"specs": [
- "<2.0.17"
+ "<1.2.6"
],
- "v": "<2.0.17"
+ "v": "<1.2.6"
}
],
- "codeforcesapipy": [
+ "calibreweb": [
{
- "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.",
- "cve": "PVE-2021-40099",
- "id": "pyup.io-40099",
+ "advisory": "Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key.",
+ "cve": "CVE-2020-12627",
+ "id": "pyup.io-42274",
"specs": [
- "<2.0.8"
+ "==0.6.6"
],
- "v": "<2.0.8"
+ "v": "==0.6.6"
}
],
- "coinbasepro": [
+ "candig-server": [
{
- "advisory": "coinbasepro 0.1.0 updates requests version to >=2.20.0 to address security vulnerability.",
- "cve": "PVE-2021-36975",
- "id": "pyup.io-36975",
+ "advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.",
+ "cve": "PVE-2021-37219",
+ "id": "pyup.io-37219",
"specs": [
- "<0.1.0"
+ "<0.9.0"
],
- "v": "<0.1.0"
- }
- ],
- "coincurve": [
+ "v": "<0.9.0"
+ },
{
- "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. \r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.",
- "cve": "PVE-2021-36299",
- "id": "pyup.io-36299",
+ "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.",
+ "cve": "PVE-2021-37218",
+ "id": "pyup.io-37218",
"specs": [
- "<8.0.0"
+ "<0.9.2"
],
- "v": "<8.0.0"
- }
- ],
- "coinstac": [
+ "v": "<0.9.2"
+ },
{
- "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.",
- "cve": "PVE-2021-40091",
- "id": "pyup.io-40091",
+ "advisory": "Candig-server 1.0.2 updates WerkZeug to 0.15.5 to resolve its security vulnerabilities.",
+ "cve": "PVE-2021-37467",
+ "id": "pyup.io-37467",
"specs": [
- "<5.2.1"
+ "<1.0.2"
],
- "v": "<5.2.1"
- }
- ],
- "colander": [
+ "v": "<1.0.2"
+ },
{
- "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n catastrophic backtracking that would have led to an infinite loop.",
- "cve": "PVE-2021-36856",
- "id": "pyup.io-36856",
+ "advisory": "Candig-server 1.4.0 includes some upgraded third-party libraries, improving security.",
+ "cve": "PVE-2021-39169",
+ "id": "pyup.io-39169",
"specs": [
- "<1.7.0"
+ "<1.4.0"
],
- "v": "<1.7.0"
+ "v": "<1.4.0"
}
],
- "collective-contact-core": [
+ "carla": [
{
- "advisory": "collective-contact-core before 1.10",
- "cve": "PVE-2021-36089",
- "id": "pyup.io-36089",
+ "advisory": "Carla 0.9.9 adds security features to the standalone OpenDRIVE mode aiming to prevent cars from falling down from the road.\r\nhttps://github.com/carla-simulator/carla/pull/2678/commits/35032c7ed47a30211869bbd2c7731215bc37b4e1",
+ "cve": "PVE-2021-42713",
+ "id": "pyup.io-42713",
"specs": [
- "<1.10"
+ "<0.9.9"
],
- "v": "<1.10"
+ "v": "<0.9.9"
}
],
- "collective-noticeboard": [
+ "cartridge-braintree": [
{
- "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.",
- "cve": "PVE-2021-35879",
- "id": "pyup.io-35879",
+ "advisory": "Cartridge-braintree 1.2.2 sets minimum Django version to 1.11.29 and maximum version to 1.12 to fix security vulnerabilities.",
+ "cve": "PVE-2021-40229",
+ "id": "pyup.io-40229",
"specs": [
- "<0.7.1"
+ "<1.2.2"
],
- "v": "<0.7.1"
+ "v": "<1.2.2"
}
],
- "collective.contact.core": [
+ "cassandra-medusa": [
{
- "advisory": "collective.contact.core 1.10 fixes a security issue related to AddContact.",
- "cve": "PVE-2021-25657",
- "id": "pyup.io-25657",
+ "advisory": "Cassandra-medusa 0.9.1 fixes MinIO support that had unsecured access.\r\nhttps://github.com/thelastpickle/cassandra-medusa/commit/2edb8afd9e0961fb3cf390322c0f59066967de84",
+ "cve": "PVE-2021-42517",
+ "id": "pyup.io-42517",
"specs": [
- "<1.10"
+ "<0.9.1"
],
- "v": "<1.10"
+ "v": "<0.9.1"
}
],
- "collective.documentviewer": [
+ "castle-cms": [
{
- "advisory": "collective.documentviewer 1.5.1 fixes a security issue on file resources.",
- "cve": "PVE-2021-25658",
- "id": "pyup.io-25658",
+ "advisory": "Castle-cms version 2.6.1 includes fixes for secure-login.",
+ "cve": "PVE-2021-41903",
+ "id": "pyup.io-41903",
"specs": [
- "<1.5.1"
+ "<2.6.1"
],
- "v": "<1.5.1"
- }
- ],
- "collective.easyform": [
+ "v": "<2.6.1"
+ },
{
- "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves entities, and it removes processing instructions. This increases the security.",
- "cve": "PVE-2021-39144",
- "id": "pyup.io-39144",
+ "advisory": "Castle-cms version 2.6.2 fixes default behavior that allowed access to published content inside a private container.",
+ "cve": "PVE-2021-41902",
+ "id": "pyup.io-41902",
"specs": [
- "<3.0.5"
+ "<2.6.2"
],
- "v": "<3.0.5"
+ "v": "<2.6.2"
}
],
- "collective.js.datatables": [
+ "catboost": [
{
- "advisory": "collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.",
- "cve": "PVE-2021-25659",
- "id": "pyup.io-25659",
+ "advisory": "Catboost 0.26 updates version of scala 2.11 for security reasons.\r\nhttps://github.com/catboost/catboost/issues/1632",
+ "cve": "PVE-2021-41743",
+ "id": "pyup.io-41743",
"specs": [
- "<4.1.1"
+ "<0.26"
],
- "v": "<4.1.1"
+ "v": "<0.26"
}
],
- "collective.noticeboard": [
+ "cbapi": [
{
- "advisory": "collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.",
- "cve": "PVE-2021-25660",
- "id": "pyup.io-25660",
+ "advisory": "The underlying CbAPI connection class erroneously disabled hostname validation by default. This does *not* affect code that uses CbAPI through the public interfaces documented here; it only affects code that accesses the new ``CbAPISessionAdapter`` class directly. This class was introduced in version 1.3.3. Regardless, it is strongly recommended that all users currently using 1.3.3 upgrade to 1.3.4.",
+ "cve": "PVE-2021-34933",
+ "id": "pyup.io-34933",
"specs": [
- "<0.7.1"
+ ">=1.3.3,<1.3.4"
],
- "v": "<0.7.1"
+ "v": ">=1.3.3,<1.3.4"
}
],
- "collective.portlet.twitter": [
+ "ccf": [
{
- "advisory": "collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.",
- "cve": "PVE-2021-25661",
- "id": "pyup.io-25661",
+ "advisory": "Ccf 0.7 fixes a vulnerability to a possible replay attack.",
+ "cve": "PVE-2021-38641",
+ "id": "pyup.io-38641",
"specs": [
- "<1.0b3"
+ "<0.7"
],
- "v": "<1.0b3"
+ "v": "<0.7"
}
],
- "collective.tablepage": [
+ "cdk-ecr-deployment": [
{
- "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.",
- "cve": "PVE-2021-25664",
- "id": "pyup.io-25664",
+ "advisory": "Cdk-ecr-deployment 0.0.60 includes a workaround to fix a security issue in its dependency 'xmldom'.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/7b222a9a253a9a18371c489fbb2577e90f59fc4f",
+ "cve": "PVE-2021-42166",
+ "id": "pyup.io-42166",
"specs": [
- "<0.3"
+ "<0.0.60"
],
- "v": "<0.3"
+ "v": "<0.0.60"
}
],
- "collective.xmpp.chat": [
+ "cedar-backup3": [
{
- "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.",
- "cve": "PVE-2021-25666",
- "id": "pyup.io-25666",
+ "advisory": "Cedar-backup3 version 1.10 fixes 2 security issues:\r\n-A shell-interpolation bug.\r\n-Use of insecure os.popen(). Replaced with new execute_command()",
+ "cve": "PVE-2021-42010",
+ "id": "pyup.io-42010",
"specs": [
- "<0.3.1"
+ "<1.10"
],
- "v": "<0.3.1"
- }
- ],
- "collins-client": [
+ "v": "<1.10"
+ },
{
- "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure. If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission. We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set. Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.",
- "cve": "PVE-2021-25667",
- "id": "pyup.io-25667",
+ "advisory": "Cedar-backup3 version 3.6.0 updates build process to include security scans using Safety.",
+ "cve": "PVE-2021-42008",
+ "id": "pyup.io-42008",
"specs": [
- "<2.1.0"
+ "<3.6.0"
],
- "v": "<2.1.0"
+ "v": "<3.6.0"
}
],
- "colonyscanalyser": [
+ "celery": [
{
- "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.",
- "cve": "PVE-2021-37635",
- "id": "pyup.io-37635",
+ "advisory": "Celery 5.2.0 updates 'kombu' to v5.2.1, which includes dependencies updates that resolve security issues.",
+ "cve": "PVE-2021-42498",
+ "id": "pyup.io-42498",
"specs": [
- "<0.2.0"
+ "<5.2.0"
],
- "v": "<0.2.0"
- }
- ],
- "compliance-trestle": [
+ "v": "<5.2.0"
+ },
{
- "advisory": "Compliance-trestle 0.15.0 upgrades the 'pydantic' to 1.8.2 for an security issue.",
- "cve": "PVE-2021-40566",
- "id": "pyup.io-40566",
+ "advisory": "Celery 4.0.1 includes a fix for a code execution vulnerability: The default accept_content setting was set to allow deserialization of pickled messages in Celery 4.0.0. A workaround is to configure the 4.0.0 version to explicitly only allow json serialized messages.\r\nhttps://github.com/celery/celery/blob/master/docs/sec/CELERYSA-0003.txt",
+ "cve": "PVE-2021-25646",
+ "id": "pyup.io-25646",
"specs": [
- "<0.15.0"
+ ">=4.0,<4.0.1"
],
- "v": "<0.15.0"
+ "v": ">=4.0,<4.0.1"
}
],
- "concrete-datastore": [
+ "cellxgene": [
{
- "advisory": "Concrete-datastore 1.22.0 adds useful checks to the url_format to avoid template injections.",
- "cve": "PVE-2021-39449",
- "id": "pyup.io-39449",
+ "advisory": "Cellxgene 0.12.0 has Python and Javascript package updates, for both security and performance.",
+ "cve": "PVE-2021-37801",
+ "id": "pyup.io-37801",
"specs": [
- "<1.22.0"
+ "<0.12.0"
],
- "v": "<1.22.0"
+ "v": "<0.12.0"
},
{
- "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.",
- "cve": "PVE-2021-39709",
- "id": "pyup.io-39709",
+ "advisory": "Cellxgene 0.16.0 removed the `client` package that introduced security vulnerabilities.",
+ "cve": "PVE-2021-38696",
+ "id": "pyup.io-38696",
"specs": [
- "<1.23.0"
+ "<0.16.0"
],
- "v": "<1.23.0"
+ "v": "<0.16.0"
}
],
- "conference-scheduler-cli": [
+ "centrifuge": [
{
- "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.",
- "cve": "CVE-2018-14572",
- "id": "pyup.io-36425",
+ "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.",
+ "cve": "PVE-2021-25647",
+ "id": "pyup.io-25647",
"specs": [
- "<=0.10.1"
+ "<0.3.8"
],
- "v": "<=0.10.1"
+ "v": "<0.3.8"
}
],
- "confidant": [
+ "ceph-deploy": [
{
- "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.",
- "cve": "PVE-2021-26670",
- "id": "pyup.io-26670",
+ "advisory": "ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.",
+ "cve": "CVE-2015-3010",
+ "id": "pyup.io-42238",
"specs": [
- "<1.1.13"
+ "<1.5.23"
],
- "v": "<1.1.13"
- },
+ "v": "<1.5.23"
+ }
+ ],
+ "certbot": [
{
- "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.",
- "cve": "PVE-2021-25668",
- "id": "pyup.io-25668",
+ "advisory": "Certbot before 0.34.0 does not print warnings when run as root with insecure file system permissions.",
+ "cve": "PVE-2021-38484",
+ "id": "pyup.io-38484",
"specs": [
- "<1.1.14"
+ "<0.34.0"
],
- "v": "<1.1.14"
+ "v": "<0.34.0"
},
{
- "advisory": "Confidant v1.10.0 upgrades gevent and greenlet to address CVE-2016-5180 and gevent/gevent#477.",
- "cve": "CVE-2016-5180",
- "id": "pyup.io-38504",
+ "advisory": "Certbot through 0.34.0 does not configure the web server so that all requests redirect to secure HTTPS access.",
+ "cve": "PVE-2021-37112",
+ "id": "pyup.io-37112",
"specs": [
- "<1.10.0"
+ "<=0.34.0"
],
- "v": "<1.10.0"
- },
+ "v": "<=0.34.0"
+ }
+ ],
+ "cerulean": [
{
- "advisory": "Confidant 1.6.0 updates python-saml to address CVE-2016-1000252.",
- "cve": "CVE-2016-1000252",
- "id": "pyup.io-38505",
+ "advisory": "cerulean 0.3.4 - Directory permissions when using mkdir(). This is a security issue, and you\r\n should upgrade as soon as possible.",
+ "cve": "PVE-2021-36796",
+ "id": "pyup.io-36796",
"specs": [
- "<1.6.0"
+ "<0.3.4"
],
- "v": "<1.6.0"
- },
+ "v": "<0.3.4"
+ }
+ ],
+ "cffconvert": [
{
- "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.",
- "cve": "PVE-2021-37471",
- "id": "pyup.io-37471",
+ "advisory": "Cffconvert 1.0.3 updates requests from v2.18.4 to v2.20.0 to include a security fix.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36623",
"specs": [
- "<5.0.0"
+ "<1.0.3"
],
- "v": "<5.0.0"
- },
+ "v": "<1.0.3"
+ }
+ ],
+ "cfscrape": [
{
- "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve the security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to periodically be rotated for security purposes.",
- "cve": "PVE-2021-38560",
- "id": "pyup.io-38560",
+ "advisory": "Cfscrape 1.8.0 includes a fix for CVE-2017-7235: An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.",
+ "cve": "CVE-2017-7235",
+ "id": "pyup.io-35741",
"specs": [
- "<6.3.0"
+ ">=1.6.6,<1.8.0"
],
- "v": "<6.3.0"
+ "v": ">=1.6.6,<1.8.0"
}
],
- "confidence": [
+ "cfstacks": [
{
- "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. \r\nconfidence >=0.4 now uses ``yaml.safe_load``",
- "cve": "PVE-2021-36308",
- "id": "pyup.io-36308",
+ "advisory": "Cfstacks 0.4.4 upgrades PyAML to 4.2b1 (or later) to fix a security vulnerability.",
+ "cve": "PVE-2021-38388",
+ "id": "pyup.io-38388",
"specs": [
- "<0.4"
+ "<0.4.4"
],
- "v": "<0.4"
+ "v": "<0.4.4"
}
],
- "confire": [
+ "cg": [
{
- "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
- "cve": "CVE-2017-16763",
- "id": "pyup.io-35721",
+ "advisory": "Cg 18.11.3 upgrades the insecure cryptography dependency.",
+ "cve": "PVE-2021-39614",
+ "id": "pyup.io-39614",
"specs": [
- "<=0.2.0"
+ "<18.11.3"
],
- "v": "<=0.2.0"
+ "v": "<18.11.3"
}
],
- "confluent-kafka": [
+ "chanjo-report": [
{
- "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.",
- "cve": "PVE-2021-37508",
- "id": "pyup.io-37508",
+ "advisory": "chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).",
+ "cve": "PVE-2021-25648",
+ "id": "pyup.io-25648",
"specs": [
- "<1.1.0"
+ "<2.4.0"
],
- "v": "<1.1.0"
- },
+ "v": "<2.4.0"
+ }
+ ],
+ "channels": [
{
- "advisory": "Confluent-kafka 1.3.0 includes a fix for CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"",
- "cve": "CVE-2019-17543",
- "id": "pyup.io-38072",
- "specs": [
- "<1.3.0"
- ],
- "v": "<1.3.0"
- },
- {
- "advisory": "Confluent-kafka 1.4.0 includes two security issues in the SASL SCRAM protocol handler:\r\n * The client nonce, which is expected to be a random string, was a static string.\r\n * If `sasl.username` and `sasl.password` contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.",
- "cve": "PVE-2021-38165",
- "id": "pyup.io-38165",
+ "advisory": "Channels 3.0.3 includes a fix for CVE-2020-35681. See also: .",
+ "cve": "CVE-2020-35681",
+ "id": "pyup.io-39368",
"specs": [
- "<1.4.0"
+ ">=3.0.0,<3.0.3"
],
- "v": "<1.4.0"
+ "v": ">=3.0.0,<3.0.3"
}
],
- "conn-check": [
+ "chaosloader": [
{
- "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.",
- "cve": "PVE-2021-25669",
- "id": "pyup.io-25669",
+ "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.",
+ "cve": "PVE-2021-37048",
+ "id": "pyup.io-37048",
"specs": [
- "<1.0.18"
+ "<1.0.0"
],
- "v": "<1.0.18"
+ "v": "<1.0.0"
}
],
- "container-service-extension": [
+ "charm-crypto": [
{
- "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching",
- "cve": "PVE-2021-36876",
- "id": "pyup.io-36876",
+ "advisory": "In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.",
+ "cve": "CVE-2021-37587",
+ "id": "pyup.io-42317",
"specs": [
- "<1.2.5"
+ "==0.43"
],
- "v": "<1.2.5"
+ "v": "==0.43"
},
{
- "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.",
- "cve": "PVE-2021-37529",
- "id": "pyup.io-37529",
+ "advisory": "In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.",
+ "cve": "CVE-2021-37588",
+ "id": "pyup.io-42318",
"specs": [
- "<2.5.0b1"
+ "==0.43"
],
- "v": "<2.5.0b1"
+ "v": "==0.43"
}
],
- "contentful": [
+ "charm-tools": [
{
- "advisory": "contentful 1.11.3 updates `requests` version due to a vulnerability found in versions `2.19` and below",
- "cve": "PVE-2021-36633",
- "id": "pyup.io-36633",
+ "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).",
+ "cve": "PVE-2021-37201",
+ "id": "pyup.io-37201",
"specs": [
- "<1.11.3"
+ "<2.6.0"
],
- "v": "<1.11.3"
- },
+ "v": "<2.6.0"
+ }
+ ],
+ "charmhelpers": [
{
- "advisory": "Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.",
- "cve": "CVE-2020-13258",
- "id": "pyup.io-38314",
+ "advisory": "Charmhelpers 0.19.13 updates Keystone expectations to meet security guide (299).",
+ "cve": "PVE-2021-37032",
+ "id": "pyup.io-37032",
"specs": [
- "<=1.12.3"
+ "<0.19.13"
],
- "v": "<=1.12.3"
+ "v": "<0.19.13"
}
],
- "contentful-management": [
+ "chartify": [
{
- "advisory": "contentful-management 2.5.0 updates `requests` version due to a vulnerability found in versions `2.19` and below.",
- "cve": "PVE-2021-36599",
- "id": "pyup.io-36599",
+ "advisory": "Chartify 2.7.0 bumps the base Pillow dependency to avoid a version that's not secure.",
+ "cve": "PVE-2021-38345",
+ "id": "pyup.io-38345",
"specs": [
- "<2.5.0"
+ "<2.7.0"
],
- "v": "<2.5.0"
- }
- ],
- "contestms": [
+ "v": "<2.7.0"
+ },
{
- "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. These won't be backported to 1.1, so make sure you update.",
- "cve": "PVE-2021-34249",
- "id": "pyup.io-34249",
+ "advisory": "Chartify version 3.0.3 includes a security patch for the function '_from_yaml' in 'chartify/_core/colors.py'. It uses unsafe FullLoader, which allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/spotify/chartify/commit/e9d34194b19f973b934497a1013c918bc8a98fee#diff-8238e9741da72d8460f3b7e87879bad2821fe5cfbadb42112a6a7373ee5c494a",
+ "cve": "CVE-2020-14343",
+ "id": "pyup.io-41310",
"specs": [
- "<1.2.0"
+ "<3.0.3"
],
- "v": "<1.2.0"
+ "v": "<3.0.3"
}
],
- "cookie-manager": [
+ "chatbot-ner": [
{
- "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.",
- "cve": "PVE-2021-38106",
- "id": "pyup.io-38106",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'NLTK' to v3.4.5 to include a security fix.",
+ "cve": "CVE-2019-14751",
+ "id": "pyup.io-42431",
"specs": [
- "<1.0.3"
+ "<0.5.8"
],
- "v": "<1.0.3"
+ "v": "<0.5.8"
},
{
- "advisory": "Cookie-manager 1.1.0 bumps Bleach to patch a vulnerability.",
- "cve": "PVE-2021-38153",
- "id": "pyup.io-38153",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-38516",
"specs": [
- "<1.1.0"
+ "<0.5.8"
],
- "v": "<1.1.0"
+ "v": "<0.5.8"
},
{
- "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. See Bleach 3.3.0 for further details.",
- "cve": "PVE-2021-40165",
- "id": "pyup.io-40165",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-42434",
"specs": [
- "<1.2.1"
+ "<0.5.8"
],
- "v": "<1.2.1"
- }
- ],
- "cookiecutter": [
+ "v": "<0.5.8"
+ },
{
- "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6",
- "cve": "PVE-2021-34683",
- "id": "pyup.io-34683",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-42432",
"specs": [
- "<0.1.0"
+ "<0.5.8"
],
- "v": "<0.1.0"
+ "v": "<0.5.8"
},
{
- "advisory": "Cookiecutter 0.3.1 updates Pillow version to 3.2.0 (security fix).",
- "cve": "PVE-2021-27445",
- "id": "pyup.io-27445",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-42433",
"specs": [
- "<0.3.1"
+ "<0.5.8"
],
- "v": "<0.3.1"
+ "v": "<0.5.8"
},
{
- "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.",
- "cve": "PVE-2021-37672",
- "id": "pyup.io-37672",
+ "advisory": "For security reasons, chatbot-ner 0.6.0 updates requirements and adds a new version of Django upgrade.",
+ "cve": "PVE-2021-38515",
+ "id": "pyup.io-38515",
"specs": [
- "<1.1.0"
+ "<0.6.0"
],
- "v": "<1.1.0"
+ "v": "<0.6.0"
}
],
- "coordination-network-toolkit": [
+ "cheetah": [
{
- "advisory": "Coordination-network-toolkit 1.0.2 includes a security patch to the 'urllib3' among other dependency updates.",
- "cve": "PVE-2021-40624",
- "id": "pyup.io-40624",
+ "advisory": "cheetah 0.9.17rc1 removeS the use of temp files for handling imports with dynamic compilation. This removes a whole slew of issues, including a temp file security issue.",
+ "cve": "PVE-2021-25649",
+ "id": "pyup.io-25649",
"specs": [
- "<1.0.2"
+ "<0.9.17rc1"
],
- "v": "<1.0.2"
+ "v": "<0.9.17rc1"
}
],
- "copyparty": [
+ "cheetah3": [
{
- "advisory": "The maintainers of Copyparty report that they \"hopefully\" have fixed a bug in version 0.12.3 where malicious POSTs through an nginx reverse-proxy could put the connection in a bad state, causing the next legit request to fail with bad headers",
- "cve": "PVE-2021-41050",
- "id": "pyup.io-41050",
+ "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp``.",
+ "cve": "PVE-2021-37134",
+ "id": "pyup.io-37134",
"specs": [
- "<0.12.3"
+ "<3.2.2"
],
- "v": "<0.12.3"
+ "v": "<3.2.2"
}
],
- "cortex": [
+ "cheroot": [
{
- "advisory": "cortex before 0.32.0",
- "cve": "PVE-2021-40128",
- "id": "pyup.io-40128",
+ "advisory": "Cheroot 6.3.2 introduces a HTTP 400 response to a malicious 'Content-Length' in the request headers.",
+ "cve": "PVE-2021-39125",
+ "id": "pyup.io-39125",
"specs": [
- "<0.32.0"
+ "<6.3.2"
],
- "v": "<0.32.0"
+ "v": "<6.3.2"
}
],
- "cosmos-wfm": [
+ "cherrymusic": [
{
- "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).",
- "cve": "PVE-2021-34181",
- "id": "pyup.io-34181",
+ "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"",
+ "cve": "CVE-2015-8309",
+ "id": "pyup.io-25650",
"specs": [
- "<2.1.1"
+ "<0.36.0"
],
- "v": "<2.1.1"
- }
- ],
- "coveralls": [
+ "v": "<0.36.0"
+ },
{
- "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.",
- "cve": "PVE-2021-25671",
- "id": "pyup.io-25671",
+ "advisory": "Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist.",
+ "cve": "CVE-2015-8310",
+ "id": "pyup.io-42242",
"specs": [
- "<0.1.1"
+ "<0.36.0"
],
- "v": "<0.1.1"
+ "v": "<0.36.0"
}
],
- "cplay-ng": [
+ "cherrypy": [
{
- "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.",
- "cve": "PVE-2021-25672",
- "id": "pyup.io-25672",
+ "advisory": "Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via \"..\" sequences in unspecified vectors.",
+ "cve": "CVE-2006-0847",
+ "id": "pyup.io-42231",
"specs": [
- "<1.50"
+ "<2.1.1"
],
- "v": "<1.50"
+ "v": "<2.1.1"
}
],
- "crate-docs-theme": [
+ "chia": [
{
- "advisory": "Crate-docs-theme 0.13.0 updates/removes Bootstrap and jQuery packages (nine vulnerabilities detected).",
- "cve": "PVE-2021-39529",
- "id": "pyup.io-39529",
+ "advisory": "Chia 2.4.0 updates tensorflow and tensorflow-addons versions to include mitigations against vulnerabilities.",
+ "cve": "PVE-2021-41298",
+ "id": "pyup.io-41298",
"specs": [
- "<0.13.0"
+ "<2.4.0"
],
- "v": "<0.13.0"
+ "v": "<2.4.0"
}
],
- "creavel": [
+ "chia-blockchain": [
{
- "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25673",
- "id": "pyup.io-25673",
+ "advisory": "Consideration of the new consensus algorithm in chia-blockchain version 1.0beta19 resulted in a much higher security level against all attacks.",
+ "cve": "PVE-2021-39444",
+ "id": "pyup.io-39444",
"specs": [
- "<0.11.0"
+ "<1.0b19"
],
- "v": "<0.11.0"
+ "v": "<1.0b19"
},
{
- "advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.",
- "cve": "PVE-2021-25674",
- "id": "pyup.io-25674",
+ "advisory": "Chia-blockchain 1.0b27 updates its GUI to handle CVE-2020-28477.\r\nhttps://github.com/Chia-Network/chia-blockchain/commit/45c85c0030a9b07bd3d07fc0e7f7afc540b53009",
+ "cve": "CVE-2020-28477",
+ "id": "pyup.io-42341",
"specs": [
- "<0.14.0"
+ "<1.0b27"
],
- "v": "<0.14.0"
- }
- ],
- "credstash": [
+ "v": "<1.0b27"
+ },
{
- "advisory": "credstash 1.16.0 updates to pyyaml>=4.2b1 due to security vulnerability in older versions",
- "cve": "PVE-2021-37852",
- "id": "pyup.io-37852",
+ "advisory": "Chia-blockchain 1.0b27 updates its dependency 'pyyaml' to v5.4.1 to include a security fix.",
+ "cve": "CVE-2020-14343",
+ "id": "pyup.io-42367",
"specs": [
- "<1.16.0"
+ "<1.0b27"
],
- "v": "<1.16.0"
- }
- ],
- "creopyson": [
+ "v": "<1.0b27"
+ },
{
- "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.",
- "cve": "PVE-2021-37964",
- "id": "pyup.io-37964",
+ "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.",
+ "cve": "PVE-2021-38700",
+ "id": "pyup.io-38700",
"specs": [
- "<0.4.2"
+ "<1.0beta10"
],
- "v": "<0.4.2"
- }
- ],
- "cromwell-tools": [
+ "v": "<1.0beta10"
+ },
{
- "advisory": "cromwell-tools 1.0.0 updates requests to avoid security issues.",
- "cve": "PVE-2021-36659",
- "id": "pyup.io-36659",
+ "advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.",
+ "cve": "PVE-2021-38844",
+ "id": "pyup.io-38844",
"specs": [
- "<1.0.0"
+ "<1.0beta14"
],
- "v": "<1.0.0"
- }
- ],
- "crossbar": [
+ "v": "<1.0beta14"
+ },
{
- "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
- "cve": "PVE-2021-25675",
- "id": "pyup.io-25675",
+ "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. This increases security.",
+ "cve": "PVE-2021-38582",
+ "id": "pyup.io-38582",
"specs": [
- "<0.15.0"
+ "<1.0beta8"
],
- "v": "<0.15.0"
+ "v": "<1.0beta8"
},
{
- "advisory": "crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.",
- "cve": "PVE-2021-25676",
- "id": "pyup.io-25676",
+ "advisory": "The Windows BLS Signature library in chia-blockchain 1.0beta9 uses libsodium for additional security. Additionally, this version includes various fixes for various node dependency security vulnerabilities.",
+ "cve": "PVE-2021-38629",
+ "id": "pyup.io-38629",
"specs": [
- "<0.6.4"
+ "<1.0beta9"
],
- "v": "<0.6.4"
+ "v": "<1.0beta9"
},
{
- "advisory": "Crossbar 20.12.3 fixes a dependency on Autobahn v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.",
- "cve": "PVE-2021-39329",
- "id": "pyup.io-39329",
+ "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity [security issue] (CVE-2021-21330).",
+ "cve": "CVE-2021-21330",
+ "id": "pyup.io-39672",
"specs": [
- "<20.12.3"
+ "<1.0rc5"
],
- "v": "<20.12.3"
- }
- ],
- "crypt": [
+ "v": "<1.0rc5"
+ },
{
- "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
- "cve": "PVE-2021-34981",
- "id": "pyup.io-34981",
+ "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. It also changes 'chia keys add' command to take secret words a prompt on the command line or stdin instead of command line arguments.",
+ "cve": "PVE-2021-39703",
+ "id": "pyup.io-39703",
"specs": [
- ">0",
- "<0"
+ "<1.0rc6"
],
- "v": ">0,<0"
+ "v": "<1.0rc6"
}
],
- "cryptacular": [
+ "chiavdf": [
{
- "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.",
- "cve": "PVE-2021-25677",
- "id": "pyup.io-25677",
+ "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.",
+ "cve": "PVE-2021-39691",
+ "id": "pyup.io-39691",
"specs": [
- "<1.2"
+ "<1.0"
],
- "v": "<1.2"
+ "v": "<1.0"
}
],
- "crypto-candlesticks": [
+ "choochoo": [
{
- "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.",
- "cve": "PVE-2021-39697",
- "id": "pyup.io-39697",
+ "advisory": "Choochoo 0.40.0 updates its dependency React to the latest version \"hopefully\" removing several npm vulnerabilities.",
+ "cve": "PVE-2021-41273",
+ "id": "pyup.io-41273",
"specs": [
- "<0.1.5"
+ "<0.40.0"
],
- "v": "<0.1.5"
+ "v": "<0.40.0"
}
],
- "cryptography": [
+ "ciftify": [
{
- "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.",
- "cve": "PVE-2021-25678",
- "id": "pyup.io-25678",
+ "advisory": "Ciftify version 2.3.3 includes security patches for several functions. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/edickie/ciftify/commit/7ac66dc2efc78bae272a0e1e713c81756f780969#diff-d55ace9e33dabdeba89768d93ae8fe97cf6d2ba4936fc5ab472b7bf749270b63",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-41312",
"specs": [
- "<0.9.1"
+ "<2.3.3"
],
- "v": "<0.9.1"
- },
+ "v": "<2.3.3"
+ }
+ ],
+ "cinder": [
{
- "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.",
- "cve": "PVE-2021-25679",
- "id": "pyup.io-25679",
+ "advisory": "Cinder versions 14.1.0, 15.2.0 and 16.1.0 include a fix for CVE-2020-10755: An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API.\r\nhttps://wiki.openstack.org/wiki/OSSN/OSSN-0086",
+ "cve": "CVE-2020-10755",
+ "id": "pyup.io-38408",
"specs": [
- "<1.0.2"
+ "<14.1.0",
+ ">=15.0.0.0rc1,<15.2.0",
+ ">=16.0.0.0b1,<16.1.0"
],
- "v": "<1.0.2"
+ "v": "<14.1.0,>=15.0.0.0rc1,<15.2.0,>=16.0.0.0b1,<16.1.0"
},
{
- "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.",
- "cve": "CVE-2016-9243",
- "id": "pyup.io-25680",
+ "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.",
+ "cve": "CVE-2013-1068",
+ "id": "pyup.io-25651",
"specs": [
- "<1.5.3"
+ "<2013.2.3"
],
- "v": "<1.5.3"
- },
+ "v": "<2013.2.3"
+ }
+ ],
+ "cipher.googlepam": [
{
- "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.",
- "cve": "PVE-2021-39252",
- "id": "pyup.io-39252",
+ "advisory": "In cipher.googlepam before 1.5.1 do not use the same cache key for all users. Previously when one user logged in successfully, others could not log in using their own passwords -- but the first user could now use her password to log in as anyone else.",
+ "cve": "PVE-2021-25652",
+ "id": "pyup.io-25652",
"specs": [
- "<3.3"
+ "<1.5.1"
],
- "v": "<3.3"
- },
+ "v": "<1.5.1"
+ }
+ ],
+ "circuit-maintenance-parser": [
{
- "advisory": "In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. See: CVE-2020-36242.",
- "cve": "CVE-2020-36242",
- "id": "pyup.io-39606",
+ "advisory": "Circuit-maintenance-parser 1.1.0 updates the 'Pydantic' dependency version due to security advisory (GHSA-5jqp-qgf6-3pvh).",
+ "cve": "PVE-2021-41103",
+ "id": "pyup.io-41103",
"specs": [
- "<3.3.2"
+ "<1.1.0"
],
- "v": "<3.3.2"
- },
+ "v": "<1.1.0"
+ }
+ ],
+ "circup": [
{
- "advisory": "Cryptography 3.2 was released with the warning that its maintainers became aware of a Bleichenbacher vulnerability that they were only partly able to mitigate. See: CVE-2020-25659.",
- "cve": "CVE-2020-25659",
- "id": "pyup.io-38932",
+ "advisory": "Circup 0.0.6 includes an unspecified security fix.",
+ "cve": "PVE-2021-37936",
+ "id": "pyup.io-37936",
"specs": [
- "<=3.2"
+ "<0.0.6"
],
- "v": "<=3.2"
- },
+ "v": "<0.0.6"
+ }
+ ],
+ "ck": [
{
- "advisory": "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903.",
- "cve": "CVE-2018-10903",
- "id": "pyup.io-36351",
+ "advisory": "Ck 1.7.1 fixes a server vulnerability (action with ; can run various CMD commands).",
+ "cve": "PVE-2021-40221",
+ "id": "pyup.io-40221",
"specs": [
- ">=1.9.0,<2.3"
+ "<1.7.1"
],
- "v": ">=1.9.0,<2.3"
+ "v": "<1.7.1"
}
],
- "cryptography-vectors": [
+ "ckan": [
{
- "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.",
- "cve": "PVE-2021-25681",
- "id": "pyup.io-25681",
+ "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.",
+ "cve": "PVE-2021-34556",
+ "id": "pyup.io-34556",
"specs": [
- "<0.9.1"
+ "<1.5.1"
],
- "v": "<0.9.1"
+ "v": "<1.5.1"
},
{
- "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.",
- "cve": "PVE-2021-25682",
- "id": "pyup.io-25682",
+ "advisory": "ckan 1.8.1 fixes possible XSS vulnerability on html input.",
+ "cve": "PVE-2021-34558",
+ "id": "pyup.io-34558",
"specs": [
- "<1.0.2"
+ "<1.8.1"
],
- "v": "<1.0.2"
+ "v": "<1.8.1"
},
{
- "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.",
- "cve": "CVE-2016-9243",
- "id": "pyup.io-25683",
+ "advisory": "Ckan 2.6.9 fixes a code injection issue in the autocomplete module. See .",
+ "cve": "PVE-2021-39613",
+ "id": "pyup.io-39613",
"specs": [
- "<1.5.3"
+ "<2.6.9"
],
- "v": "<1.5.3"
+ "v": "<2.6.9"
}
],
- "cssutils": [
+ "clam": [
{
- "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)",
- "cve": "PVE-2021-25684",
- "id": "pyup.io-25684",
+ "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.",
+ "cve": "PVE-2021-25653",
+ "id": "pyup.io-25653",
"specs": [
- "<0.9.6a2"
+ "<0.9.10"
],
- "v": "<0.9.6a2"
- }
- ],
- "cstar": [
+ "v": "<0.9.10"
+ },
{
- "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). See: .",
- "cve": "PVE-2021-39224",
- "id": "pyup.io-39224",
+ "advisory": "Clam 0.9.11 fixes a RCE vulnerability in its dispatcher.\r\nhttps://github.com/proycon/clam/commit/f89ba22a3b74f0b86ce9d8190ce28b6da7331813",
+ "cve": "PVE-2021-25654",
+ "id": "pyup.io-25654",
"specs": [
- "<0.5.0"
+ "<0.9.11"
],
- "v": "<0.5.0"
+ "v": "<0.9.11"
}
],
- "cumin": [
+ "clearsilver": [
{
- "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.",
- "cve": "CVE-2012-1575",
- "id": "pyup.io-35357",
+ "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.",
+ "cve": "CVE-2011-4357",
+ "id": "pyup.io-25655",
"specs": [
- "1.7 aren't affected.\r\nhttps://github.com/divio/cmsplugin-filer/pull/185",
+ "cve": "PVE-2021-25656",
+ "id": "pyup.io-25656",
"specs": [
- "<0.6.0"
+ "<0.10.2"
],
- "v": "<0.6.0"
+ "v": "<0.10.2"
}
],
- "datasette": [
+ "cnx-publishing": [
{
- "advisory": "Datasette 0.46 contains a security fix related to authenticated writable canned queries. CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker.",
- "cve": "PVE-2021-38671",
- "id": "pyup.io-38671",
+ "advisory": "Cnx-publishing 0.17.6 bumps urllib3 for a security fix.",
+ "cve": "PVE-2021-38128",
+ "id": "pyup.io-38128",
"specs": [
- "<0.46"
+ "<0.17.6"
],
- "v": "<0.46"
- },
+ "v": "<0.17.6"
+ }
+ ],
+ "coapthon": [
{
- "advisory": "Datasette 0.55 starts to use Python 3.7.10 in official Docker image, applying the latest security fix.",
- "cve": "PVE-2021-40541",
- "id": "pyup.io-40541",
+ "advisory": "The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.",
+ "cve": "CVE-2018-12680",
+ "id": "pyup.io-42251",
"specs": [
- "<0.55"
+ "==3.1",
+ "==4.0.0",
+ "==4.0.1",
+ "==4.0.2"
],
- "v": "<0.55"
- },
+ "v": "==3.1,==4.0.0,==4.0.1,==4.0.2"
+ }
+ ],
+ "cobbler": [
{
- "advisory": "Datasette 0.56.1 fixes a reflected cross-site scripting security hole with the '?_trace=1' feature. You should upgrade to this version, or to the 'Datasette' 0.57, as soon as possible.",
- "cve": "PVE-2021-40619",
- "id": "pyup.io-40619",
+ "advisory": "Cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE. No information was provided about fixes or affected versions. See: CVE-2011-4954.",
+ "cve": "CVE-2011-4954",
+ "id": "pyup.io-37739",
"specs": [
- "<0.56.1"
+ ">0"
],
- "v": "<0.56.1"
- },
+ "v": ">0"
+ }
+ ],
+ "cockroachdb": [
{
- "advisory": "Datasette 0.57 fixes a reflected cross-site scripting security hole with the '?_trace=1' feature. You should upgrade to this version, or to the 'Datasette' 0.56.1, as soon as possible.",
- "cve": "PVE-2021-40618",
- "id": "pyup.io-40618",
+ "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.",
+ "cve": "PVE-2021-37264",
+ "id": "pyup.io-37264",
"specs": [
- "<0.57"
+ "<0.3.2"
],
- "v": "<0.57"
+ "v": "<0.3.2"
}
],
- "datasette-auth-passwords": [
+ "codalab": [
{
- "advisory": "Datasette-auth-passwords 0.4.1 now depends on the 'datasette' >=0.56.1, to avoid a security vulnerability.",
- "cve": "PVE-2021-40620",
- "id": "pyup.io-40620",
+ "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.",
+ "cve": "PVE-2021-36386",
+ "id": "pyup.io-36386",
"specs": [
- "<0.4.1"
+ "<0.2.33"
],
- "v": "<0.4.1"
- }
- ],
- "datasette-css-properties": [
+ "v": "<0.2.33"
+ },
{
- "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML which could be an XSS security hole.",
- "cve": "PVE-2021-39422",
- "id": "pyup.io-39422",
+ "advisory": "Codalab 0.5.12 fixes a vulnerability. No description of the vulnerability was included.",
+ "cve": "PVE-2021-38927",
+ "id": "pyup.io-38927",
"specs": [
- "<0.2"
+ "<0.5.12"
],
- "v": "<0.2"
- }
- ],
- "datasette-graphql": [
+ "v": "<0.5.12"
+ },
{
- "advisory": "Satasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible, though not their actual row content. See: .",
- "cve": "PVE-2021-39174",
- "id": "pyup.io-39174",
+ "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).",
+ "cve": "PVE-2021-39434",
+ "id": "pyup.io-39434",
"specs": [
- "<1.2"
+ "<0.5.33"
],
- "v": "<1.2"
+ "v": "<0.5.33"
}
],
- "datasette-indieauth": [
+ "code42cli": [
{
- "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.",
- "cve": "PVE-2021-39164",
- "id": "pyup.io-39164",
+ "advisory": "Code42cli 1.3.0 starts to support a secure transporting of data with the TLS-TCP protocol.",
+ "cve": "PVE-2021-42534",
+ "id": "pyup.io-42534",
"specs": [
- "<1.1"
+ "<1.3.0"
],
- "v": "<1.1"
+ "v": "<1.3.0"
}
],
- "datasette-insert": [
+ "codecov": [
{
- "advisory": "Datasette-insert 0.6 is locked down by default. This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.",
- "cve": "PVE-2021-38644",
- "id": "pyup.io-38644",
+ "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.",
+ "cve": "PVE-2021-37934",
+ "id": "pyup.io-37934",
"specs": [
- "<0.6"
+ "<2.0.16"
],
- "v": "<0.6"
- }
- ],
- "datasette-query-links": [
+ "v": "<2.0.16"
+ },
{
- "advisory": "Datasette-query-links 0.1.1 fixes an XSS security bug. See: https://github.com/simonw/datasette-query-links/issues/2",
- "cve": "PVE-2021-41092",
- "id": "pyup.io-41092",
+ "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.",
+ "cve": "PVE-2021-38075",
+ "id": "pyup.io-38075",
"specs": [
- "<0.1.1"
+ "<2.0.17"
],
- "v": "<0.1.1"
+ "v": "<2.0.17"
}
],
- "datasette-seaborn": [
+ "codeforcesapipy": [
{
- "advisory": "The maintainers or the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.",
- "cve": "PVE-2021-38782",
- "id": "pyup.io-38782",
+ "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.",
+ "cve": "PVE-2021-40099",
+ "id": "pyup.io-40099",
"specs": [
- "==0.1a0"
+ "<2.0.8"
],
- "v": "==0.1a0"
+ "v": "<2.0.8"
}
],
- "dateable-chronos": [
+ "cohen3": [
{
- "advisory": "dateable-chronos before 0.7.2 fixed a XSS vulnerability in the get_view_day method.",
- "cve": "PVE-2021-35988",
- "id": "pyup.io-35988",
+ "advisory": "Cohen3 version 0.8.3 updates its dependency \"requests\" to include a security fix.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-42040",
"specs": [
- "<0.7.2"
+ "<0.8.3"
],
- "v": "<0.7.2"
- }
- ],
- "dateable.chronos": [
+ "v": "<0.8.3"
+ },
{
- "advisory": "dateable.chronos 0.7.2 fixes a XSS vulnerability in the get_view_day method.",
- "cve": "PVE-2021-25685",
- "id": "pyup.io-25685",
+ "advisory": "Cohen3 version 0.9.1 updates its dependency \"urlib3\" to v1.24.2 to include a security fix.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-42039",
"specs": [
- "<0.7.2"
+ "<0.9.1"
],
- "v": "<0.7.2"
+ "v": "<0.9.1"
}
],
- "datera-cinder": [
+ "coinbasepro": [
{
- "advisory": "Datera-cinder 2018.10.30.0 updates the required requests version to >=2.20.0 because of a security vulnerability in <=2.19.X.",
- "cve": "PVE-2021-37204",
- "id": "pyup.io-37204",
+ "advisory": "Coinbasepro 0.1.0 updates requests version to >=2.20.0 to address a security vulnerability.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36975",
"specs": [
- "<2018.10.30.0"
+ "<0.1.0"
],
- "v": "<2018.10.30.0"
+ "v": "<0.1.0"
}
],
- "dawgie": [
+ "coincurve": [
{
- "advisory": "Dawgie 1.2.3 includes a vulnerability fix.",
- "cve": "PVE-2021-40122",
- "id": "pyup.io-40122",
+ "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. \r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.",
+ "cve": "PVE-2021-36299",
+ "id": "pyup.io-36299",
"specs": [
- "<1.2.3"
+ "<8.0.0"
],
- "v": "<1.2.3"
- },
+ "v": "<8.0.0"
+ }
+ ],
+ "coinstac": [
{
- "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.",
- "cve": "PVE-2021-40121",
- "id": "pyup.io-40121",
+ "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.",
+ "cve": "PVE-2021-40091",
+ "id": "pyup.io-40091",
"specs": [
- "<1.2.9"
+ "<5.2.1"
],
- "v": "<1.2.9"
+ "v": "<5.2.1"
}
],
- "ddtrace": [
+ "colander": [
{
- "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.",
- "cve": "PVE-2021-35790",
- "id": "pyup.io-35790",
+ "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n catastrophic backtracking that would have led to an infinite loop.",
+ "cve": "PVE-2021-36856",
+ "id": "pyup.io-36856",
"specs": [
- "<0.11.0"
+ "<1.7.0"
],
- "v": "<0.11.0"
+ "v": "<1.7.0"
+ },
+ {
+ "advisory": "In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.",
+ "cve": "CVE-2017-18361",
+ "id": "pyup.io-42247",
+ "specs": [
+ "<=1.6"
+ ],
+ "v": "<=1.6"
}
],
- "debianized-jupyterhub": [
+ "collective-contact-core": [
{
- "advisory": "debianized-jupyterhub 0.9.51 updates to release 0.9.5 + NB 5.7.7 (fix for Open Redirect vulnerability)",
- "cve": "PVE-2021-37002",
- "id": "pyup.io-37002",
+ "advisory": "collective-contact-core before 1.10",
+ "cve": "PVE-2021-36089",
+ "id": "pyup.io-36089",
"specs": [
- "<0.9.51"
+ "<1.10"
],
- "v": "<0.9.51"
+ "v": "<1.10"
}
],
- "debops": [
+ "collective-easyform": [
{
- "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.",
- "cve": "PVE-2021-36371",
- "id": "pyup.io-36371",
+ "advisory": "Collective-easyform version 3.0.5 doesn't resolves entities in the modeleditor and removes processing instructions (commit #254).",
+ "cve": "PVE-2021-41911",
+ "id": "pyup.io-41911",
"specs": [
- "<0.8.0"
+ "<3.0.5"
],
- "v": "<0.8.0"
- },
+ "v": "<3.0.5"
+ }
+ ],
+ "collective-indexing": [
{
- "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: .",
- "cve": "PVE-2021-37159",
- "id": "pyup.io-37159",
+ "advisory": "Collective-indexing version 2.1 includes a fix that prevents out-of-sync security indexes on Solr. Now, reindexObjectSecurity operations are handled by the queue.\r\nhttps://github.com/plone/collective.indexing/pull/17",
+ "cve": "PVE-2021-41879",
+ "id": "pyup.io-41879",
"specs": [
- "<1.0.0"
+ "<2.1"
],
- "v": "<1.0.0"
- },
+ "v": "<2.1"
+ }
+ ],
+ "collective-noticeboard": [
{
- "advisory": "The :command:`lxc-prepare-ssh` script in debops 1.1.0 will no longer install SSH keys from the LXC host ``root`` account on the LXC container ``root`` account. This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.",
- "cve": "PVE-2021-37404",
- "id": "pyup.io-37404",
+ "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.",
+ "cve": "PVE-2021-35879",
+ "id": "pyup.io-35879",
"specs": [
- "<1.1.0"
+ "<0.7.1"
],
- "v": "<1.1.0"
- },
+ "v": "<0.7.1"
+ }
+ ],
+ "collective.contact.core": [
{
- "advisory": "Debops 1.2.0 includes a security patch for CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.",
- "cve": "CVE-2019-11043",
- "id": "pyup.io-37733",
+ "advisory": "Collective.contact.core 1.10 fixes a security issue related to AddContact. The vulnerability was found in its dependency Plone CMS. See CVE-2016-7138.\r\nhttps://github.com/collective/collective.contact.core/pull/25",
+ "cve": "CVE-2016-7138",
+ "id": "pyup.io-25657",
"specs": [
- "<1.2.0"
+ "<1.10"
],
- "v": "<1.2.0"
- },
+ "v": "<1.10"
+ }
+ ],
+ "collective.documentviewer": [
{
- "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.",
- "cve": "PVE-2021-37732",
- "id": "pyup.io-37732",
+ "advisory": "Collective.documentviewer 1.5.1 fixes a security issue on file resources permissions.\r\nhttps://github.com/collective/collective.documentviewer/commit/7222b0d30b1976d3f6773553bd6948c39efcbc20",
+ "cve": "PVE-2021-25658",
+ "id": "pyup.io-25658",
"specs": [
- "<1.7.0"
+ "<1.5.1"
],
- "v": "<1.7.0"
- },
+ "v": "<1.5.1"
+ }
+ ],
+ "collective.easyform": [
{
- "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.",
- "cve": "PVE-2021-26403",
- "id": "pyup.io-26403",
+ "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves entities, and it removes processing instructions. This increases the security.",
+ "cve": "PVE-2021-39144",
+ "id": "pyup.io-39144",
"specs": [
- "<2.0.0"
+ "<3.0.5"
],
- "v": "<2.0.0"
+ "v": "<3.0.5"
}
],
- "decaptcha": [
+ "collective.js.datatables": [
{
- "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0",
- "cve": "PVE-2021-37892",
- "id": "pyup.io-37892",
+ "advisory": "collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.",
+ "cve": "PVE-2021-25659",
+ "id": "pyup.io-25659",
"specs": [
- "<1.0.0"
+ "<4.1.1"
],
- "v": "<1.0.0"
- },
+ "v": "<4.1.1"
+ }
+ ],
+ "collective.noticeboard": [
{
- "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0",
- "cve": "PVE-2021-37891",
- "id": "pyup.io-37891",
+ "advisory": "Collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.",
+ "cve": "PVE-2021-25660",
+ "id": "pyup.io-25660",
"specs": [
- "<1.0.1"
+ "<0.7.1"
],
- "v": "<1.0.1"
+ "v": "<0.7.1"
}
],
- "deeposlandia": [
+ "collective.portlet.twitter": [
{
- "advisory": "Deeposlandia 0.6 updates its dependencies, especially `Tensorflow`, due to vulnerability issues.",
- "cve": "PVE-2021-38133",
- "id": "pyup.io-38133",
+ "advisory": "collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.",
+ "cve": "PVE-2021-25661",
+ "id": "pyup.io-25661",
"specs": [
- "<0.6"
+ "<1.0b3"
],
- "v": "<0.6"
- },
+ "v": "<1.0b3"
+ }
+ ],
+ "collective.tablepage": [
{
- "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to fix a moderate-severity vulnerability in pillow <6.2.2.",
- "cve": "PVE-2021-38285",
- "id": "pyup.io-38285",
+ "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.",
+ "cve": "PVE-2021-25664",
+ "id": "pyup.io-25664",
"specs": [
- "<0.6.2"
+ "<0.3"
],
- "v": "<0.6.2"
+ "v": "<0.3"
}
],
- "definitions": [
+ "collective.xmpp.chat": [
{
- "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.",
- "cve": "CVE-2018-20325",
- "id": "pyup.io-36752",
+ "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.",
+ "cve": "PVE-2021-25666",
+ "id": "pyup.io-25666",
"specs": [
- "<=0.2.0"
+ "<0.3.1"
],
- "v": "<=0.2.0"
+ "v": "<0.3.1"
}
],
- "defusedexpat": [
+ "collins-client": [
{
- "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
- "cve": "CVE-2013-1664",
- "id": "pyup.io-33054",
+ "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure. If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission. We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set. Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.",
+ "cve": "PVE-2021-25667",
+ "id": "pyup.io-25667",
"specs": [
- "<0.3"
+ "<2.1.0"
],
- "v": "<0.3"
- },
+ "v": "<2.1.0"
+ }
+ ],
+ "colonyscanalyser": [
{
- "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
- "cve": "CVE-2013-1665",
- "id": "pyup.io-33055",
+ "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.",
+ "cve": "PVE-2021-37635",
+ "id": "pyup.io-37635",
"specs": [
- "<0.3"
+ "<0.2.0"
],
- "v": "<0.3"
+ "v": "<0.2.0"
}
],
- "defusedxml": [
+ "compliance-trestle": [
{
- "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
- "cve": "CVE-2013-1664",
- "id": "pyup.io-33056",
+ "advisory": "Compliance-trestle 0.15.0 upgrades the 'pydantic' to 1.8.2 for an security issue.",
+ "cve": "PVE-2021-40566",
+ "id": "pyup.io-40566",
"specs": [
- "<0.4"
+ "<0.15.0"
],
- "v": "<0.4"
+ "v": "<0.15.0"
},
{
- "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
- "cve": "CVE-2013-1665",
- "id": "pyup.io-33057",
+ "advisory": "Compliance-trestle 0.26.0 removes user names from logs.\r\nhttps://github.com/IBM/compliance-trestle/commit/4d075b89776552a1f58751674e2056ac7afac3cc",
+ "cve": "PVE-2021-42185",
+ "id": "pyup.io-42185",
"specs": [
- "<0.4"
+ "<0.26.0"
],
- "v": "<0.4"
+ "v": "<0.26.0"
}
],
- "deis": [
+ "concrete-datastore": [
{
- "advisory": "Deis version 1.4.0 includes a fix for CVE-2014-3566: \r\nThe SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.",
- "cve": "CVE-2014-3566",
- "id": "pyup.io-25691",
- "specs": [
- "<1.4.0"
- ],
- "v": "<1.4.0"
- }
- ],
- "deltachat": [
- {
- "advisory": "Deltachat 1.0.0b17 fixes SQL/injection malformed Chat-Group-Name breakage.",
- "cve": "PVE-2021-40086",
- "id": "pyup.io-40086",
- "specs": [
- "<1.0.0b17"
- ],
- "v": "<1.0.0b17"
- },
- {
- "advisory": "deltachat 1.0.0beta.2 has several security fixes",
- "cve": "PVE-2021-37922",
- "id": "pyup.io-37922",
+ "advisory": "Concrete-datastore 1.22.0 adds useful checks to the url_format to avoid template injections.",
+ "cve": "PVE-2021-39449",
+ "id": "pyup.io-39449",
"specs": [
- "<1.0.0beta.2"
+ "<1.22.0"
],
- "v": "<1.0.0beta.2"
+ "v": "<1.22.0"
},
{
- "advisory": "Deltachat 1.51.0 improves and harden secure join feature.",
- "cve": "PVE-2021-40084",
- "id": "pyup.io-40084",
- "specs": [
- "<1.51.0"
- ],
- "v": "<1.51.0"
- }
- ],
- "deluge": [
- {
- "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.",
- "cve": "PVE-2021-37155",
- "id": "pyup.io-37155",
+ "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.",
+ "cve": "PVE-2021-39709",
+ "id": "pyup.io-39709",
"specs": [
- "<2.0.0"
+ "<1.23.0"
],
- "v": "<2.0.0"
+ "v": "<1.23.0"
}
],
- "descarteslabs": [
+ "conference-scheduler-cli": [
{
- "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.",
- "cve": "PVE-2021-40827",
- "id": "pyup.io-40827",
+ "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.",
+ "cve": "CVE-2018-14572",
+ "id": "pyup.io-36425",
"specs": [
- "<1.8.1"
+ "<=0.10.1"
],
- "v": "<1.8.1"
+ "v": "<=0.10.1"
}
],
- "destringcare": [
+ "confidant": [
{
- "advisory": "destringcare 0.0.4 change: Removed `pycrypto` due to security issue",
- "cve": "PVE-2021-37228",
- "id": "pyup.io-37228",
+ "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.",
+ "cve": "PVE-2021-26670",
+ "id": "pyup.io-26670",
"specs": [
- "<0.0.4"
+ "<1.1.13"
],
- "v": "<0.0.4"
- }
- ],
- "determined": [
+ "v": "<1.1.13"
+ },
{
- "advisory": "Determined 0.12.12rc0 upgrades lodash to fix a vulnerability.",
- "cve": "PVE-2021-38656",
- "id": "pyup.io-38656",
+ "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.",
+ "cve": "PVE-2021-25668",
+ "id": "pyup.io-25668",
"specs": [
- "<0.12.12rc0"
+ "<1.1.14"
],
- "v": "<0.12.12rc0"
+ "v": "<1.1.14"
},
{
- "advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates link to support secure blank targets (d1146d3).",
- "cve": "PVE-2021-38415",
- "id": "pyup.io-38415",
+ "advisory": "Confidant v1.10.0 upgrades gevent and greenlet to address CVE-2016-5180 and gevent/gevent#477.",
+ "cve": "CVE-2016-5180",
+ "id": "pyup.io-38504",
"specs": [
- "<0.12.7"
+ "<1.10.0"
],
- "v": "<0.12.7"
+ "v": "<1.10.0"
},
{
- "advisory": "Determined 0.14.0 updates the 'storybook' dependency to resolve a GitHub security vulnerability for 'highlight.js'.",
- "cve": "PVE-2021-39625",
- "id": "pyup.io-39625",
+ "advisory": "Confidant 1.6.0 updates python-saml to address CVE-2016-1000252.",
+ "cve": "CVE-2016-1000252",
+ "id": "pyup.io-38505",
"specs": [
- "<0.14.0"
+ "<1.6.0"
],
- "v": "<0.14.0"
+ "v": "<1.6.0"
},
{
- "advisory": "Determined 0.16.0.dev0 upgrades the 'ws' dependency to patch a security vulnerability.",
- "cve": "PVE-2021-40670",
- "id": "pyup.io-40670",
+ "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.",
+ "cve": "PVE-2021-37471",
+ "id": "pyup.io-37471",
"specs": [
- "<0.16.0.dev0"
+ "<5.0.0"
],
- "v": "<0.16.0.dev0"
+ "v": "<5.0.0"
},
{
- "advisory": "Determined 0.16.4 includes a fix to prevent log html injection via unicode.",
- "cve": "PVE-2021-41255",
- "id": "pyup.io-41255",
+ "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve the security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to periodically be rotated for security purposes.",
+ "cve": "PVE-2021-38560",
+ "id": "pyup.io-38560",
"specs": [
- "<0.16.4"
+ "<6.3.0"
],
- "v": "<0.16.4"
+ "v": "<6.3.0"
}
],
- "devpi-ldap": [
+ "confidence": [
{
- "advisory": "Devpi-ldap version 2.0.0 includes a security patch for the function 'init' in 'devpi_ldap/main.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\n https://github.com/devpi/devpi-ldap/commit/8da2b3c1ed44e8223ce006a3737dc6a8446e945d#diff-ecbfd22333fa5942c9fe7a999189222d1ca71d72a1a89d7a1f55d559671eb200",
- "cve": "CVE-2020-1747",
- "id": "pyup.io-41316",
+ "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. \r\nconfidence >=0.4 now uses ``yaml.safe_load``",
+ "cve": "PVE-2021-36308",
+ "id": "pyup.io-36308",
"specs": [
- "<2.0.0"
+ "<0.4"
],
- "v": "<2.0.0"
+ "v": "<0.4"
}
],
- "diffpriv": [
+ "confire": [
{
- "advisory": "Diffpriv 1.0.0rc1 includes a security fix: with the 'diff' and 'enc' modules, parameters were stored in Python memory, and never removed. This commit deletes these parameters and helps prevent attackers from gaining access to these parameters, which can help them gain access to the original text and/or data.",
- "cve": "PVE-2021-40539",
- "id": "pyup.io-40539",
+ "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
+ "cve": "CVE-2017-16763",
+ "id": "pyup.io-35721",
"specs": [
- "<1.0.0rc1"
+ "<=0.2.0"
],
- "v": "<1.0.0rc1"
+ "v": "<=0.2.0"
}
],
- "digitalmarketplace-utils": [
+ "confluent-kafka": [
{
- "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.",
- "cve": "PVE-2021-39653",
- "id": "pyup.io-39653",
+ "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.",
+ "cve": "PVE-2021-37508",
+ "id": "pyup.io-37508",
"specs": [
- "<22.0.0"
+ "<1.1.0"
],
- "v": "<22.0.0"
- }
- ],
- "dirac": [
+ "v": "<1.1.0"
+ },
{
- "advisory": "dirac 2.1 updates OpenSSL to avoid CVE-2021-3449 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449",
- "cve": "PVE-2021-40206",
- "id": "pyup.io-40206",
+ "advisory": "Confluent-kafka 1.3.0 includes a fix for CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"",
+ "cve": "CVE-2019-17543",
+ "id": "pyup.io-38072",
"specs": [
- "<2.1"
+ "<1.3.0"
],
- "v": "<2.1"
+ "v": "<1.3.0"
+ },
+ {
+ "advisory": "Confluent-kafka 1.4.0 includes two security issues in the SASL SCRAM protocol handler:\r\n * The client nonce, which is expected to be a random string, was a static string.\r\n * If `sasl.username` and `sasl.password` contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.",
+ "cve": "PVE-2021-38165",
+ "id": "pyup.io-38165",
+ "specs": [
+ "<1.4.0"
+ ],
+ "v": "<1.4.0"
}
],
- "directory-client-core": [
+ "conn-check": [
{
- "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.",
- "cve": "PVE-2021-38689",
- "id": "pyup.io-38689",
+ "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.",
+ "cve": "PVE-2021-25669",
+ "id": "pyup.io-25669",
"specs": [
- "<5.1.1"
+ "<1.0.18"
],
- "v": "<5.1.1"
+ "v": "<1.0.18"
}
],
- "directory-components": [
+ "container-service-extension": [
{
- "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.",
- "cve": "PVE-2021-37298",
- "id": "pyup.io-37298",
+ "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching",
+ "cve": "PVE-2021-36876",
+ "id": "pyup.io-36876",
"specs": [
- "<25.0.1"
+ "<1.2.5"
],
- "v": "<25.0.1"
+ "v": "<1.2.5"
},
{
- "advisory": "The `django_language` and `country` cookies in directory-components 33.0.0 set as secure and http-only.",
- "cve": "PVE-2021-37475",
- "id": "pyup.io-37475",
+ "advisory": "Container-service-extension version 1.2.7 upgrades its dependency \"docker\" to include a security fix.",
+ "cve": "CVE-2019-5736",
+ "id": "pyup.io-37100",
"specs": [
- "<33.0.0"
+ "<1.2.7"
],
- "v": "<33.0.0"
- }
- ],
- "dirsearch": [
+ "v": "<1.2.7"
+ },
{
- "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. See also: .",
- "cve": "PVE-2021-40799",
- "id": "pyup.io-40799",
+ "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.",
+ "cve": "PVE-2021-37529",
+ "id": "pyup.io-37529",
"specs": [
- "<0.4.2"
+ "<2.5.0b1"
],
- "v": "<0.4.2"
+ "v": "<2.5.0b1"
}
],
- "discogs-client": [
+ "contentful": [
{
- "advisory": "discogs-client 2.2.2 updates dependencies to resolve security vulnerabilities",
- "cve": "PVE-2021-36787",
- "id": "pyup.io-36787",
+ "advisory": "Contentful 1.11.3 updates 'requests' version due to a vulnerability found in versions '2.19' and below.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36633",
"specs": [
- "<2.2.2"
+ "<1.11.3"
],
- "v": "<2.2.2"
- }
- ],
- "discord-ext-slash": [
+ "v": "<1.11.3"
+ },
{
- "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found.)",
- "cve": "PVE-2021-39641",
- "id": "pyup.io-39641",
+ "advisory": "Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.",
+ "cve": "CVE-2020-13258",
+ "id": "pyup.io-38314",
"specs": [
- "<0.2.3"
+ "<=1.12.3"
],
- "v": "<0.2.3"
+ "v": "<=1.12.3"
}
],
- "discordpie": [
+ "contentful-management": [
{
- "advisory": "Discordpie 0.5.1 includes a security patch. No details are given.",
- "cve": "PVE-2021-38343",
- "id": "pyup.io-38343",
+ "advisory": "Contentful-management 2.5.0 updates 'requests' version due to a vulnerability found in previous versions.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36599",
"specs": [
- "<0.5.1"
+ "<2.5.0"
],
- "v": "<0.5.1"
+ "v": "<2.5.0"
}
],
- "dispatch": [
+ "contestms": [
{
- "advisory": "Dispatch 1.3.16 updates the 'Django' dependency version for security reasons.",
- "cve": "PVE-2021-40402",
- "id": "pyup.io-40402",
+ "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. These won't be backported to 1.1, so make sure you update.",
+ "cve": "PVE-2021-34249",
+ "id": "pyup.io-34249",
"specs": [
- "<1.3.16"
+ "<1.2.0"
],
- "v": "<1.3.16"
+ "v": "<1.2.0"
}
],
- "divina": [
+ "cookie-manager": [
{
- "advisory": "Divina 0.1 adds a security group with ssh access enabled on partitioning EC2.",
- "cve": "PVE-2021-41294",
- "id": "pyup.io-41294",
+ "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.",
+ "cve": "PVE-2021-38106",
+ "id": "pyup.io-38106",
"specs": [
- "<0.1"
+ "<1.0.3"
],
- "v": "<0.1"
+ "v": "<1.0.3"
},
{
- "advisory": "Divina 2021.8.1 adds a security group with ssh access enabled for the EC2 partitioning.",
- "cve": "PVE-2021-41237",
- "id": "pyup.io-41237",
- "specs": [
- "<2021.8.1"
- ],
- "v": "<2021.8.1"
- }
- ],
- "diycrate": [
- {
- "advisory": "Diycrate version 0.2.11.0 includes a security patch for the function 'oauth_dance' in 'diycrate/oauth_utils.py'. It contained requests calls with verify=False, disabling SSL certificate checks.\r\nhttps://github.com/jheld/diycrate/commit/40e51a586f16da215a3ff8096cfa64e23b0fa5cb#diff-7772b99d74abcfaa2bf013c9a4647b2b42cec23f84a79a5d4de0ef6973720971",
- "cve": "PVE-2021-41317",
- "id": "pyup.io-41317",
+ "advisory": "Cookie-manager 1.1.0 bumps Bleach to patch a vulnerability.",
+ "cve": "PVE-2021-38153",
+ "id": "pyup.io-38153",
"specs": [
- "<0.2.11.0"
+ "<1.1.0"
],
- "v": "<0.2.11.0"
- }
- ],
- "djangae": [
+ "v": "<1.1.0"
+ },
{
- "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).",
- "cve": "PVE-2021-25693",
- "id": "pyup.io-25693",
+ "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. See Bleach 3.3.0 for further details.",
+ "cve": "PVE-2021-40165",
+ "id": "pyup.io-40165",
"specs": [
- "<0.9.4"
+ "<1.2.1"
],
- "v": "<0.9.4"
+ "v": "<1.2.1"
}
],
- "django": [
+ "cookiecutter": [
{
- "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.",
- "cve": "CVE-2009-2659",
- "id": "pyup.io-25694",
+ "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6",
+ "cve": "PVE-2021-34683",
+ "id": "pyup.io-34683",
"specs": [
- "<1.0"
+ "<0.1.0"
],
- "v": "<1.0"
+ "v": "<0.1.0"
},
{
- "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.",
- "cve": "CVE-2009-3695",
- "id": "pyup.io-25695",
+ "advisory": "Cookiecutter 0.3.1 updates Pillow version to 3.2.0 (security fix).",
+ "cve": "PVE-2021-27445",
+ "id": "pyup.io-27445",
"specs": [
- "<1.0.4",
- ">=1.1,<1.1.1"
+ "<0.3.1"
],
- "v": "<1.0.4,>=1.1,<1.1.1"
+ "v": "<0.3.1"
},
{
- "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.",
- "cve": "CVE-2010-4535",
- "id": "pyup.io-33059",
+ "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.",
+ "cve": "PVE-2021-37672",
+ "id": "pyup.io-37672",
"specs": [
- "<1.1.3",
- ">=1.2,<1.2.4"
+ "<1.1.0"
],
- "v": "<1.1.3,>=1.2,<1.2.4"
- },
+ "v": "<1.1.0"
+ }
+ ],
+ "coordination-network-toolkit": [
{
- "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.",
- "cve": "CVE-2010-4534",
- "id": "pyup.io-33058",
+ "advisory": "Coordination-network-toolkit 1.0.2 includes a security patch to the 'urllib3' among other dependency updates.",
+ "cve": "PVE-2021-40624",
+ "id": "pyup.io-40624",
"specs": [
- "<1.1.3",
- ">=1.2,<1.2.4"
+ "<1.0.2"
],
- "v": "<1.1.3,>=1.2,<1.2.4"
- },
+ "v": "<1.0.2"
+ }
+ ],
+ "copyparty": [
{
- "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.",
- "cve": "CVE-2011-0697",
- "id": "pyup.io-33061",
+ "advisory": "The maintainers of Copyparty report that they \"hopefully\" have fixed a bug in version 0.12.3 where malicious POSTs through an nginx reverse-proxy could put the connection in a bad state, causing the next legit request to fail with bad headers",
+ "cve": "PVE-2021-41050",
+ "id": "pyup.io-41050",
"specs": [
- "<1.1.4"
+ "<0.12.3"
],
- "v": "<1.1.4"
- },
+ "v": "<0.12.3"
+ }
+ ],
+ "cortex": [
{
- "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.",
- "cve": "CVE-2011-0696",
- "id": "pyup.io-33060",
+ "advisory": "cortex before 0.32.0",
+ "cve": "PVE-2021-40128",
+ "id": "pyup.io-40128",
"specs": [
- "<1.1.4",
- ">=1.2,<1.2.5"
+ "<0.32.0"
],
- "v": "<1.1.4,>=1.2,<1.2.5"
- },
+ "v": "<0.32.0"
+ }
+ ],
+ "cosmos-wfm": [
{
- "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.",
- "cve": "CVE-2011-0698",
- "id": "pyup.io-33062",
+ "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).",
+ "cve": "PVE-2021-34181",
+ "id": "pyup.io-34181",
"specs": [
- "<1.1.4",
- ">=1.2,<1.2.5"
+ "<2.1.1"
],
- "v": "<1.1.4,>=1.2,<1.2.5"
- },
+ "v": "<2.1.1"
+ }
+ ],
+ "coveralls": [
{
- "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
- "cve": "CVE-2019-6975",
- "id": "pyup.io-36885",
+ "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.",
+ "cve": "PVE-2021-25671",
+ "id": "pyup.io-25671",
"specs": [
- "<1.11.19,>=1.11.0"
+ "<0.1.1"
],
- "v": "<1.11.19,>=1.11.0"
- },
+ "v": "<0.1.1"
+ }
+ ],
+ "covert": [
{
- "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.",
- "cve": "CVE-2019-12781",
- "id": "pyup.io-37261",
+ "advisory": "Covert 0.2.1 ensures that all authentication tokens are unique, also for repeated public keys.\r\nhttps://github.com/covert-encryption/covert/commit/1a40aa80bb9f0401e2eb59d93df5e531c4ec1623",
+ "cve": "PVE-2021-42679",
+ "id": "pyup.io-42679",
"specs": [
- "<1.11.22,>1.11",
- "<2.1.10,>2.1",
- "<2.2.3,>2.2"
+ "<0.2.1"
],
- "v": "<1.11.22,>1.11,<2.1.10,>2.1,<2.2.3,>2.2"
- },
+ "v": "<0.2.1"
+ }
+ ],
+ "cplay-ng": [
{
- "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.",
- "cve": "PVE-2021-37259",
- "id": "pyup.io-37259",
+ "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.",
+ "cve": "PVE-2021-25672",
+ "id": "pyup.io-25672",
"specs": [
- "<1.11.22,>1.11.21"
+ "<1.50"
],
- "v": "<1.11.22,>1.11.21"
- },
+ "v": "<1.50"
+ }
+ ],
+ "crate-docs-theme": [
{
- "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.",
- "cve": "CVE-2019-19844",
- "id": "pyup.io-37771",
+ "advisory": "Crate-docs-theme 0.13.0 updates/removes Bootstrap and jQuery packages (nine vulnerabilities detected).",
+ "cve": "PVE-2021-39529",
+ "id": "pyup.io-39529",
"specs": [
- "<1.11.27",
- ">=2.0a1,<2.2.9",
- ">=3.0a1,<3.0.1"
+ "<0.13.0"
],
- "v": "<1.11.27,>=2.0a1,<2.2.9,>=3.0a1,<3.0.1"
- },
+ "v": "<0.13.0"
+ }
+ ],
+ "creavel": [
{
- "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.",
- "cve": "CVE-2010-3082",
- "id": "pyup.io-25701",
+ "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.",
+ "cve": "PVE-2021-25673",
+ "id": "pyup.io-25673",
"specs": [
- "<1.2.2"
+ "<0.11.0"
],
- "v": "<1.2.2"
+ "v": "<0.11.0"
},
{
- "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.",
- "cve": "CVE-2011-4138",
- "id": "pyup.io-33065",
+ "advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.",
+ "cve": "PVE-2021-25674",
+ "id": "pyup.io-25674",
"specs": [
- "<1.2.7",
- ">=1.3,<1.3.1"
+ "<0.14.0"
],
- "v": "<1.2.7,>=1.3,<1.3.1"
- },
+ "v": "<0.14.0"
+ }
+ ],
+ "credstash": [
{
- "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.",
- "cve": "CVE-2011-4140",
- "id": "pyup.io-33066",
+ "advisory": "credstash 1.16.0 updates to pyyaml>=4.2b1 due to security vulnerability in older versions",
+ "cve": "PVE-2021-37852",
+ "id": "pyup.io-37852",
"specs": [
- "<1.2.7",
- ">=1.3,<1.3.1"
+ "<1.16.0"
],
- "v": "<1.2.7,>=1.3,<1.3.1"
- },
- {
- "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.",
- "cve": "CVE-2011-4136",
- "id": "pyup.io-33063",
- "specs": [
- "<1.2.7",
- ">=1.3,<1.3.1"
- ],
- "v": "<1.2.7,>=1.3,<1.3.1"
- },
+ "v": "<1.16.0"
+ }
+ ],
+ "creopyson": [
{
- "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.",
- "cve": "CVE-2011-4137",
- "id": "pyup.io-33064",
+ "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.",
+ "cve": "PVE-2021-37964",
+ "id": "pyup.io-37964",
"specs": [
- "<1.2.7",
- ">=1.3,<1.3.1"
+ "<0.4.2"
],
- "v": "<1.2.7,>=1.3,<1.3.1"
- },
+ "v": "<0.4.2"
+ }
+ ],
+ "cromwell-tools": [
{
- "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.",
- "cve": "CVE-2012-3442",
- "id": "pyup.io-33067",
+ "advisory": "Cromwell-tools 1.0.0 updates requests to v2.20.0 to avoid security issues.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36659",
"specs": [
- "<1.3.2",
- ">=1.4,<1.4.1"
+ "<1.0.0"
],
- "v": "<1.3.2,>=1.4,<1.4.1"
- },
+ "v": "<1.0.0"
+ }
+ ],
+ "crossbar": [
{
- "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.",
- "cve": "CVE-2012-3443",
- "id": "pyup.io-33068",
+ "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
+ "cve": "PVE-2021-25675",
+ "id": "pyup.io-25675",
"specs": [
- "<1.3.2",
- ">=1.4,<1.4.1"
+ "<0.15.0"
],
- "v": "<1.3.2,>=1.4,<1.4.1"
+ "v": "<0.15.0"
},
{
- "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
- "cve": "CVE-2012-3444",
- "id": "pyup.io-33069",
+ "advisory": "crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.",
+ "cve": "PVE-2021-25676",
+ "id": "pyup.io-25676",
"specs": [
- "<1.3.2",
- ">=1.4,<1.4.1"
+ "<0.6.4"
],
- "v": "<1.3.2,>=1.4,<1.4.1"
+ "v": "<0.6.4"
},
{
- "advisory": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.",
- "cve": "CVE-2012-4520",
- "id": "pyup.io-25709",
+ "advisory": "Crossbar 20.12.3 fixes a dependency on Autobahn v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.",
+ "cve": "PVE-2021-39329",
+ "id": "pyup.io-39329",
"specs": [
- "<1.3.4",
- ">=1.4,<1.4.2"
+ "<20.12.3"
],
- "v": "<1.3.4,>=1.4,<1.4.2"
- },
+ "v": "<20.12.3"
+ }
+ ],
+ "croud": [
{
- "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
- "cve": "CVE-2015-0220",
- "id": "pyup.io-33071",
+ "advisory": "Croud 0.3.0 includes a fix for CVE-2017-18342, an arbitrary code execution vulnerability in yaml.load().\r\nhttps://github.com/crate/croud/commit/821f2ba47285f5b5ad3e2e2782c44f867da931ee",
+ "cve": "CVE-2017-18342",
+ "id": "pyup.io-42353",
"specs": [
- "<1.4.18",
- ">=1.6,<1.6.10",
- ">=1.7,<1.7.3"
+ "<0.3.0"
],
- "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3"
- },
+ "v": "<0.3.0"
+ }
+ ],
+ "crypt": [
{
- "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.",
- "cve": "CVE-2015-0221",
- "id": "pyup.io-33072",
+ "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
+ "cve": "PVE-2021-34981",
+ "id": "pyup.io-34981",
"specs": [
- "<1.4.18",
- ">=1.6,<1.6.10",
- ">=1.7,<1.7.3"
+ ">0",
+ "<0"
],
- "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3"
- },
+ "v": ">0,<0"
+ }
+ ],
+ "cryptacular": [
{
- "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.",
- "cve": "CVE-2015-0219",
- "id": "pyup.io-33070",
+ "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.",
+ "cve": "CVE-2011-2483",
+ "id": "pyup.io-42230",
"specs": [
- "<1.4.18",
- ">=1.7,<1.7.3",
- ">=1.6,<1.6.10"
+ "<1.2"
],
- "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10"
+ "v": "<1.2"
},
{
- "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.",
- "cve": "CVE-2016-2512",
- "id": "pyup.io-33073",
+ "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.",
+ "cve": "PVE-2021-25677",
+ "id": "pyup.io-25677",
"specs": [
- "<1.8.10",
- ">=1.9,<1.9.3"
+ "<1.2"
],
- "v": "<1.8.10,>=1.9,<1.9.3"
- },
+ "v": "<1.2"
+ }
+ ],
+ "crypto-candlesticks": [
{
- "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
- "cve": "CVE-2016-2513",
- "id": "pyup.io-33074",
+ "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.",
+ "cve": "PVE-2021-39697",
+ "id": "pyup.io-39697",
"specs": [
- "<1.8.10",
- ">=1.9,<1.9.3"
+ "<0.1.5"
],
- "v": "<1.8.10,>=1.9,<1.9.3"
- },
+ "v": "<0.1.5"
+ }
+ ],
+ "cryptography": [
{
- "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.",
- "cve": "CVE-2018-16984",
- "id": "pyup.io-36522",
+ "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.",
+ "cve": "PVE-2021-25678",
+ "id": "pyup.io-25678",
"specs": [
- "<2.1.2,>=2.1"
+ "<0.9.1"
],
- "v": "<2.1.2,>=2.1"
+ "v": "<0.9.1"
},
{
- "advisory": "django before 2.1.2 fixes a security bug in 2.1.x. \r\nIf an admin user has the change permission to the user model, only part of the\r\npassword hash is displayed in the change form. Admin users with the view (but\r\nnot change) permission to the user model were displayed the entire hash.",
- "cve": "CVE-2018-16984",
- "id": "pyup.io-36517",
+ "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.",
+ "cve": "PVE-2021-25679",
+ "id": "pyup.io-25679",
"specs": [
- "<2.1.2,>=2.1.0"
+ "<1.0.2"
],
- "v": "<2.1.2,>=2.1.0"
+ "v": "<1.0.2"
},
{
- "advisory": "Django 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
- "cve": "CVE-2019-6975",
- "id": "pyup.io-36883",
+ "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.",
+ "cve": "CVE-2016-9243",
+ "id": "pyup.io-25680",
"specs": [
- "<2.1.6,>=2.1.0"
+ "<1.5.3"
],
- "v": "<2.1.6,>=2.1.0"
+ "v": "<1.5.3"
},
{
- "advisory": "Django versions 2.2.24, 3.1.12, and 3.2.4 include a fix for CVE-2021-33203: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. See CVE-2021-33203.\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases/\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce",
- "cve": "CVE-2021-33203",
- "id": "pyup.io-40637",
+ "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.",
+ "cve": "PVE-2021-39252",
+ "id": "pyup.io-39252",
"specs": [
- "<2.2.24",
- ">=3.0a1,<3.1.12",
- ">=3.2a1,<3.2.4"
+ "<3.3"
],
- "v": "<2.2.24,>=3.0a1,<3.1.12,>=3.2a1,<3.2.4"
+ "v": "<3.3"
},
{
- "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash. See: CVE-2018-14574.",
- "cve": "CVE-2018-14574",
- "id": "pyup.io-36359",
+ "advisory": "In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. See: CVE-2020-36242.",
+ "cve": "CVE-2020-36242",
+ "id": "pyup.io-39606",
"specs": [
- "==1.11.14"
+ "<3.3.2"
],
- "v": "==1.11.14"
+ "v": "<3.3.2"
},
{
- "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).",
- "cve": "CVE-2019-12308",
- "id": "pyup.io-37186",
+ "advisory": "Cryptography 3.2 was released with the warning that its maintainers became aware of a Bleichenbacher vulnerability that they were only partly able to mitigate. See: CVE-2020-25659.",
+ "cve": "CVE-2020-25659",
+ "id": "pyup.io-38932",
"specs": [
- "==1.11.20"
+ "<=3.2"
],
- "v": "==1.11.20"
+ "v": "<=3.2"
},
{
- "advisory": "Django 1.11.23 fixes CVE-2019-14235 in 1.11.22.",
- "cve": "CVE-2019-14235",
- "id": "pyup.io-39599",
+ "advisory": "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903.",
+ "cve": "CVE-2018-10903",
+ "id": "pyup.io-36351",
"specs": [
- "==1.11.22"
+ ">=1.9.0,<2.3"
],
- "v": "==1.11.22"
- },
+ "v": ">=1.9.0,<2.3"
+ }
+ ],
+ "cryptography-vectors": [
{
- "advisory": "Django 1.11.23 fixes CVE-2019-14233 in 1.11.22.",
- "cve": "CVE-2019-14233",
- "id": "pyup.io-39601",
+ "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.",
+ "cve": "PVE-2021-25681",
+ "id": "pyup.io-25681",
"specs": [
- "==1.11.22"
+ "<0.9.1"
],
- "v": "==1.11.22"
+ "v": "<0.9.1"
},
{
- "advisory": "Django 1.11.23 fixes CVE-2019-14234 in 1.11.22.",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-39600",
+ "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.",
+ "cve": "PVE-2021-25682",
+ "id": "pyup.io-25682",
"specs": [
- "==1.11.22"
+ "<1.0.2"
],
- "v": "==1.11.22"
+ "v": "<1.0.2"
},
{
- "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.",
- "cve": "CVE-2019-14232",
- "id": "pyup.io-37326",
+ "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.",
+ "cve": "CVE-2016-9243",
+ "id": "pyup.io-25683",
"specs": [
- "==1.11.22"
+ "<1.5.3"
],
- "v": "==1.11.22"
- },
- {
- "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.",
- "cve": "CVE-2019-19844",
- "id": "pyup.io-37663",
+ "v": "<1.5.3"
+ }
+ ],
+ "cssutils": [
+ {
+ "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)",
+ "cve": "PVE-2021-25684",
+ "id": "pyup.io-25684",
"specs": [
- "==1.11.26"
+ "<0.9.6a2"
],
- "v": "==1.11.26"
- },
+ "v": "<0.9.6a2"
+ }
+ ],
+ "cstar": [
{
- "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.",
- "cve": "CVE-2020-7471",
- "id": "pyup.io-37817",
+ "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). See: .",
+ "cve": "PVE-2021-39224",
+ "id": "pyup.io-39224",
"specs": [
- "==1.11.27"
+ "<0.5.0"
],
- "v": "==1.11.27"
- },
+ "v": "<0.5.0"
+ }
+ ],
+ "cumin": [
{
- "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash. See: CVE-2018-14574.",
- "cve": "CVE-2018-14574",
- "id": "pyup.io-36358",
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.",
+ "cve": "CVE-2012-1575",
+ "id": "pyup.io-35357",
"specs": [
- "==2.0.7"
+ "=0.56.1, to avoid a security vulnerability.",
+ "cve": "PVE-2021-40620",
+ "id": "pyup.io-40620",
"specs": [
- "==3.0.12"
+ "<0.4.1"
],
- "v": "==3.0.12"
- },
+ "v": "<0.4.1"
+ }
+ ],
+ "datasette-css-properties": [
{
- "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.",
- "cve": "CVE-2020-7471",
- "id": "pyup.io-37815",
+ "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML which could be an XSS security hole.",
+ "cve": "PVE-2021-39422",
+ "id": "pyup.io-39422",
"specs": [
- "==3.0.2"
+ "<0.2"
],
- "v": "==3.0.2"
- },
+ "v": "<0.2"
+ }
+ ],
+ "datasette-graphql": [
{
- "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33571).",
- "cve": "PVE-2021-40598",
- "id": "pyup.io-40598",
+ "advisory": "Satasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible, though not their actual row content. See: .",
+ "cve": "PVE-2021-39174",
+ "id": "pyup.io-39174",
"specs": [
- "==3.1.11"
+ "<1.2"
],
- "v": "==3.1.11"
- },
+ "v": "<1.2"
+ }
+ ],
+ "datasette-indieauth": [
{
- "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33203).",
- "cve": "PVE-2021-40585",
- "id": "pyup.io-40585",
+ "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.",
+ "cve": "PVE-2021-39164",
+ "id": "pyup.io-39164",
"specs": [
- "==3.1.11"
+ "<1.1"
],
- "v": "==3.1.11"
- },
+ "v": "<1.1"
+ }
+ ],
+ "datasette-insert": [
{
- "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).",
- "cve": "CVE-2021-3281",
- "id": "pyup.io-39521",
+ "advisory": "Datasette-insert 0.6 is locked down by default. This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.",
+ "cve": "PVE-2021-38644",
+ "id": "pyup.io-38644",
"specs": [
- "==3.1.5"
+ "<0.6"
],
- "v": "==3.1.5"
- },
+ "v": "<0.6"
+ }
+ ],
+ "datasette-query-links": [
{
- "advisory": "Django 3.1.6 includes vulnerability CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
- "cve": "CVE-2021-23336",
- "id": "pyup.io-39644",
+ "advisory": "Datasette-query-links 0.1.1 fixes an XSS security bug. See: https://github.com/simonw/datasette-query-links/issues/2",
+ "cve": "PVE-2021-41092",
+ "id": "pyup.io-41092",
"specs": [
- "==3.1.6"
+ "<0.1.1"
],
- "v": "==3.1.6"
- },
+ "v": "<0.1.1"
+ }
+ ],
+ "datasette-seaborn": [
{
- "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-33203).",
- "cve": "PVE-2021-40584",
- "id": "pyup.io-40584",
+ "advisory": "The maintainers or the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.",
+ "cve": "PVE-2021-38782",
+ "id": "pyup.io-38782",
"specs": [
- "==3.2.3"
+ "==0.1a0"
],
- "v": "==3.2.3"
- },
+ "v": "==0.1a0"
+ }
+ ],
+ "dateable-chronos": [
{
- "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-3357).",
- "cve": "PVE-2021-40599",
- "id": "pyup.io-40599",
+ "advisory": "Dateable-chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71",
+ "cve": "PVE-2021-35988",
+ "id": "pyup.io-35988",
"specs": [
- "==3.2.3"
+ "<0.8"
],
- "v": "==3.2.3"
- },
+ "v": "<0.8"
+ }
+ ],
+ "dateable.chronos": [
{
- "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================",
- "cve": "PVE-2021-25722",
- "id": "pyup.io-25722",
+ "advisory": "dateable.chronos 0.7.2 fixes a XSS vulnerability in the get_view_day method.",
+ "cve": "PVE-2021-25685",
+ "id": "pyup.io-25685",
"specs": [
- ">=1.10,<1.10.3"
+ "<0.7.2"
],
- "v": ">=1.10,<1.10.3"
- },
+ "v": "<0.7.2"
+ }
+ ],
+ "datera-cinder": [
{
- "advisory": "CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n `)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.",
- "cve": "CVE-2017-7233",
- "id": "pyup.io-33300",
+ "advisory": "Datera-cinder 2018.10.30.0 updates the required 'requests' version to >=2.20.0 to include a fix for CVE-2018-18074.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-37204",
"specs": [
- ">=1.10,<1.10.7"
+ "<2018.10.30.0"
],
- "v": ">=1.10,<1.10.7"
- },
+ "v": "<2018.10.30.0"
+ }
+ ],
+ "datumaro": [
{
- "advisory": "Django 1.10.8 fixes a security issue in 1.10.7. In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with 'DEBUG = True' (which makes this page accessible) in your production settings. See also: CVE-2017-12794, described as \"Possible XSS in traceback section of technical 500 debug page\".",
- "cve": "CVE-2017-12794",
- "id": "pyup.io-34918",
+ "advisory": "Datumaro version 0.1.10 includes a fix for an arbitrary code execution vulnerability: Cifar implementation is based on pickle, which can run arbitrary code on unpickling.\r\nhttps://github.com/openvinotoolkit/datumaro/issues/327",
+ "cve": "PVE-2021-41817",
+ "id": "pyup.io-41817",
"specs": [
- ">=1.10.7,<1.10.8"
+ "<0.1.10"
],
- "v": ">=1.10.7,<1.10.8"
- },
+ "v": "<0.1.10"
+ }
+ ],
+ "dawgie": [
{
- "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.",
- "cve": "CVE-2020-7471",
- "id": "pyup.io-37970",
+ "advisory": "Dawgie 1.2.3 includes a vulnerability fix.",
+ "cve": "PVE-2021-40122",
+ "id": "pyup.io-40122",
"specs": [
- ">=1.11,<1.11.28",
- ">=2.2,<2.2.10",
- ">=3.0,<3.0.3"
+ "<1.2.3"
],
- "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3"
+ "v": "<1.2.3"
},
{
- "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.",
- "cve": "CVE-2017-12794",
- "id": "pyup.io-34917",
+ "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.",
+ "cve": "PVE-2021-40121",
+ "id": "pyup.io-40121",
"specs": [
- ">=1.11,<1.11.5"
+ "<1.2.9"
],
- "v": ">=1.11,<1.11.5"
- },
+ "v": "<1.2.9"
+ }
+ ],
+ "dbcat": [
{
- "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.",
- "cve": "CVE-2019-12308",
- "id": "pyup.io-37191",
+ "advisory": "Dbcat 0.3.1 updates its dependency 'cryptography' to v3.4.4 to include a security fix.",
+ "cve": "CVE-2020-36242",
+ "id": "pyup.io-42696",
"specs": [
- ">=1.11.0,<1.11.21",
- ">=2.1,<2.1.9",
- ">=2.2,<2.2.2"
+ "<0.3.1"
],
- "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2"
- },
+ "v": "<0.3.1"
+ }
+ ],
+ "dbt-core": [
{
- "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
- "cve": "CVE-2019-14232",
- "id": "pyup.io-37329",
+ "advisory": "Dbt-core 0.20.0rc1 updates its dependency 'jinja2' to v2.11.3 to include a security fix.",
+ "cve": "CVE-2020-28493",
+ "id": "pyup.io-42229",
"specs": [
- ">=1.11.0,<1.11.23",
- ">=2.1.0,<2.1.11",
- ">=2.2.0,<2.2.4"
+ "<0.20.0rc1"
],
- "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
- },
+ "v": "<0.20.0rc1"
+ }
+ ],
+ "dbtos3": [
{
- "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-37357",
+ "advisory": "Dbtos3 version 0.0.2a0 includes security fixes related to dependencies' updates.",
+ "cve": "PVE-2021-42017",
+ "id": "pyup.io-42017",
"specs": [
- ">=1.11.0,<1.11.23",
- ">=2.1.0,<2.1.11",
- ">=2.2.0,<2.2.4"
+ "<0.0.2a0"
],
- "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
- },
+ "v": "<0.0.2a0"
+ }
+ ],
+ "ddtrace": [
{
- "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.",
- "cve": "CVE-2019-14233",
- "id": "pyup.io-37330",
+ "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.",
+ "cve": "PVE-2021-35790",
+ "id": "pyup.io-35790",
"specs": [
- ">=1.11.0,<1.11.23",
- ">=2.1.0,<2.1.11",
- ">=2.2.0,<2.2.4"
+ "<0.11.0"
],
- "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
- },
+ "v": "<0.11.0"
+ }
+ ],
+ "debianized-jupyterhub": [
{
- "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
- "cve": "CVE-2019-14235",
- "id": "pyup.io-37331",
+ "advisory": "debianized-jupyterhub 0.9.51 updates to release 0.9.5 + NB 5.7.7 (fix for Open Redirect vulnerability)",
+ "cve": "PVE-2021-37002",
+ "id": "pyup.io-37002",
"specs": [
- ">=1.11.0,<1.11.23",
- ">=2.1.0,<2.1.11",
- ">=2.2.0,<2.2.4"
+ "<0.9.51"
],
- "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
- },
+ "v": "<0.9.51"
+ }
+ ],
+ "debops": [
{
- "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injections if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. See: CVE-2020-9402.",
- "cve": "CVE-2020-9402",
- "id": "pyup.io-38010",
+ "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.",
+ "cve": "PVE-2021-36371",
+ "id": "pyup.io-36371",
"specs": [
- ">=1.11.0,<1.11.29",
- ">=2.2.0,<2.2.11",
- ">=3.0.0,<3.0.4"
+ "<0.8.0"
],
- "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4"
+ "v": "<0.8.0"
},
{
- "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.",
- "cve": "CVE-2018-6188",
- "id": "pyup.io-35174",
+ "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: .",
+ "cve": "PVE-2021-37159",
+ "id": "pyup.io-37159",
"specs": [
- ">=1.11.8,<1.11.10"
+ "<1.0.0"
],
- "v": ">=1.11.8,<1.11.10"
+ "v": "<1.0.0"
},
{
- "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. A remote user can redirect the target user's browser to an arbitrary site.",
- "cve": "CVE-2018-14574",
- "id": "pyup.io-36368",
+ "advisory": "The :command:\"lxc-prepare-ssh\" script in debops 1.1.0 will no longer install SSH keys from the LXC host \"root\" account on the LXC container \"root\" account. That could cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.\r\nhttps://github.com/debops/debops/commit/6dd088e413ef4c5dac23d94bb338ae19398985e2",
+ "cve": "PVE-2021-37404",
+ "id": "pyup.io-37404",
"specs": [
- ">=1.11a1,<1.11.15",
- ">=2.0a1,<2.0.8"
+ "<1.1.0"
],
- "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8"
+ "v": "<1.1.0"
},
{
- "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.",
- "cve": "CVE-2019-3498",
- "id": "pyup.io-36771",
+ "advisory": "Debops 1.2.0 includes a security patch for CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.",
+ "cve": "CVE-2019-11043",
+ "id": "pyup.io-37733",
"specs": [
- ">=1.11a1,<1.11.18"
+ "<1.2.0"
],
- "v": ">=1.11a1,<1.11.18"
+ "v": "<1.2.0"
},
{
- "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.",
- "cve": "CVE-2013-0305",
- "id": "pyup.io-33111",
+ "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.",
+ "cve": "PVE-2021-37732",
+ "id": "pyup.io-37732",
"specs": [
- ">=1.3,<1.3.6",
- ">=1.4,<1.4.4",
- ">=1.5,<1.5.1"
+ "<1.7.0"
],
- "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1"
+ "v": "<1.7.0"
},
{
- "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.",
- "cve": "CVE-2013-0306",
- "id": "pyup.io-33112",
+ "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.",
+ "cve": "PVE-2021-26403",
+ "id": "pyup.io-26403",
"specs": [
- ">=1.3,<1.3.6",
- ">=1.4,<1.4.4",
- ">=1.5,<1.5.1"
+ "<2.0.0"
],
- "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1"
- },
+ "v": "<2.0.0"
+ }
+ ],
+ "decaptcha": [
{
- "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.",
- "cve": "CVE-2015-5964",
- "id": "pyup.io-25728",
+ "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0",
+ "cve": "PVE-2021-37892",
+ "id": "pyup.io-37892",
"specs": [
- ">=1.4,<1.4.22",
- ">=1.7,<1.7.10"
+ "<1.0.0"
],
- "v": ">=1.4,<1.4.22,>=1.7,<1.7.10"
+ "v": "<1.0.0"
},
{
- "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.",
- "cve": "CVE-2015-5963",
- "id": "pyup.io-25727",
+ "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0",
+ "cve": "PVE-2021-37891",
+ "id": "pyup.io-37891",
"specs": [
- ">=1.4,<1.4.22",
- ">=1.7,<1.7.10",
- ">=1.8,<1.8.4"
+ "<1.0.1"
],
- "v": ">=1.4,<1.4.22,>=1.7,<1.7.10,>=1.8,<1.8.4"
- },
+ "v": "<1.0.1"
+ }
+ ],
+ "deeposlandia": [
{
- "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.",
- "cve": "CVE-2013-1443",
- "id": "pyup.io-25729",
+ "advisory": "Deeposlandia 0.6 updates its dependencies, especially `Tensorflow`, due to vulnerability issues.",
+ "cve": "PVE-2021-38133",
+ "id": "pyup.io-38133",
"specs": [
- ">=1.6,<1.6-beta-4",
- ">=1.4,<1.4.8",
- ">=1.5,<1.5.4"
+ "<0.6"
],
- "v": ">=1.6,<1.6-beta-4,>=1.4,<1.4.8,>=1.5,<1.5.4"
+ "v": "<0.6"
},
{
- "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.",
- "cve": "CVE-2015-0222",
- "id": "pyup.io-25730",
+ "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to fix a moderate-severity vulnerability in pillow <6.2.2.",
+ "cve": "PVE-2021-38285",
+ "id": "pyup.io-38285",
"specs": [
- ">=1.7,<1.7.3",
- ">=1.6,<1.6.10"
+ "<0.6.2"
],
- "v": ">=1.7,<1.7.3,>=1.6,<1.6.10"
- },
+ "v": "<0.6.2"
+ }
+ ],
+ "definitions": [
{
- "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.",
- "cve": "CVE-2015-2316",
- "id": "pyup.io-25731",
+ "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.",
+ "cve": "CVE-2018-20325",
+ "id": "pyup.io-36752",
"specs": [
- ">=1.7,<1.7.7",
- ">=1.6,<1.6.11",
- ">=1.8a1,<1.8c1"
+ "<=0.2.0"
],
- "v": ">=1.7,<1.7.7,>=1.6,<1.6.11,>=1.8a1,<1.8c1"
- },
+ "v": "<=0.2.0"
+ }
+ ],
+ "defusedexpat": [
{
- "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.",
- "cve": "CVE-2015-5143",
- "id": "pyup.io-25725",
+ "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
+ "cve": "CVE-2013-1664",
+ "id": "pyup.io-33054",
"specs": [
- ">=1.7,<1.7.9",
- ">=1.5,<1.7",
- ">=1.4,<1.4.21"
+ "<0.3"
],
- "v": ">=1.7,<1.7.9,>=1.5,<1.7,>=1.4,<1.4.21"
+ "v": "<0.3"
},
{
- "advisory": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.",
- "cve": "CVE-2016-9014",
- "id": "pyup.io-33075",
+ "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
+ "cve": "CVE-2013-1665",
+ "id": "pyup.io-33055",
"specs": [
- ">=1.8,<1.8.16",
- ">=1.9,<1.9.11",
- ">=1.10,<1.10.3"
+ "<0.3"
],
- "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
- },
+ "v": "<0.3"
+ }
+ ],
+ "defusedxml": [
{
- "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.",
- "cve": "CVE-2016-9013",
- "id": "pyup.io-33076",
+ "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
+ "cve": "CVE-2013-1664",
+ "id": "pyup.io-33056",
"specs": [
- ">=1.8,<1.8.16",
- ">=1.9,<1.9.11",
- ">=1.10,<1.10.3"
+ "<0.4"
],
- "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
+ "v": "<0.4"
},
{
- "advisory": "Django 1.8.18 fixes two security issues in 1.8.17.\r\n\r\nCVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n `)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.",
- "cve": "CVE-2017-7233",
- "id": "pyup.io-33301",
+ "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
+ "cve": "CVE-2013-1665",
+ "id": "pyup.io-33057",
"specs": [
- ">=1.8,<1.8.18"
+ "<0.4"
],
- "v": ">=1.8,<1.8.18"
- },
+ "v": "<0.4"
+ }
+ ],
+ "deis": [
{
- "advisory": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.",
- "cve": "CVE-2015-3982",
- "id": "pyup.io-25732",
+ "advisory": "Deis 1.4.0 disables SSLv3 in its router module to handle CVE-2014-3566.\r\nhttps://github.com/deis/deis/commit/93bb0fd9cb33e5b8bdcfdc277d15d61b938a88d4",
+ "cve": "CVE-2014-3566",
+ "id": "pyup.io-25691",
"specs": [
- ">=1.8,<1.8.2"
+ "<1.4.0"
],
- "v": ">=1.8,<1.8.2"
- },
+ "v": "<1.4.0"
+ }
+ ],
+ "deltachat": [
{
- "advisory": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
- "cve": "CVE-2015-5145",
- "id": "pyup.io-25733",
+ "advisory": "Deltachat 1.0.0b17 fixes SQL/injection malformed Chat-Group-Name breakage.",
+ "cve": "PVE-2021-40086",
+ "id": "pyup.io-40086",
"specs": [
- ">=1.8,<1.8.3"
+ "<1.0.0b17"
],
- "v": ">=1.8,<1.8.3"
+ "v": "<1.0.0b17"
},
{
- "advisory": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.",
- "cve": "CVE-2015-5144",
- "id": "pyup.io-25726",
+ "advisory": "deltachat 1.0.0beta.2 has several security fixes",
+ "cve": "PVE-2021-37922",
+ "id": "pyup.io-37922",
"specs": [
- ">=1.8,<1.8.3",
- ">=1.7,<1.7.9",
- ">=1.5,<1.6",
- ">=1.4,<1.4.21"
+ "<1.0.0beta.2"
],
- "v": ">=1.8,<1.8.3,>=1.7,<1.7.9,>=1.5,<1.6,>=1.4,<1.4.21"
+ "v": "<1.0.0beta.2"
},
{
- "advisory": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.",
- "cve": "CVE-2015-8213",
- "id": "pyup.io-25714",
+ "advisory": "Deltachat 1.51.0 improves and harden secure join feature.",
+ "cve": "PVE-2021-40084",
+ "id": "pyup.io-40084",
"specs": [
- ">=1.8,<1.8.7",
- "<1.7.11",
- ">=1.9,<1.9rc2"
+ "<1.51.0"
],
- "v": ">=1.8,<1.8.7,<1.7.11,>=1.9,<1.9rc2"
- },
+ "v": "<1.51.0"
+ }
+ ],
+ "deluge": [
{
- "advisory": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.",
- "cve": "CVE-2015-2241",
- "id": "pyup.io-25715",
+ "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.",
+ "cve": "PVE-2021-37155",
+ "id": "pyup.io-37155",
"specs": [
- ">=1.8,<1.8b2",
- "<1.7.6"
+ "<2.0.0"
],
- "v": ">=1.8,<1.8b2,<1.7.6"
- },
- {
- "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.",
- "cve": "CVE-2015-2317",
- "id": "pyup.io-25713",
- "specs": [
- ">=1.8,<1.8c1",
- "<1.4.20",
- ">=1.5,<1.6",
- ">=1.6,<1.6.11",
- ">=1.7,<1.7.7"
- ],
- "v": ">=1.8,<1.8c1,<1.4.20,>=1.5,<1.6,>=1.6,<1.6.11,>=1.7,<1.7.7"
- },
+ "v": "<2.0.0"
+ }
+ ],
+ "descarteslabs": [
{
- "advisory": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",
- "cve": "CVE-2016-7401",
- "id": "pyup.io-25718",
+ "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.",
+ "cve": "PVE-2021-40827",
+ "id": "pyup.io-40827",
"specs": [
- ">=1.9,<1.9.10",
- "<1.8.15"
+ "<1.8.1"
],
- "v": ">=1.9,<1.9.10,<1.8.15"
- },
+ "v": "<1.8.1"
+ }
+ ],
+ "destringcare": [
{
- "advisory": "Django 1.9.11 fixes two security issues in 1.9.10.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================",
- "cve": "PVE-2021-25734",
- "id": "pyup.io-25734",
+ "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.",
+ "cve": "CVE-2013-7459",
+ "id": "pyup.io-37228",
"specs": [
- ">=1.9,<1.9.11"
+ "<0.0.4"
],
- "v": ">=1.9,<1.9.11"
+ "v": "<0.0.4"
},
{
- "advisory": "Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final\r\nrelease of the 1.9.x series.\r\n\r\nCVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n `)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.",
- "cve": "CVE-2017-7233",
- "id": "pyup.io-33302",
+ "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.",
+ "cve": "CVE-2018-6594",
+ "id": "pyup.io-42205",
"specs": [
- ">=1.9,<1.9.13"
+ "<0.0.4"
],
- "v": ">=1.9,<1.9.13"
- },
+ "v": "<0.0.4"
+ }
+ ],
+ "determined": [
{
- "advisory": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission.",
- "cve": "CVE-2016-2048",
- "id": "pyup.io-25735",
+ "advisory": "Determined 0.12.12rc0 upgrades lodash to fix a vulnerability.",
+ "cve": "PVE-2021-38656",
+ "id": "pyup.io-38656",
"specs": [
- ">=1.9,<1.9.2"
+ "<0.12.12rc0"
],
- "v": ">=1.9,<1.9.2"
+ "v": "<0.12.12rc0"
},
{
- "advisory": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
- "cve": "CVE-2016-6186",
- "id": "pyup.io-25721",
+ "advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates link to support secure blank targets (d1146d3).",
+ "cve": "PVE-2021-38415",
+ "id": "pyup.io-38415",
"specs": [
- ">=1.9,<1.9.8",
- "==1.8.14",
- ">=1.10,<1.10rc1"
+ "<0.12.7"
],
- "v": ">=1.9,<1.9.8,==1.8.14,>=1.10,<1.10rc1"
+ "v": "<0.12.7"
},
{
- "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.",
- "cve": "CVE-2019-3498",
- "id": "pyup.io-36770",
+ "advisory": "Determined 0.14.0 updates the 'storybook' dependency to resolve a GitHub security vulnerability for 'highlight.js'.",
+ "cve": "PVE-2021-39625",
+ "id": "pyup.io-39625",
"specs": [
- ">=2.0a1,<2.0.10"
+ "<0.14.0"
],
- "v": ">=2.0a1,<2.0.10"
+ "v": "<0.14.0"
},
{
- "advisory": "Django 2.0.x before 2.0.11 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
- "cve": "CVE-2019-6975",
- "id": "pyup.io-36884",
+ "advisory": "Determined 0.16.0.dev0 upgrades the 'ws' dependency to patch a security vulnerability.",
+ "cve": "PVE-2021-40670",
+ "id": "pyup.io-40670",
"specs": [
- ">=2.0a1,<2.0.11"
+ "<0.16.0.dev0"
],
- "v": ">=2.0a1,<2.0.11"
+ "v": "<0.16.0.dev0"
},
{
- "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.",
- "cve": "CVE-2018-6188",
- "id": "pyup.io-35173",
+ "advisory": "Determined 0.16.4 includes a fix to prevent log html injection via unicode.",
+ "cve": "PVE-2021-41255",
+ "id": "pyup.io-41255",
"specs": [
- ">=2.0a1,<2.0.2",
- "==1.11.8",
- "==1.11.9"
+ "<0.16.4"
],
- "v": ">=2.0a1,<2.0.2,==1.11.8,==1.11.9"
+ "v": "<0.16.4"
},
{
- "advisory": "If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were\r\npassed the ``html=True`` argument, they were extremely slow to evaluate certain\r\ninputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. The ``chars()`` and ``words()`` methods are used to implement the\r\n``truncatechars_html`` and ``truncatewords_html`` template filters, which were\r\nthus vulnerable.",
- "cve": "CVE-2018-7537",
- "id": "pyup.io-35796",
+ "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to get better security upgrades.\r\nhttps://github.com/determined-ai/determined/pull/2914",
+ "cve": "PVE-2021-42148",
+ "id": "pyup.io-42148",
"specs": [
- ">=2.0a1,<2.0.3",
- ">=1.8a1 ,<1.8.19",
- ">=1.11a1,<1.11.11"
+ "<0.17.0rc0"
],
- "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11"
- },
+ "v": "<0.17.0rc0"
+ }
+ ],
+ "devito": [
{
- "advisory": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. See: CVE-2018-7536.",
- "cve": "CVE-2018-7536",
- "id": "pyup.io-35797",
+ "advisory": "Devito version 4.3-beta includes a fix to handle ARM processors vulnerabilities.\r\nhttps://github.com/devitocodes/devito/pull/1515",
+ "cve": "PVE-2021-42102",
+ "id": "pyup.io-42102",
"specs": [
- ">=2.0a1,<2.0.3",
- ">=1.8a1 ,<1.8.19",
- ">=1.11a1,<1.11.11"
+ "<4.3-beta"
],
- "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11"
- },
+ "v": "<4.3-beta"
+ }
+ ],
+ "devpi-ldap": [
{
- "advisory": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) See: CVE-2019-19118.",
- "cve": "CVE-2019-19118",
- "id": "pyup.io-37766",
+ "advisory": "Devpi-ldap version 2.0.0 includes a security patch for the function 'init' in 'devpi_ldap/main.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\n https://github.com/devpi/devpi-ldap/commit/8da2b3c1ed44e8223ce006a3737dc6a8446e945d#diff-ecbfd22333fa5942c9fe7a999189222d1ca71d72a1a89d7a1f55d559671eb200",
+ "cve": "CVE-2020-1747",
+ "id": "pyup.io-41316",
"specs": [
- ">=2.1,<2.1.15",
- ">=2.2,<2.2.8"
+ "<2.0.0"
],
- "v": ">=2.1,<2.1.15,>=2.2,<2.2.8"
- },
+ "v": "<2.0.0"
+ }
+ ],
+ "diffpriv": [
{
- "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.",
- "cve": "CVE-2019-3498",
- "id": "pyup.io-36769",
+ "advisory": "Diffpriv 1.0.0rc1 includes a security fix: with the 'diff' and 'enc' modules, parameters were stored in Python memory, and never removed. This commit deletes these parameters and helps prevent attackers from gaining access to these parameters, which can help them gain access to the original text and/or data.",
+ "cve": "PVE-2021-40539",
+ "id": "pyup.io-40539",
"specs": [
- ">=2.1a1,<2.1.5"
+ "<1.0.0rc1"
],
- "v": ">=2.1a1,<2.1.5"
- },
+ "v": "<1.0.0rc1"
+ }
+ ],
+ "digitalmarketplace-utils": [
{
- "advisory": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments. See CVE-2021-3281.",
- "cve": "CVE-2021-3281",
- "id": "pyup.io-39526",
+ "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.\r\nhttps://github.com/Crown-Commercial-Service/digitalmarketplace-utils/pull/286",
+ "cve": "PVE-2021-39653",
+ "id": "pyup.io-39653",
"specs": [
- ">=2.2,<2.2.18",
- ">=3.1,<3.1.6",
- ">=3.0,<3.0.12"
+ "<22.0.0"
],
- "v": ">=2.2,<2.2.18,>=3.1,<3.1.6,>=3.0,<3.0.12"
- },
+ "v": "<22.0.0"
+ }
+ ],
+ "dirac": [
{
- "advisory": "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.",
- "cve": "CVE-2021-31542",
- "id": "pyup.io-40404",
+ "advisory": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).",
+ "cve": "CVE-2021-3449",
+ "id": "pyup.io-42327",
"specs": [
- ">=2.2,<2.2.21",
- ">=3.1a1,<3.1.9",
- ">=3.2,<3.2.1"
+ "<2.1"
],
- "v": ">=2.2,<2.2.21,>=3.1a1,<3.1.9,>=3.2,<3.2.1"
+ "v": "<2.1"
},
{
- "advisory": "Django 2.2.24, 3.1.12, and 3.2.4 includes a fix for CVE-2021-33571: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+).",
- "cve": "CVE-2021-33571",
- "id": "pyup.io-40638",
+ "advisory": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
+ "cve": "CVE-2021-23841",
+ "id": "pyup.io-42328",
"specs": [
- ">=2.2.0a1,<2.2.24",
- ">=3.0.0a1,<3.1.12",
- ">=3.2.0a1,<3.2.4"
+ "<2.1"
],
- "v": ">=2.2.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4"
+ "v": "<2.1"
},
{
- "advisory": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.",
- "cve": "CVE-2021-28658",
- "id": "pyup.io-40163",
+ "advisory": "dirac 2.1 updates OpenSSL to avoid CVE-2021-3449 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449",
+ "cve": "PVE-2021-40206",
+ "id": "pyup.io-40206",
"specs": [
- ">=2.2a1,<2.2.20",
- ">=3.0a1,<3.0.14",
- ">=3.1a1,<3.1.8"
+ "<2.1"
],
- "v": ">=2.2a1,<2.2.20,>=3.0a1,<3.0.14,>=3.1a1,<3.1.8"
- },
+ "v": "<2.1"
+ }
+ ],
+ "directory-client-core": [
{
- "advisory": "CVE-2020-13254: Potential data leakage via malformed memcached keys. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.",
- "cve": "CVE-2020-13254",
- "id": "pyup.io-38373",
+ "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.",
+ "cve": "PVE-2021-38689",
+ "id": "pyup.io-38689",
"specs": [
- ">=3.0a1,<3.0.7",
- ">=2.2a1,<2.2.13"
+ "<5.1.1"
],
- "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13"
- },
+ "v": "<5.1.1"
+ }
+ ],
+ "directory-components": [
{
- "advisory": "CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.",
- "cve": "CVE-2020-13596",
- "id": "pyup.io-38372",
+ "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.",
+ "cve": "PVE-2021-37298",
+ "id": "pyup.io-37298",
"specs": [
- ">=3.0a1,<3.0.7",
- ">=2.2a1,<2.2.13"
+ "<25.0.1"
],
- "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13"
+ "v": "<25.0.1"
},
{
- "advisory": "Django versions 3.1.13 and 3.2.5 include a fix for CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.\r\nhttps://www.djangoproject.com/weblog/2021/jul/01/security-releases/\r\nhttps://www.openwall.com/lists/oss-security/2021/07/02/2\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce",
- "cve": "CVE-2021-35042",
- "id": "pyup.io-40899",
+ "advisory": "The `django_language` and `country` cookies in directory-components 33.0.0 set as secure and http-only.",
+ "cve": "PVE-2021-37475",
+ "id": "pyup.io-37475",
"specs": [
- ">=3.1,<3.1.13",
- ">=3.2,<3.2.5"
+ "<33.0.0"
],
- "v": ">=3.1,<3.1.13,>=3.2,<3.2.5"
- },
+ "v": "<33.0.0"
+ }
+ ],
+ "dirsearch": [
{
- "advisory": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.",
- "cve": "CVE-2021-32052",
- "id": "pyup.io-40414",
+ "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. See also: .",
+ "cve": "PVE-2021-40799",
+ "id": "pyup.io-40799",
"specs": [
- ">=3.1a1,<3.1.10",
- ">=2.2a1,<2.2.22",
- ">=3.2a1,<3.2.2"
+ "<0.4.2"
],
- "v": ">=3.1a1,<3.1.10,>=2.2a1,<2.2.22,>=3.2a1,<3.2.2"
+ "v": "<0.4.2"
}
],
- "django-access-tokens": [
+ "discogs-client": [
{
- "advisory": "django-access-tokens 0.9.2 fixes scoping of permissions where the token provides a smaller subset of the required permissions. As an extreme case, an access token granting no permissions could be used to access any permissions on the site.",
- "cve": "PVE-2021-25736",
- "id": "pyup.io-25736",
+ "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.",
+ "cve": "CVE-2014-1829",
+ "id": "pyup.io-42494",
"specs": [
- "<0.9.2"
+ "<2.2.2"
],
- "v": "<0.9.2"
- }
- ],
- "django-access-tokens-py3": [
+ "v": "<2.2.2"
+ },
{
- "advisory": "Fixing scoping of permissions where the token provides a\r\nsmaller subset of the required permissions. As an extreme case, an access token\r\ngranting no permissions could be used to access any permissions on the site.",
- "cve": "PVE-2021-34892",
- "id": "pyup.io-34892",
+ "advisory": "Discogs-client 2.2.2 updates dependency 'PyYAML' to v4.2b1 to resolve security vulnerabilities.",
+ "cve": "CVE-2017-18342",
+ "id": "pyup.io-42495",
"specs": [
- "<0.9.2"
+ "<2.2.2"
],
- "v": "<0.9.2"
+ "v": "<2.2.2"
+ },
+ {
+ "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.",
+ "cve": "CVE-2018-18074",
+ "id": "pyup.io-36787",
+ "specs": [
+ "<2.2.2"
+ ],
+ "v": "<2.2.2"
}
],
- "django-afip": [
+ "discord-ext-slash": [
{
- "advisory": "Django-afip 7.1.1 overrides the TLS configuration for AFIP's servers (and only those). They have worsened their security configuration, and it's now seen as insecure by default on many environments.",
- "cve": "PVE-2021-38705",
- "id": "pyup.io-38705",
+ "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found.)",
+ "cve": "PVE-2021-39641",
+ "id": "pyup.io-39641",
"specs": [
- "<7.1.1"
+ "<0.2.3"
],
- "v": "<7.1.1"
+ "v": "<0.2.3"
}
],
- "django-airplane": [
+ "discordpie": [
{
- "advisory": "django-airplane 0.3 updates minimum django to secure 2.0.2.",
- "cve": "PVE-2021-36587",
- "id": "pyup.io-36587",
+ "advisory": "Discordpie 0.5.1 includes a security patch. No details are given.",
+ "cve": "PVE-2021-38343",
+ "id": "pyup.io-38343",
"specs": [
- "<0.3"
+ "<0.5.1"
],
- "v": "<0.3"
+ "v": "<0.5.1"
}
],
- "django-allauth": [
+ "dispatch": [
{
- "advisory": "django-allauth before 0.28.0 previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.",
- "cve": "PVE-2021-25737",
- "id": "pyup.io-25737",
+ "advisory": "Dispatch 1.3.16 updates the 'Django' dependency version for security reasons.",
+ "cve": "PVE-2021-40402",
+ "id": "pyup.io-40402",
"specs": [
- "<0.28.0"
+ "<1.3.16"
],
- "v": "<0.28.0"
- },
+ "v": "<1.3.16"
+ }
+ ],
+ "divina": [
{
- "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.",
- "cve": "PVE-2021-35034",
- "id": "pyup.io-35034",
+ "advisory": "Divina 0.1 adds a security group with ssh access enabled on partitioning EC2.",
+ "cve": "PVE-2021-41294",
+ "id": "pyup.io-41294",
"specs": [
- "<0.34.0"
+ "<0.1"
],
- "v": "<0.34.0"
+ "v": "<0.1"
},
{
- "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release. See CVE-2019-19844 and .",
- "cve": "CVE-2019-19844",
- "id": "pyup.io-37664",
+ "advisory": "Divina 2021.8.1 adds a security group with ssh access enabled for the EC2 partitioning.",
+ "cve": "PVE-2021-41237",
+ "id": "pyup.io-41237",
"specs": [
- "<0.41.0"
+ "<2021.8.1"
],
- "v": "<0.41.0"
+ "v": "<2021.8.1"
}
],
- "django-allauth-underground": [
+ "diycrate": [
{
- "advisory": "django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the\r\n provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the\r\n larger ``SOCIALACCOUNT_PROVIDERS`` setting).",
- "cve": "PVE-2021-36394",
- "id": "pyup.io-36394",
+ "advisory": "Diycrate version 0.2.11.0 includes a security patch for the function 'oauth_dance' in 'diycrate/oauth_utils.py'. It contained requests calls with verify=False, disabling SSL certificate checks.\r\nhttps://github.com/jheld/diycrate/commit/40e51a586f16da215a3ff8096cfa64e23b0fa5cb#diff-7772b99d74abcfaa2bf013c9a4647b2b42cec23f84a79a5d4de0ef6973720971",
+ "cve": "PVE-2021-41317",
+ "id": "pyup.io-41317",
"specs": [
- "<0.28.0"
+ "<0.2.11.0"
],
- "v": "<0.28.0"
+ "v": "<0.2.11.0"
}
],
- "django-anonymizer": [
+ "djangae": [
{
- "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed. This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.",
- "cve": "PVE-2021-25738",
- "id": "pyup.io-25738",
+ "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).",
+ "cve": "PVE-2021-25693",
+ "id": "pyup.io-25693",
"specs": [
- "<0.4"
+ "<0.9.4"
],
- "v": "<0.4"
+ "v": "<0.9.4"
}
],
- "django-anonymizer-compat": [
+ "django": [
{
- "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed. This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.",
- "cve": "PVE-2021-25739",
- "id": "pyup.io-25739",
+ "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.",
+ "cve": "CVE-2009-2659",
+ "id": "pyup.io-25694",
"specs": [
- "<0.4"
+ "<1.0"
],
- "v": "<0.4"
- }
- ],
- "django-anymail": [
+ "v": "<1.0"
+ },
{
- "advisory": "In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.",
- "cve": "CVE-2018-6596",
- "id": "pyup.io-35178",
+ "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.",
+ "cve": "CVE-2009-3695",
+ "id": "pyup.io-25695",
"specs": [
- "<1.4"
+ "<1.0.4",
+ ">=1.1,<1.1.1"
],
- "v": "<1.4"
+ "v": "<1.0.4,>=1.1,<1.1.1"
},
{
- "advisory": "In django-anymail v0.2\u2013v1.3 the WEBHOOK_AUTHORIZATION key might get leaked if DEBUG=True since it isn\u2019t sanitized properly.",
- "cve": "PVE-2021-35198",
- "id": "pyup.io-35198",
+ "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.",
+ "cve": "CVE-2010-4535",
+ "id": "pyup.io-33059",
"specs": [
- ">=0.2,<1.4"
+ "<1.1.3",
+ ">=1.2,<1.2.4"
],
- "v": ">=0.2,<1.4"
- }
- ],
- "django-autocomplete-light": [
+ "v": "<1.1.3,>=1.2,<1.2.4"
+ },
{
- "advisory": "django-autocomplete-light before 2.3.0 when updating the queryset from outside the autocomplete class may lead to a security problem, ie. if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.",
- "cve": "PVE-2021-25740",
- "id": "pyup.io-25740",
+ "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.",
+ "cve": "CVE-2010-4534",
+ "id": "pyup.io-33058",
"specs": [
- "<2.3.0"
+ "<1.1.3",
+ ">=1.2,<1.2.4"
],
- "v": "<2.3.0"
- }
- ],
- "django-awl": [
+ "v": "<1.1.3,>=1.2,<1.2.4"
+ },
{
- "advisory": "django-awl 0.22.2 updates minimum library requirements for django 2.0.2 and 2.1.2 to reflect\r\nsecurity updates.",
- "cve": "PVE-2021-36588",
- "id": "pyup.io-36588",
+ "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.",
+ "cve": "CVE-2011-0697",
+ "id": "pyup.io-33061",
"specs": [
- "<0.22.2"
+ "<1.1.4"
],
- "v": "<0.22.2"
+ "v": "<1.1.4"
},
{
- "advisory": "Django-awl 1.0 updates the minimum library requirements for django 2.0.2 and 2.1.2 to reflect security updates.",
- "cve": "PVE-2021-38139",
- "id": "pyup.io-38139",
+ "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.",
+ "cve": "CVE-2011-0696",
+ "id": "pyup.io-33060",
"specs": [
- "<1.0"
+ "<1.1.4",
+ ">=1.2,<1.2.5"
],
- "v": "<1.0"
- }
- ],
- "django-basic-auth-ip-whitelist": [
+ "v": "<1.1.4,>=1.2,<1.2.5"
+ },
{
- "advisory": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. See: CVE-2020-4071.",
- "cve": "CVE-2020-4071",
- "id": "pyup.io-38443",
+ "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.",
+ "cve": "CVE-2011-0698",
+ "id": "pyup.io-33062",
"specs": [
- "<0.3.4"
+ "<1.1.4",
+ ">=1.2,<1.2.5"
],
- "v": "<0.3.4"
+ "v": "<1.1.4,>=1.2,<1.2.5"
},
{
- "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.",
- "cve": "PVE-2021-38438",
- "id": "pyup.io-38438",
+ "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
+ "cve": "CVE-2019-6975",
+ "id": "pyup.io-36885",
"specs": [
- "<0.3.4"
+ "<1.11.19,>=1.11.0"
],
- "v": "<0.3.4"
- }
- ],
- "django-basicauth": [
+ "v": "<1.11.19,>=1.11.0"
+ },
{
- "advisory": "django-basicauth before 0.4.2 is vulnerable to undisclosed timing attacks.",
- "cve": "PVE-2021-35076",
- "id": "pyup.io-35076",
+ "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.",
+ "cve": "CVE-2019-12781",
+ "id": "pyup.io-37261",
"specs": [
- "<0.4.2"
+ "<1.11.22,>1.11",
+ "<2.1.10,>2.1",
+ "<2.2.3,>2.2"
],
- "v": "<0.4.2"
- }
- ],
- "django-bootstrap4": [
+ "v": "<1.11.22,>1.11,<2.1.10,>2.1,<2.2.3,>2.2"
+ },
{
- "advisory": "Django-bootstrap4 2.3.0 updates the Sphinx dependency because of security update.",
- "cve": "PVE-2021-38870",
- "id": "pyup.io-38870",
+ "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.",
+ "cve": "PVE-2021-37259",
+ "id": "pyup.io-37259",
"specs": [
- "<2.3.0"
+ "<1.11.22,>1.11.21"
],
- "v": "<2.3.0"
- }
- ],
- "django-ca": [
+ "v": "<1.11.22,>1.11.21"
+ },
{
- "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.",
- "cve": "PVE-2021-37015",
- "id": "pyup.io-37015",
+ "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-37771",
"specs": [
- "<1.10.0"
+ "<1.11.27",
+ ">=2.0a1,<2.2.9",
+ ">=3.0a1,<3.0.1"
],
- "v": "<1.10.0"
+ "v": "<1.11.27,>=2.0a1,<2.2.9,>=3.0a1,<3.0.1"
},
{
- "advisory": "Django-ca 1.17.0 secures CSRF and session cookies using Djangos `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY` and `CSRF_COOKIE_SECURE` settings. It also adds several security related headers to the admin interface (CSP, etc).",
- "cve": "PVE-2021-39375",
- "id": "pyup.io-39375",
- "specs": [
- "<1.17.0"
+ "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.",
+ "cve": "CVE-2010-3082",
+ "id": "pyup.io-25701",
+ "specs": [
+ "<1.2.2"
],
- "v": "<1.17.0"
+ "v": "<1.2.2"
},
{
- "advisory": "django-ca before 1.9.0 did not properly escape x509 extensions, allowing for potential injection attacks.",
- "cve": "PVE-2021-36405",
- "id": "pyup.io-36405",
+ "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.",
+ "cve": "CVE-2011-4138",
+ "id": "pyup.io-33065",
"specs": [
- "<1.9.0"
+ "<1.2.7",
+ ">=1.3,<1.3.1"
],
- "v": "<1.9.0"
- }
- ],
- "django-celery-results": [
+ "v": "<1.2.7,>=1.3,<1.3.1"
+ },
{
- "advisory": "Django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. See CVE-2020-17495.",
- "cve": "CVE-2020-17495",
- "id": "pyup.io-38678",
+ "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.",
+ "cve": "CVE-2011-4140",
+ "id": "pyup.io-33066",
"specs": [
- "<=1.2.1"
+ "<1.2.7",
+ ">=1.3,<1.3.1"
],
- "v": "<=1.2.1"
- }
- ],
- "django-cms": [
+ "v": "<1.2.7,>=1.3,<1.3.1"
+ },
{
- "advisory": "django-cms 2.1.3 fixes a serious security issue in PlaceholderAdmin",
- "cve": "PVE-2021-25741",
- "id": "pyup.io-25741",
+ "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.",
+ "cve": "CVE-2011-4136",
+ "id": "pyup.io-33063",
"specs": [
- "<2.1.3"
+ "<1.2.7",
+ ">=1.3,<1.3.1"
],
- "v": "<2.1.3"
+ "v": "<1.2.7,>=1.3,<1.3.1"
},
{
- "advisory": "django-cms before 2.1.4 fixes a XSS issue in Text Plugins.",
- "cve": "PVE-2021-25742",
- "id": "pyup.io-25742",
+ "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.",
+ "cve": "CVE-2011-4137",
+ "id": "pyup.io-33064",
"specs": [
- "<2.1.4"
+ "<1.2.7",
+ ">=1.3,<1.3.1"
],
- "v": "<2.1.4"
+ "v": "<1.2.7,>=1.3,<1.3.1"
},
{
- "advisory": "django-cms 3.0.14 fixes an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability",
- "cve": "PVE-2021-25743",
- "id": "pyup.io-25743",
+ "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.",
+ "cve": "CVE-2012-3442",
+ "id": "pyup.io-33067",
"specs": [
- "<3.0.14"
+ "<1.3.2",
+ ">=1.4,<1.4.1"
],
- "v": "<3.0.14"
+ "v": "<1.3.2,>=1.4,<1.4.1"
},
{
- "advisory": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.",
- "cve": "CVE-2015-5081",
- "id": "pyup.io-35628",
+ "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.",
+ "cve": "CVE-2012-3443",
+ "id": "pyup.io-33068",
"specs": [
- "<3.0.14",
- ">3.1,<3.1.1"
+ "<1.3.2",
+ ">=1.4,<1.4.1"
],
- "v": "<3.0.14,>3.1,<3.1.1"
+ "v": "<1.3.2,>=1.4,<1.4.1"
},
{
- "advisory": "django-cms 3.2.4 addresses security vulnerabilities in the `render_model` template tag that could lead to escalation of privileges or other security issues. It also addresses a security vulnerability in the cms' usage of the messages framework. Furthermore it fixes security vulnerabilities in custom FormFields that could lead to escalation of privileges or other security issue",
- "cve": "PVE-2021-25746",
- "id": "pyup.io-25746",
+ "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
+ "cve": "CVE-2012-3444",
+ "id": "pyup.io-33069",
"specs": [
- "<3.2.4"
+ "<1.3.2",
+ ">=1.4,<1.4.1"
],
- "v": "<3.2.4"
+ "v": "<1.3.2,>=1.4,<1.4.1"
},
{
- "advisory": "django-cms 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code and a vulnerability where the next parameter for the toolbar login was not sanitised and could point to another domain.",
- "cve": "PVE-2021-34226",
- "id": "pyup.io-34226",
+ "advisory": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.",
+ "cve": "CVE-2012-4520",
+ "id": "pyup.io-25709",
"specs": [
- "<3.4.3"
+ "<1.3.4",
+ ">=1.4,<1.4.2"
],
- "v": "<3.4.3"
+ "v": "<1.3.4,>=1.4,<1.4.2"
},
{
- "advisory": "Django-cms 3.4.7 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.",
- "cve": "PVE-2021-38791",
- "id": "pyup.io-38791",
+ "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.",
+ "cve": "CVE-2014-0483",
+ "id": "pyup.io-35516",
"specs": [
- ">=3.4.0,<3.4.7"
+ "<1.4.14",
+ ">=1.5,<1.5.9",
+ ">=1.6,<1.6.6",
+ ">=1.7,<1.7rc3"
],
- "v": ">=3.4.0,<3.4.7"
+ "v": "<1.4.14,>=1.5,<1.5.9,>=1.6,<1.6.6,>=1.7,<1.7rc3"
},
{
- "advisory": "Django-cms 3.5.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.",
- "cve": "PVE-2021-38790",
- "id": "pyup.io-38790",
+ "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
+ "cve": "CVE-2015-0220",
+ "id": "pyup.io-33071",
"specs": [
- ">=3.5.0,<3.5.4"
+ "<1.4.18",
+ ">=1.6,<1.6.10",
+ ">=1.7,<1.7.3"
],
- "v": ">=3.5.0,<3.5.4"
+ "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3"
},
{
- "advisory": "django-cms before 3.6.1\r\nDjango-cms 3.6.1 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.",
- "cve": "PVE-2021-38789",
- "id": "pyup.io-38789",
+ "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.",
+ "cve": "CVE-2015-0221",
+ "id": "pyup.io-33072",
"specs": [
- ">=3.6.0,<3.6.1"
+ "<1.4.18",
+ ">=1.6,<1.6.10",
+ ">=1.7,<1.7.3"
],
- "v": ">=3.6.0,<3.6.1"
+ "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3"
},
{
- "advisory": "Django-cms 3.7.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.",
- "cve": "PVE-2021-38788",
- "id": "pyup.io-38788",
+ "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.",
+ "cve": "CVE-2015-0219",
+ "id": "pyup.io-33070",
"specs": [
- ">=3.7.0,<3.7.4"
+ "<1.4.18",
+ ">=1.7,<1.7.3",
+ ">=1.6,<1.6.10"
],
- "v": ">=3.7.0,<3.7.4"
- }
- ],
- "django-cms-patched": [
+ "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10"
+ },
{
- "advisory": "django-cms-patched before 3.0.17 has security vulnerabilities in the `render_model` template tag that could\r\n lead to escalation of privileges or other security issues.",
- "cve": "PVE-2021-34123",
- "id": "pyup.io-34123",
+ "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.",
+ "cve": "CVE-2016-2512",
+ "id": "pyup.io-33073",
"specs": [
- "<3.0.17"
+ "<1.8.10",
+ ">=1.9,<1.9.3"
],
- "v": "<3.0.17"
+ "v": "<1.8.10,>=1.9,<1.9.3"
},
{
- "advisory": "django-cms-patched 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code.",
- "cve": "PVE-2021-34121",
- "id": "pyup.io-34121",
+ "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
+ "cve": "CVE-2016-2513",
+ "id": "pyup.io-33074",
"specs": [
- "<3.4.3"
+ "<1.8.10",
+ ">=1.9,<1.9.3"
],
- "v": "<3.4.3"
- }
- ],
- "django-cors-headers": [
+ "v": "<1.8.10,>=1.9,<1.9.3"
+ },
{
- "advisory": "In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2 ) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site.\r\n\r\nYou will need to update your whitelist to include schemes, for example from this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\n\r\nto this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']",
- "cve": "PVE-2021-37132",
- "id": "pyup.io-37132",
+ "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.",
+ "cve": "CVE-2018-16984",
+ "id": "pyup.io-36522",
"specs": [
- "<3.0.0"
+ "<2.1.2,>=2.1"
],
- "v": "<3.0.0"
- }
- ],
- "django-councilmatic": [
+ "v": "<2.1.2,>=2.1"
+ },
{
- "advisory": "Django-councilmatic 2.5.9 patches a XSS vulnerability when using filter options. This issue happens for all cities that use your product. Within the /search view, you can use the filter parameters to run Javascript code in an HTML script tag. See: .",
- "cve": "PVE-2021-38708",
- "id": "pyup.io-38708",
+ "advisory": "django before 2.1.2 fixes a security bug in 2.1.x. \r\nIf an admin user has the change permission to the user model, only part of the\r\npassword hash is displayed in the change form. Admin users with the view (but\r\nnot change) permission to the user model were displayed the entire hash.",
+ "cve": "CVE-2018-16984",
+ "id": "pyup.io-36517",
"specs": [
- "<2.5.9"
+ "<2.1.2,>=2.1.0"
],
- "v": "<2.5.9"
- }
- ],
- "django-countries": [
+ "v": "<2.1.2,>=2.1.0"
+ },
{
- "advisory": "django-countries 3.4 fixes a XSS escaping issue in CountrySelectWidget.",
- "cve": "PVE-2021-25747",
- "id": "pyup.io-25747",
+ "advisory": "Django 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
+ "cve": "CVE-2019-6975",
+ "id": "pyup.io-36883",
"specs": [
- "<3.4"
+ "<2.1.6,>=2.1.0"
],
- "v": "<3.4"
+ "v": "<2.1.6,>=2.1.0"
},
{
- "advisory": "django-countries 3.4 fixes an XSS escaping issue in CountrySelectWidget",
- "cve": "PVE-2021-37951",
- "id": "pyup.io-37951",
+ "advisory": "Django versions 2.2.24, 3.1.12, and 3.2.4 include a fix for CVE-2021-33203: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. See CVE-2021-33203.\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases/\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce",
+ "cve": "CVE-2021-33203",
+ "id": "pyup.io-40637",
"specs": [
- "<3.4"
+ "<2.2.24",
+ ">=3.0a1,<3.1.12",
+ ">=3.2a1,<3.2.4"
],
- "v": "<3.4"
- }
- ],
- "django-crispy-forms": [
+ "v": "<2.2.24,>=3.0a1,<3.1.12,>=3.2a1,<3.2.4"
+ },
{
- "advisory": "django-crispy-forms 1.1.4 contains a security fix: Thread safety fixes to `CrispyFieldNode` thanks to Paul Oswald. This avoids leaking information between requests in multithreaded WSGI servers.",
- "cve": "PVE-2021-25751",
- "id": "pyup.io-25751",
+ "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash. See: CVE-2018-14574.",
+ "cve": "CVE-2018-14574",
+ "id": "pyup.io-36359",
"specs": [
- "<1.1.4"
+ "==1.11.14"
],
- "v": "<1.1.4"
- }
- ],
- "django-crispy-forms-ng": [
+ "v": "==1.11.14"
+ },
{
- "advisory": "django-crispy-forms before 0.9.0 fixes a XSS bug thanks to Charlie Denton, see GH-98. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.",
- "cve": "PVE-2021-25750",
- "id": "pyup.io-25750",
+ "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-37186",
"specs": [
- "<0.9.0"
+ "==1.11.20"
],
- "v": "<0.9.0"
- }
- ],
- "django-crm": [
+ "v": "==1.11.20"
+ },
{
- "advisory": "MicroPyramid Django-CRM 0.2 does not use CSRF token for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.",
- "cve": "CVE-2018-16552",
- "id": "pyup.io-36440",
+ "advisory": "Django 1.11.23 fixes CVE-2019-14235 in 1.11.22.",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-39599",
"specs": [
- "<=0.2"
+ "==1.11.22"
],
- "v": "<=0.2"
+ "v": "==1.11.22"
},
{
- "advisory": "Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/. See: CVE-2019-11457.",
- "cve": "CVE-2019-11457",
- "id": "pyup.io-37416",
+ "advisory": "Django 1.11.23 fixes CVE-2019-14233 in 1.11.22.",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-39601",
"specs": [
- "==0.2.1"
+ "==1.11.22"
],
- "v": "==0.2.1"
- }
- ],
- "django-dajaxice-me": [
+ "v": "==1.11.22"
+ },
{
- "advisory": "django-dajaxice-me 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.",
- "cve": "PVE-2021-25752",
- "id": "pyup.io-25752",
+ "advisory": "Django 1.11.23 fixes CVE-2019-14234 in 1.11.22.",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-39600",
"specs": [
- "<0.1.7"
+ "==1.11.22"
],
- "v": "<0.1.7"
- }
- ],
- "django-dajaxice-ng": [
+ "v": "==1.11.22"
+ },
{
- "advisory": "django-dajaxice-ng 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.",
- "cve": "PVE-2021-25753",
- "id": "pyup.io-25753",
+ "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-37326",
"specs": [
- "<0.1.7"
+ "==1.11.22"
],
- "v": "<0.1.7"
- }
- ],
- "django-debug-toolbar": [
+ "v": "==1.11.22"
+ },
{
- "advisory": "A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form. See CVE-2021-30459.",
- "cve": "CVE-2021-30459",
- "id": "pyup.io-40207",
+ "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-37663",
"specs": [
- "<1.11.1",
- ">2,<2.2.1",
- ">3,<3.2.1"
+ "==1.11.26"
],
- "v": "<1.11.1,>2,<2.2.1,>3,<3.2.1"
- }
- ],
- "django-discord-bind": [
+ "v": "==1.11.26"
+ },
{
- "advisory": "django-discord-bind 0.2.0 added state validation to prevent CSRF attacks.",
- "cve": "PVE-2021-25754",
- "id": "pyup.io-25754",
+ "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.",
+ "cve": "CVE-2020-7471",
+ "id": "pyup.io-37817",
"specs": [
- "<0.2.0"
+ "==1.11.27"
],
- "v": "<0.2.0"
- }
- ],
- "django-embed-video": [
+ "v": "==1.11.27"
+ },
{
- "advisory": "django-embed-video 0.3 has a security fix: faked urls are treated as invalid.",
- "cve": "PVE-2021-25755",
- "id": "pyup.io-25755",
+ "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash. See: CVE-2018-14574.",
+ "cve": "CVE-2018-14574",
+ "id": "pyup.io-36358",
"specs": [
- "<0.3"
+ "==2.0.7"
],
- "v": "<0.3"
- }
- ],
- "django-envelope": [
+ "v": "==2.0.7"
+ },
{
- "advisory": "django-envelope 0.4.1 contains a security bugfix regarding initial form values.",
- "cve": "PVE-2021-25756",
- "id": "pyup.io-25756",
+ "advisory": "Django 2.1.11 fixes a security issue in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-37325",
"specs": [
- "<0.4.1"
+ "==2.1.10"
],
- "v": "<0.4.1"
- }
- ],
- "django-epiced": [
+ "v": "==2.1.10"
+ },
{
- "advisory": "django-epiced before 0.3.0 does not escape HTML output by default.",
- "cve": "PVE-2021-34269",
- "id": "pyup.io-34269",
+ "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-39598",
"specs": [
- "<0.3.0"
+ "==2.1.10"
],
- "v": "<0.3.0"
- }
- ],
- "django-epiceditor": [
+ "v": "==2.1.10"
+ },
{
- "advisory": "There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.",
- "cve": "CVE-2017-6591",
- "id": "pyup.io-35735",
+ "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-39596",
"specs": [
- "<=0.2.3"
+ "==2.1.10"
],
- "v": "<=0.2.3"
- }
- ],
- "django-fernet-fields": [
+ "v": "==2.1.10"
+ },
{
- "advisory": "django-fernet-fields before 0.3 has DualField and HashField. The only cases where they are useful, they aren't secure.",
- "cve": "PVE-2021-34331",
- "id": "pyup.io-34331",
+ "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-39597",
"specs": [
- "<0.3"
+ "==2.1.10"
],
- "v": "<0.3"
+ "v": "==2.1.10"
},
{
- "advisory": "django-fernet-fields 0.3 removes DualField and HashField. The only cases where they are useful, they aren't secure.",
- "cve": "PVE-2021-25757",
- "id": "pyup.io-25757",
+ "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.",
+ "cve": "CVE-2019-19118",
+ "id": "pyup.io-37657",
"specs": [
- "<0.3"
+ "==2.1.14"
],
- "v": "<0.3"
- }
- ],
- "django-fiber": [
+ "v": "==2.1.14"
+ },
{
- "advisory": "django-fiber 0.9.9.1 contains a security bugfix: Changed permission check in API from IsAuthenticated to IsAdminUser",
- "cve": "PVE-2021-25758",
- "id": "pyup.io-25758",
+ "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS).",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-37185",
"specs": [
- "<0.9.9.1"
+ "==2.1.8"
],
- "v": "<0.9.9.1"
- }
- ],
- "django-filebrowser-no-grappelli-staff": [
+ "v": "==2.1.8"
+ },
{
- "advisory": "django-filebrowser-no-grappelli-staff 3.4.2 fixes a XSS vulnerability with fb_tags.",
- "cve": "PVE-2021-25760",
- "id": "pyup.io-25760",
+ "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS).",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-37184",
"specs": [
- "<3.4.2"
+ "==2.2.1"
],
- "v": "<3.4.2"
- }
- ],
- "django-filter": [
+ "v": "==2.2.1"
+ },
{
- "advisory": "Django-filter 2.4.0 added a MaxValueValidator to the form field for NumberFilter. This prevents a potential DoS attack if numbers with very large exponents were subsequently converted to integers.",
- "cve": "PVE-2021-38825",
- "id": "pyup.io-38825",
+ "advisory": "Django 2.2.18 fixes a security issue with severity \"low\" in 2.2.17 (CVE-2021-3281).",
+ "cve": "CVE-2021-3281",
+ "id": "pyup.io-39523",
"specs": [
- "<2.4.0"
+ "==2.2.17"
],
- "v": "<2.4.0"
+ "v": "==2.2.17"
},
{
- "advisory": "In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.",
- "cve": "CVE-2020-15225",
- "id": "pyup.io-40317",
+ "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.",
+ "cve": "CVE-2019-12781",
+ "id": "pyup.io-37324",
"specs": [
- "<2.4.0"
+ "==2.2.2"
],
- "v": "<2.4.0"
- }
- ],
- "django-fluent-comments": [
+ "v": "==2.2.2"
+ },
{
- "advisory": "django-fluent-comments 1.0.1 fixes security hash formatting errors on bad requests..",
- "cve": "PVE-2021-25761",
- "id": "pyup.io-25761",
+ "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33571).",
+ "cve": "PVE-2021-40597",
+ "id": "pyup.io-40597",
"specs": [
- "<1.0.1"
+ "==2.2.23"
],
- "v": "<1.0.1"
- }
- ],
- "django-formidable": [
+ "v": "==2.2.23"
+ },
{
- "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.",
- "cve": "PVE-2021-37875",
- "id": "pyup.io-37875",
+ "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33203).",
+ "cve": "PVE-2021-40586",
+ "id": "pyup.io-40586",
"specs": [
- "<4.0.0"
+ "==2.2.23"
],
- "v": "<4.0.0"
- }
- ],
- "django-friendship": [
+ "v": "==2.2.23"
+ },
{
- "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.",
- "cve": "PVE-2021-25762",
- "id": "pyup.io-25762",
+ "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-39593",
"specs": [
- "<1.2.0"
+ "==2.2.3"
],
- "v": "<1.2.0"
- }
- ],
- "django-guts": [
+ "v": "==2.2.3"
+ },
{
- "advisory": "django-guts 0.1.1 fixes a security issue, allowing anyone to read any file.",
- "cve": "PVE-2021-25763",
- "id": "pyup.io-25763",
+ "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-39592",
"specs": [
- "<0.1.1"
+ "==2.2.3"
],
- "v": "<0.1.1"
- }
- ],
- "django-hashedfilenamestorage": [
+ "v": "==2.2.3"
+ },
{
- "advisory": "django-hashedfilenamestorage 2.4 bumps Django dependency requirement to avoid vulnerable Django versions",
- "cve": "PVE-2021-36802",
- "id": "pyup.io-36802",
+ "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-39591",
"specs": [
- "<2.4"
+ "==2.2.3"
],
- "v": "<2.4"
- }
- ],
- "django-hashid-field": [
+ "v": "==2.2.3"
+ },
{
- "advisory": "Django-hashid-field v1.0.0 \r\n\r\nIf you already specified `salt` in fields, like `id = HashidField(salt=\"something\")` everywhere then you're already set, and can upgrade worry-free.\r\n\r\nIf you instead let the module fallback to `salt=settings.SECRET_KEY` (default behavior) then this upgrade will change all of your existing fields. It has been pointed out that it's possible to discover the salt used when encoding Hashids, and thus it is very dangerous to use settings.SECRET_KEY, as an attacker may be able to get your SECRET_KEY from your HashidFields.\r\n\r\nIf you absolutely MUST maintain backwards-compatibility and continue to support your old hashed values, then you can set `HASHID_FIELD_SALT = SECRET_KEY` in your settings. But this is *VERY DISCOURAGED*.",
- "cve": "PVE-2021-38508",
- "id": "pyup.io-38508",
+ "advisory": "Django 2.2.4 fixes a security issue in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-37323",
"specs": [
- "<1.0.0"
+ "==2.2.3"
],
- "v": "<1.0.0"
+ "v": "==2.2.3"
},
{
- "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.",
- "cve": "PVE-2021-37680",
- "id": "pyup.io-37680",
+ "advisory": "Django 2.2.8 fixes CVE-2019-19118 in 2.2.7: Privilege escalation in the Django admin.",
+ "cve": "CVE-2019-19118",
+ "id": "pyup.io-37656",
"specs": [
- "<3.1.1"
+ "==2.2.7"
],
- "v": "<3.1.1"
- }
- ],
- "django-haystack": [
+ "v": "==2.2.7"
+ },
{
- "advisory": "django-haystack 1.1 removes insecure use of ``eval`` from the Whoosh backend.",
- "cve": "PVE-2021-25764",
- "id": "pyup.io-25764",
+ "advisory": "Django 2.2.9 fixes CVE-2019-19844 in 2.2.8: potential account hijack via password reset form.",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-37662",
"specs": [
- "<1.1"
+ "==2.2.8"
],
- "v": "<1.1"
- }
- ],
- "django-heartbeat": [
+ "v": "==2.2.8"
+ },
{
- "advisory": "Django-heartbeat 2.0.3 fixes its dependency to an insecure psutil package.",
- "cve": "PVE-2021-38604",
- "id": "pyup.io-38604",
+ "advisory": "Django 2.2.10 fixes a security issue in 2.2.9. Potential SQL injection via `StringAgg(delimiter)`. See CVE-2020-7471.",
+ "cve": "CVE-2020-7471",
+ "id": "pyup.io-37816",
"specs": [
- "<2.0.3"
+ "==2.2.9"
],
- "v": "<2.0.3"
- }
- ],
- "django-hijack": [
+ "v": "==2.2.9"
+ },
{
- "advisory": "django-hijack before 1.0.7 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25765",
- "id": "pyup.io-25765",
+ "advisory": "Django 3.0.1 fixes CVE-2019-19844 in 3.0: potential account hijack via password reset form.",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-37661",
"specs": [
- "<1.0.7"
+ "==3.0"
],
- "v": "<1.0.7"
- }
- ],
- "django-howl": [
+ "v": "==3.0"
+ },
{
- "advisory": "django-howl 1.0.4 updates django version to avoid security warnings.",
- "cve": "PVE-2021-37240",
- "id": "pyup.io-37240",
+ "advisory": "Django 3.0.12 fixes a security issue with severity \"low\" in 3.0.11 (CVE-2021-3281).",
+ "cve": "CVE-2021-3281",
+ "id": "pyup.io-39522",
"specs": [
- "<1.0.4"
+ "==3.0.11"
],
- "v": "<1.0.4"
+ "v": "==3.0.11"
},
{
- "advisory": "Django-howl 1.0.5 updates Pipfile.lock and test environment to avoid security issues.",
- "cve": "PVE-2021-38069",
- "id": "pyup.io-38069",
+ "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.",
+ "cve": "CVE-2020-7471",
+ "id": "pyup.io-37815",
"specs": [
- "<1.0.5"
+ "==3.0.2"
],
- "v": "<1.0.5"
- }
- ],
- "django-html5-appcache": [
+ "v": "==3.0.2"
+ },
{
- "advisory": "django-html5-appcache 0.3.0 added a security check for sensitive views.",
- "cve": "PVE-2021-25766",
- "id": "pyup.io-25766",
+ "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33571).",
+ "cve": "PVE-2021-40598",
+ "id": "pyup.io-40598",
"specs": [
- "<0.3.0"
+ "==3.1.11"
],
- "v": "<0.3.0"
- }
- ],
- "django-idempotency-key": [
+ "v": "==3.1.11"
+ },
{
- "advisory": "Django-idempotency-key 1.1.0 drops support for Django (1.9, 1.10, 1.11). Django 1.11 was dropped because of security issues and is near to its end of life support. Django-idempotency-key 1.1.0 also updates some packages with security issues: Django (>=2.x), Bleach (>=3.1.4), Urllib3 (>=1.24.2).",
- "cve": "PVE-2021-38162",
- "id": "pyup.io-38162",
+ "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33203).",
+ "cve": "PVE-2021-40585",
+ "id": "pyup.io-40585",
"specs": [
- "<1.1.0"
+ "==3.1.11"
],
- "v": "<1.1.0"
- }
- ],
- "django-initial-avatars": [
+ "v": "==3.1.11"
+ },
{
- "advisory": "django-initial-avatars before 0.4 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25767",
- "id": "pyup.io-25767",
+ "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).",
+ "cve": "CVE-2021-3281",
+ "id": "pyup.io-39521",
"specs": [
- "<0.4"
+ "==3.1.5"
],
- "v": "<0.4"
+ "v": "==3.1.5"
},
{
- "advisory": "django-initial-avatars before 0.5.0 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25768",
- "id": "pyup.io-25768",
+ "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-33203).",
+ "cve": "PVE-2021-40584",
+ "id": "pyup.io-40584",
"specs": [
- "<0.5.0"
+ "==3.2.3"
],
- "v": "<0.5.0"
- }
- ],
- "django-jet": [
+ "v": "==3.2.3"
+ },
{
- "advisory": "django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.",
- "cve": "PVE-2021-25769",
- "id": "pyup.io-25769",
+ "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-3357).",
+ "cve": "PVE-2021-40599",
+ "id": "pyup.io-40599",
"specs": [
- "<1.0.4"
+ "==3.2.3"
],
- "v": "<1.0.4"
- }
- ],
- "django-jet-reboot": [
+ "v": "==3.2.3"
+ },
{
- "advisory": "Django-jet-reboot 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.",
- "cve": "PVE-2021-39370",
- "id": "pyup.io-39370",
+ "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================",
+ "cve": "PVE-2021-25722",
+ "id": "pyup.io-25722",
"specs": [
- "<1.0.4"
+ ">=1.10,<1.10.3"
],
- "v": "<1.0.4"
- }
- ],
- "django-jinja-knockout": [
+ "v": ">=1.10,<1.10.3"
+ },
{
- "advisory": "'TemplateContext' class is used in Django-jinja-knockout 0.9.0 to manage client-side data injection.",
- "cve": "PVE-2021-39610",
- "id": "pyup.io-39610",
+ "advisory": "Django version 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7233: Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely 'django.utils.http.is_safe_url()') considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on 'is_safe_url()' to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/",
+ "cve": "CVE-2017-7233",
+ "id": "pyup.io-33300",
"specs": [
- "<0.9.0"
+ ">=1.10,<1.10.7",
+ ">=1.9.0,<1.9.13",
+ ">=1.8.0,<1.8.18"
],
- "v": "<0.9.0"
- }
- ],
- "django-js-reverse": [
+ "v": ">=1.10,<1.10.7,>=1.9.0,<1.9.13,>=1.8.0,<1.8.18"
+ },
{
- "advisory": "django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. See: CVE-2019-15486.",
- "cve": "CVE-2019-15486",
- "id": "pyup.io-37399",
+ "advisory": "Django 1.10.8 fixes a security issue in 1.10.7. In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with 'DEBUG = True' (which makes this page accessible) in your production settings. See also: CVE-2017-12794, described as \"Possible XSS in traceback section of technical 500 debug page\".",
+ "cve": "CVE-2017-12794",
+ "id": "pyup.io-34918",
"specs": [
- "<0.9.1"
+ ">=1.10.7,<1.10.8"
],
- "v": "<0.9.1"
- }
- ],
- "django-lazysignup": [
+ "v": ">=1.10.7,<1.10.8"
+ },
{
- "advisory": "django-lazysignup before 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.",
- "cve": "PVE-2021-25770",
- "id": "pyup.io-25770",
+ "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.",
+ "cve": "CVE-2020-7471",
+ "id": "pyup.io-37970",
"specs": [
- "<0.4.0"
+ ">=1.11,<1.11.28",
+ ">=2.2,<2.2.10",
+ ">=3.0,<3.0.3"
],
- "v": "<0.4.0"
- }
- ],
- "django-lazysignup-redux": [
+ "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3"
+ },
{
- "advisory": "django-lazysignup-redux 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.",
- "cve": "PVE-2021-25771",
- "id": "pyup.io-25771",
+ "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.",
+ "cve": "CVE-2017-12794",
+ "id": "pyup.io-34917",
"specs": [
- "<0.4.0"
+ ">=1.11,<1.11.5"
],
- "v": "<0.4.0"
- }
- ],
- "django-lfs": [
+ "v": ">=1.11,<1.11.5"
+ },
{
- "advisory": "django-lfs before 0.6.9 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25772",
- "id": "pyup.io-25772",
+ "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-37191",
"specs": [
- "<0.6.9"
+ ">=1.11.0,<1.11.21",
+ ">=2.1,<2.1.9",
+ ">=2.2,<2.2.2"
],
- "v": "<0.6.9"
- }
- ],
- "django-mail-auth": [
+ "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2"
+ },
{
- "advisory": "Django-mail-auth 0.1.3 fixes session key security issues.",
- "cve": "PVE-2021-37171",
- "id": "pyup.io-37171",
+ "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-37329",
"specs": [
- "<0.1.3"
- ],
- "v": "<0.1.3"
- }
- ],
- "django-make-app": [
- {
- "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
- "cve": "CVE-2017-16764",
- "id": "pyup.io-35722",
- "specs": [
- "<0.1.3"
+ ">=1.11.0,<1.11.23",
+ ">=2.1.0,<2.1.11",
+ ">=2.2.0,<2.2.4"
],
- "v": "<0.1.3"
- }
- ],
- "django-mapstore-adapter": [
+ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
+ },
{
- "advisory": "Django-mapstore-adapter 1.0.4 fixes an unescaped \"ms2_config\" which may cause JS injection.",
- "cve": "PVE-2021-38936",
- "id": "pyup.io-38936",
+ "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-37357",
"specs": [
- "<1.0.4"
+ ">=1.11.0,<1.11.23",
+ ">=2.1.0,<2.1.11",
+ ">=2.2.0,<2.2.4"
],
- "v": "<1.0.4"
- }
- ],
- "django-markupfield": [
+ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
+ },
{
- "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.",
- "cve": "CVE-2015-0846",
- "id": "pyup.io-25773",
+ "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-37330",
"specs": [
- "<1.3.2"
+ ">=1.11.0,<1.11.23",
+ ">=2.1.0,<2.1.11",
+ ">=2.2.0,<2.2.4"
],
- "v": "<1.3.2"
+ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
},
{
- "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.",
- "cve": "CVE-2015-0846",
- "id": "pyup.io-25774",
+ "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-37331",
"specs": [
- "<1.3.3"
+ ">=1.11.0,<1.11.23",
+ ">=2.1.0,<2.1.11",
+ ">=2.2.0,<2.2.4"
],
- "v": "<1.3.3"
- }
- ],
- "django-material": [
+ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
+ },
{
- "advisory": "django-material 0.9.0 fixes a XSS vulnerability in input fields.",
- "cve": "PVE-2021-25775",
- "id": "pyup.io-25775",
+ "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injections if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. See: CVE-2020-9402.",
+ "cve": "CVE-2020-9402",
+ "id": "pyup.io-38010",
"specs": [
- "<0.9.0"
+ ">=1.11.0,<1.11.29",
+ ">=2.2.0,<2.2.11",
+ ">=3.0.0,<3.0.4"
],
- "v": "<0.9.0"
+ "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4"
},
{
- "advisory": "django-material before 1.5.1 included a js injection vulnerability in a list view",
- "cve": "PVE-2021-36950",
- "id": "pyup.io-36950",
+ "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.",
+ "cve": "CVE-2018-6188",
+ "id": "pyup.io-35174",
"specs": [
- "<1.5.1"
+ ">=1.11.8,<1.11.10"
],
- "v": "<1.5.1"
- }
- ],
- "django-material-orange": [
+ "v": ">=1.11.8,<1.11.10"
+ },
{
- "advisory": "django-material-orange before 0.9.0 has a XSS vulnerability in input fields.",
- "cve": "PVE-2021-32207",
- "id": "pyup.io-32207",
+ "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. A remote user can redirect the target user's browser to an arbitrary site.",
+ "cve": "CVE-2018-14574",
+ "id": "pyup.io-36368",
"specs": [
- "<0.9.0"
+ ">=1.11a1,<1.11.15",
+ ">=2.0a1,<2.0.8"
],
- "v": "<0.9.0"
- }
- ],
- "django-material-saldoo": [
+ "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8"
+ },
{
- "advisory": "django-material-saldoo before 0.9.0 has a XSS vulnerability in input fields.",
- "cve": "PVE-2021-32243",
- "id": "pyup.io-32243",
+ "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.",
+ "cve": "CVE-2019-3498",
+ "id": "pyup.io-36771",
"specs": [
- "<0.9.0"
+ ">=1.11a1,<1.11.18"
],
- "v": "<0.9.0"
- }
- ],
- "django-modern-rpc": [
+ "v": ">=1.11a1,<1.11.18"
+ },
{
- "advisory": "django-modern-rpc before 0.8.1 isn't correctly checking the authentication backend when executing 'system.multicall()'.",
- "cve": "PVE-2021-34991",
- "id": "pyup.io-34991",
+ "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.",
+ "cve": "CVE-2013-0305",
+ "id": "pyup.io-33111",
"specs": [
- "<0.8.1"
+ ">=1.3,<1.3.6",
+ ">=1.4,<1.4.4",
+ ">=1.5,<1.5.1"
],
- "v": "<0.8.1"
- }
- ],
- "django-mptt": [
+ "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1"
+ },
{
- "advisory": "Django-mptt <0.8.0 uses versions of python/django that no longer receive security patches. You should upgrade to Python 2.7 and Django 1.8+.",
- "cve": "PVE-2021-41205",
- "id": "pyup.io-41205",
+ "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.",
+ "cve": "CVE-2013-0306",
+ "id": "pyup.io-33112",
"specs": [
- "<0.8.0"
+ ">=1.3,<1.3.6",
+ ">=1.4,<1.4.4",
+ ">=1.5,<1.5.1"
],
- "v": "<0.8.0"
- }
- ],
- "django-music-publisher": [
+ "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1"
+ },
{
- "advisory": "Django 2.1 had a minor security issue, so 2.1.2 was promptly released.. django-music-publisher before 18.9.1 included this issue.",
- "cve": "PVE-2021-36523",
- "id": "pyup.io-36523",
+ "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.",
+ "cve": "CVE-2015-5964",
+ "id": "pyup.io-25728",
"specs": [
- "<18.9.1"
+ ">=1.4,<1.4.22",
+ ">=1.7,<1.7.10"
],
- "v": "<18.9.1"
+ "v": ">=1.4,<1.4.22,>=1.7,<1.7.10"
},
{
- "advisory": "django-music-publisher 18.9.3 updates Django to fix a minor security issue.",
- "cve": "PVE-2021-36608",
- "id": "pyup.io-36608",
+ "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.",
+ "cve": "CVE-2015-5963",
+ "id": "pyup.io-25727",
"specs": [
- "<18.9.3"
+ ">=1.4,<1.4.22",
+ ">=1.7,<1.7.10",
+ ">=1.8,<1.8.4"
],
- "v": "<18.9.3"
- }
- ],
- "django-nameko-standalone": [
+ "v": ">=1.4,<1.4.22,>=1.7,<1.7.10,>=1.8,<1.8.4"
+ },
{
- "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to avoid security warnings.",
- "cve": "PVE-2021-38565",
- "id": "pyup.io-38565",
+ "advisory": "The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by \"the login view in django.contrib.auth.views\" and the javascript: scheme.",
+ "cve": "CVE-2013-6044",
+ "id": "pyup.io-42237",
"specs": [
- "<1.3.2"
+ ">=1.4,<1.4.6",
+ ">=1.5,<1.5.2",
+ ">1.6,<1.6b2"
],
- "v": "<1.3.2"
- }
- ],
- "django-newsletter": [
+ "v": ">=1.4,<1.4.6,>=1.5,<1.5.2,>1.6,<1.6b2"
+ },
{
- "advisory": "django-newsletter before 0.7 allowed a user to subscribe others to the newsletter without authorization.",
- "cve": "PVE-2021-36318",
- "id": "pyup.io-36318",
+ "advisory": "Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField. See: CVE-2013-4249.",
+ "cve": "CVE-2013-4249",
+ "id": "pyup.io-35456",
"specs": [
- "<0.7"
+ ">=1.5,<1.5.2",
+ ">=1.6,<1.6b2"
],
- "v": "<0.7"
+ "v": ">=1.5,<1.5.2,>=1.6,<1.6b2"
},
{
- "advisory": "django-newsletter 0.9 updates several dependencies (waitress, Django) due to security issues",
- "cve": "PVE-2021-37916",
- "id": "pyup.io-37916",
+ "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.",
+ "cve": "CVE-2013-1443",
+ "id": "pyup.io-25729",
"specs": [
- "<0.9"
+ ">=1.6,<1.6-beta-4",
+ ">=1.4,<1.4.8",
+ ">=1.5,<1.5.4"
],
- "v": "<0.9"
+ "v": ">=1.6,<1.6-beta-4,>=1.4,<1.4.8,>=1.5,<1.5.4"
},
{
- "advisory": "Django-newsletter 0.9b1 updates several dependencies due to security issues.",
- "cve": "PVE-2021-37677",
- "id": "pyup.io-37677",
+ "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.",
+ "cve": "CVE-2015-0222",
+ "id": "pyup.io-25730",
"specs": [
- "<0.9b1"
+ ">=1.7,<1.7.3",
+ ">=1.6,<1.6.10"
],
- "v": "<0.9b1"
- }
- ],
- "django-ninecms": [
+ "v": ">=1.7,<1.7.3,>=1.6,<1.6.10"
+ },
{
- "advisory": "django-ninecms before 0.4.5b has a unknown security issue in its url configuration.",
- "cve": "PVE-2021-25776",
- "id": "pyup.io-25776",
+ "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.",
+ "cve": "CVE-2015-2316",
+ "id": "pyup.io-25731",
"specs": [
- "<0.4.5b"
+ ">=1.7,<1.7.7",
+ ">=1.6,<1.6.11",
+ ">=1.8a1,<1.8c1"
],
- "v": "<0.4.5b"
- }
- ],
- "django-nopassword": [
+ "v": ">=1.7,<1.7.7,>=1.6,<1.6.11,>=1.8a1,<1.8c1"
+ },
{
- "advisory": "django-nopassword before 5.0.0 stores cleartext secrets in the database. See: CVE-2019-10682.",
- "cve": "CVE-2019-10682",
- "id": "pyup.io-38080",
+ "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.",
+ "cve": "CVE-2015-5143",
+ "id": "pyup.io-25725",
"specs": [
- "<5.0.0"
+ ">=1.7,<1.7.9",
+ ">=1.5,<1.7",
+ ">=1.4,<1.4.21"
],
- "v": "<5.0.0"
- }
- ],
- "django-oauth-toolkit": [
+ "v": ">=1.7,<1.7.9,>=1.5,<1.7,>=1.4,<1.4.21"
+ },
{
- "advisory": "Django-oauth-toolkit 0.8.0 includes fixes for various vulnerabilities on 'Basic' authentication.",
- "cve": "PVE-2021-39609",
- "id": "pyup.io-39609",
+ "advisory": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.",
+ "cve": "CVE-2016-9014",
+ "id": "pyup.io-33075",
"specs": [
- "<0.8.0"
+ ">=1.8,<1.8.16",
+ ">=1.9,<1.9.11",
+ ">=1.10,<1.10.3"
],
- "v": "<0.8.0"
- }
- ],
- "django-orghierarchy": [
+ "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
+ },
{
- "advisory": "Django-orghierarchy 0.1.13 updates Django for security reasons.",
- "cve": "PVE-2021-37039",
- "id": "pyup.io-37039",
+ "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.",
+ "cve": "CVE-2016-9013",
+ "id": "pyup.io-33076",
"specs": [
- "<0.1.13"
+ ">=1.8,<1.8.16",
+ ">=1.9,<1.9.11",
+ ">=1.10,<1.10.3"
],
- "v": "<0.1.13"
+ "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
},
{
- "advisory": "Django-orghierarchy 0.1.18 includes a not further specified security update.",
- "cve": "PVE-2021-37038",
- "id": "pyup.io-37038",
+ "advisory": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.",
+ "cve": "CVE-2015-3982",
+ "id": "pyup.io-25732",
"specs": [
- "<0.1.18"
+ ">=1.8,<1.8.2"
],
- "v": "<0.1.18"
- }
- ],
- "django-perms-provisioner": [
+ "v": ">=1.8,<1.8.2"
+ },
{
- "advisory": "Django-perms-provisioner 0.0.4 updates PyYAML to a more secure version.",
- "cve": "PVE-2021-38289",
- "id": "pyup.io-38289",
+ "advisory": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
+ "cve": "CVE-2015-5145",
+ "id": "pyup.io-25733",
"specs": [
- "<0.0.4"
+ ">=1.8,<1.8.3"
],
- "v": "<0.0.4"
- }
- ],
- "django-piston": [
+ "v": ">=1.8,<1.8.3"
+ },
{
- "advisory": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.",
- "cve": "CVE-2011-4103",
- "id": "pyup.io-25777",
+ "advisory": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.",
+ "cve": "CVE-2015-5144",
+ "id": "pyup.io-25726",
"specs": [
- "<0.2.3"
+ ">=1.8,<1.8.3",
+ ">=1.7,<1.7.9",
+ ">=1.5,<1.6",
+ ">=1.4,<1.4.21"
],
- "v": "<0.2.3"
- }
- ],
- "django-pluggable-filebrowser": [
+ "v": ">=1.8,<1.8.3,>=1.7,<1.7.9,>=1.5,<1.6,>=1.4,<1.4.21"
+ },
{
- "advisory": "django-pluggable-filebrowser 3.4.2 fixes a security bug: added staff_member_required decorator to the upload-function.",
- "cve": "PVE-2021-25778",
- "id": "pyup.io-25778",
+ "advisory": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.",
+ "cve": "CVE-2015-8213",
+ "id": "pyup.io-25714",
"specs": [
- "<3.4.2"
+ ">=1.8,<1.8.7",
+ "<1.7.11",
+ ">=1.9,<1.9rc2"
],
- "v": "<3.4.2"
- }
- ],
- "django-polaris": [
+ "v": ">=1.8,<1.8.7,<1.7.11,>=1.9,<1.9rc2"
+ },
{
- "advisory": "Improvements in the Multi-signature Asset Distribution Account Support allow anchors since django-polaris version 1.1.0 to improve the security of the account that controls outbound payments.",
- "cve": "PVE-2021-38837",
- "id": "pyup.io-38837",
+ "advisory": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.",
+ "cve": "CVE-2015-2241",
+ "id": "pyup.io-25715",
"specs": [
- "<1.1.0"
+ ">=1.8,<1.8b2",
+ "<1.7.6"
],
- "v": "<1.1.0"
- }
- ],
- "django-postman": [
+ "v": ">=1.8,<1.8b2,<1.7.6"
+ },
{
- "advisory": "django-postman 3.6.2 fixes issue 101, for security concern, ignore the scheme and domain parts in the 'next' query param.",
- "cve": "PVE-2021-36667",
- "id": "pyup.io-36667",
+ "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.",
+ "cve": "CVE-2015-2317",
+ "id": "pyup.io-25713",
"specs": [
- "<3.6.2"
+ ">=1.8,<1.8c1",
+ "<1.4.20",
+ ">=1.5,<1.6",
+ ">=1.6,<1.6.11",
+ ">=1.7,<1.7.7"
],
- "v": "<3.6.2"
- }
- ],
- "django-python3-ldap": [
+ "v": ">=1.8,<1.8c1,<1.4.20,>=1.5,<1.6,>=1.6,<1.6.11,>=1.7,<1.7.7"
+ },
{
- "advisory": "django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.",
- "cve": "PVE-2021-25779",
- "id": "pyup.io-25779",
+ "advisory": "Django versions 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7234: A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the 'django.views.static.serve()' view could redirect to any other domain, aka an open redirect vulnerability.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/\r\nhttp://www.debian.org/security/2017/dsa-3835\r\nhttp://www.securityfocus.com/bid/97401\r\nhttp://www.securitytracker.com/id/1038177",
+ "cve": "CVE-2017-7234",
+ "id": "pyup.io-35740",
"specs": [
- "<0.9.5"
+ ">=1.8.0a1,<1.8.18",
+ ">=1.9.0a1,<1.9.13",
+ ">=1.10.0a1,<1.10.7"
],
- "v": "<0.9.5"
+ "v": ">=1.8.0a1,<1.8.18,>=1.9.0a1,<1.9.13,>=1.10.0a1,<1.10.7"
},
{
- "advisory": "django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty password if anonymous authentication is allowed on the LDAP server.",
- "cve": "PVE-2021-25780",
- "id": "pyup.io-25780",
+ "advisory": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",
+ "cve": "CVE-2016-7401",
+ "id": "pyup.io-25718",
"specs": [
- "<0.9.8"
+ ">=1.9,<1.9.10",
+ "<1.8.15"
],
- "v": "<0.9.8"
- }
- ],
- "django-rated": [
+ "v": ">=1.9,<1.9.10,<1.8.15"
+ },
{
- "advisory": "django-rated before 1.1.2 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25781",
- "id": "pyup.io-25781",
+ "advisory": "Django 1.9.11 fixes two security issues in 1.9.10.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================",
+ "cve": "PVE-2021-25734",
+ "id": "pyup.io-25734",
"specs": [
- "<1.1.2"
+ ">=1.9,<1.9.11"
],
- "v": "<1.1.2"
- }
- ],
- "django-registration": [
+ "v": ">=1.9,<1.9.11"
+ },
{
- "advisory": "django-registration before 1.7 leaked password reset token through the Referer\r\nheader.",
- "cve": "PVE-2021-36431",
- "id": "pyup.io-36431",
+ "advisory": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission.",
+ "cve": "CVE-2016-2048",
+ "id": "pyup.io-25735",
"specs": [
- "<1.7"
+ ">=1.9,<1.9.2"
],
- "v": "<1.7"
+ "v": ">=1.9,<1.9.2"
},
{
- "advisory": "django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). See CVE-2021-21416.",
- "cve": "CVE-2021-21416",
- "id": "pyup.io-40136",
+ "advisory": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
+ "cve": "CVE-2016-6186",
+ "id": "pyup.io-25721",
"specs": [
- "<3.1.2"
+ ">=1.9,<1.9.8",
+ "==1.8.14",
+ ">=1.10,<1.10rc1"
],
- "v": "<3.1.2"
- }
- ],
- "django-registration-redux": [
+ "v": ">=1.9,<1.9.8,==1.8.14,>=1.10,<1.10rc1"
+ },
{
- "advisory": "django-registration-redux before 1.7 leaks password reset tokens through the Referer header. For more info, see: https://github.com/macropin/django-registration/pull/268",
- "cve": "PVE-2021-35199",
- "id": "pyup.io-35199",
+ "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.",
+ "cve": "CVE-2019-3498",
+ "id": "pyup.io-36770",
"specs": [
- "<1.7"
+ ">=2.0a1,<2.0.10"
],
- "v": "<1.7"
- }
- ],
- "django-relatives": [
+ "v": ">=2.0a1,<2.0.10"
+ },
{
- "advisory": "django-relatives before 0.3.0 is vulnerable to a unspecified XSS issue.",
- "cve": "PVE-2021-25782",
- "id": "pyup.io-25782",
+ "advisory": "Django 2.0.x before 2.0.11 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
+ "cve": "CVE-2019-6975",
+ "id": "pyup.io-36884",
"specs": [
- "<0.3.0"
+ ">=2.0a1,<2.0.11"
],
- "v": "<0.3.0"
- }
- ],
- "django-rest-registration": [
+ "v": ">=2.0a1,<2.0.11"
+ },
{
- "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.",
- "cve": "CVE-2019-13177",
- "id": "pyup.io-37266",
+ "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.",
+ "cve": "CVE-2018-6188",
+ "id": "pyup.io-35173",
"specs": [
- "<0.5.0"
+ ">=2.0a1,<2.0.2",
+ "==1.11.8",
+ "==1.11.9"
],
- "v": "<0.5.0"
+ "v": ">=2.0a1,<2.0.2,==1.11.8,==1.11.9"
},
{
- "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. See: .",
- "cve": "PVE-2021-37385",
- "id": "pyup.io-37385",
+ "advisory": "If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were\r\npassed the ``html=True`` argument, they were extremely slow to evaluate certain\r\ninputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. The ``chars()`` and ``words()`` methods are used to implement the\r\n``truncatechars_html`` and ``truncatewords_html`` template filters, which were\r\nthus vulnerable.",
+ "cve": "CVE-2018-7537",
+ "id": "pyup.io-35796",
"specs": [
- "<0.5.0"
+ ">=2.0a1,<2.0.3",
+ ">=1.8a1 ,<1.8.19",
+ ">=1.11a1,<1.11.11"
],
- "v": "<0.5.0"
- }
- ],
- "django-revproxy": [
+ "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11"
+ },
{
- "advisory": "django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.",
- "cve": "PVE-2021-25783",
- "id": "pyup.io-25783",
+ "advisory": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. See: CVE-2018-7536.",
+ "cve": "CVE-2018-7536",
+ "id": "pyup.io-35797",
"specs": [
- "<0.9.6"
+ ">=2.0a1,<2.0.3",
+ ">=1.8a1 ,<1.8.19",
+ ">=1.11a1,<1.11.11"
],
- "v": "<0.9.6"
+ "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11"
},
{
- "advisory": "django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin ignores the upstream and the request is redirected to the path itself allowing content injection.",
- "cve": "PVE-2021-25784",
- "id": "pyup.io-25784",
+ "advisory": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) See: CVE-2019-19118.",
+ "cve": "CVE-2019-19118",
+ "id": "pyup.io-37766",
"specs": [
- "<0.9.7"
+ ">=2.1,<2.1.15",
+ ">=2.2,<2.2.8"
],
- "v": "<0.9.7"
- }
- ],
- "django-safedelete": [
+ "v": ">=2.1,<2.1.15,>=2.2,<2.2.8"
+ },
{
- "advisory": "django-safedelete 0.3.3 contains a security fix that prevents an XSS attack in the admin interface.",
- "cve": "PVE-2021-25785",
- "id": "pyup.io-25785",
+ "advisory": "Django versions 2.1.9 and 2.2.2 apply a patch to fix a vulnerability in its dependency 'jQuery'.\r\nhttps://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad",
+ "cve": "CVE-2019-11358",
+ "id": "pyup.io-39594",
"specs": [
- "<0.3.3"
+ ">=2.1a0,<2.1.9",
+ ">=2.2a0,<2.2.2"
],
- "v": "<0.3.3"
- }
- ],
- "django-sage-painless": [
- {
- "advisory": "Django-sage-painless 1.10.2 includes fixes for few security bugs.",
- "cve": "PVE-2021-41101",
- "id": "pyup.io-41101",
- "specs": [
- "<1.10.2"
- ],
- "v": "<1.10.2"
- }
- ],
- "django-secure-auth": [
+ "v": ">=2.1a0,<2.1.9,>=2.2a0,<2.2.2"
+ },
{
- "advisory": "django-secure-auth 1.1 includes undisclosed security fixes.",
- "cve": "PVE-2021-34185",
- "id": "pyup.io-34185",
+ "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.",
+ "cve": "CVE-2019-3498",
+ "id": "pyup.io-36769",
"specs": [
- "<1.1"
+ ">=2.1a1,<2.1.5"
],
- "v": "<1.1"
- }
- ],
- "django-select2": [
+ "v": ">=2.1a1,<2.1.5"
+ },
{
- "advisory": "django-select2 5.7.0 contains a security fix that allows a `field_id` to only be used for the intended JSON endpoint.",
- "cve": "PVE-2021-25787",
- "id": "pyup.io-25787",
+ "advisory": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments. See CVE-2021-3281.",
+ "cve": "CVE-2021-3281",
+ "id": "pyup.io-39526",
"specs": [
- "<5.7.0"
+ ">=2.2,<2.2.18",
+ ">=3.1,<3.1.6",
+ ">=3.0,<3.0.12"
],
- "v": "<5.7.0"
- }
- ],
- "django-selectable": [
+ "v": ">=2.2,<2.2.18,>=3.1,<3.1.6,>=3.0,<3.0.12"
+ },
{
- "advisory": "django-selectable 0.5.2 fixes a XSS flaw with lookup ``get_item_*`` methods.",
- "cve": "PVE-2021-25788",
- "id": "pyup.io-25788",
+ "advisory": "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.",
+ "cve": "CVE-2021-31542",
+ "id": "pyup.io-40404",
"specs": [
- "<0.5.2"
+ ">=2.2,<2.2.21",
+ ">=3.1a1,<3.1.9",
+ ">=3.2,<3.2.1"
],
- "v": "<0.5.2"
- }
- ],
- "django-server": [
+ "v": ">=2.2,<2.2.21,>=3.1a1,<3.1.9,>=3.2,<3.2.1"
+ },
{
- "advisory": "django-server is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
- "cve": "PVE-2021-34982",
- "id": "pyup.io-34982",
+ "advisory": "Django 2.2.24, 3.1.12, and 3.2.4 includes a fix for CVE-2021-33571: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+).",
+ "cve": "CVE-2021-33571",
+ "id": "pyup.io-40638",
"specs": [
- ">0",
- "<0"
+ ">=2.2.0a1,<2.2.24",
+ ">=3.0.0a1,<3.1.12",
+ ">=3.2.0a1,<3.2.4"
],
- "v": ">0,<0"
- }
- ],
- "django-session-security": [
+ "v": ">=2.2.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4"
+ },
{
- "advisory": "django-session-security 2.4.0 fixes a vulnerability when SESSION_EXPIRE_AT_BROWSER_CLOSE is off.",
- "cve": "PVE-2021-25789",
- "id": "pyup.io-25789",
+ "advisory": "Django 2.2.19 includes a security fix for CVE-2021-23336 (affecting python): Web cache poisoning via 'django.utils.http.limited_parse_qsl()'.\r\nhttps://www.openwall.com/lists/oss-security/2021/02/19/4",
+ "cve": "CVE-2021-23336",
+ "id": "pyup.io-39646",
"specs": [
- "<2.4.0"
+ ">=2.2a1,<2.2.19"
],
- "v": "<2.4.0"
- }
- ],
- "django-smart-lists": [
+ "v": ">=2.2a1,<2.2.19"
+ },
{
- "advisory": "Django-smart-lists 1.0.26 fixes a XSS vulnerability in the render_function.",
- "cve": "PVE-2021-38150",
- "id": "pyup.io-38150",
+ "advisory": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.",
+ "cve": "CVE-2021-28658",
+ "id": "pyup.io-40163",
"specs": [
- "<1.0.26"
+ ">=2.2a1,<2.2.20",
+ ">=3.0a1,<3.0.14",
+ ">=3.1a1,<3.1.8"
],
- "v": "<1.0.26"
- }
- ],
- "django-smart-selects": [
+ "v": ">=2.2a1,<2.2.20,>=3.0a1,<3.0.14,>=3.1a1,<3.1.8"
+ },
{
- "advisory": "django-smart-selects before 1.5.0 allowed anybody to list arbitrary objects by tweaking URL parameters. 1.5.0 adds checks to the views to ensure that queries return an HTTP 403 (Permission denied) for models that do not have smart_selects fields defined.",
- "cve": "PVE-2021-34234",
- "id": "pyup.io-34234",
+ "advisory": "Django 3.0.13 includes a security fix for CVE-2021-23336 (affecting python): Web cache poisoning via 'django.utils.http.limited_parse_qsl()'.\r\nhttps://www.openwall.com/lists/oss-security/2021/02/19/4",
+ "cve": "CVE-2021-23336",
+ "id": "pyup.io-39645",
"specs": [
- "<1.5.1"
+ ">=3.0a1,<3.0.13"
],
- "v": "<1.5.1"
- }
- ],
- "django-social-auth": [
+ "v": ">=3.0a1,<3.0.13"
+ },
{
- "advisory": "django-social-auth 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.",
- "cve": "PVE-2021-25790",
- "id": "pyup.io-25790",
+ "advisory": "CVE-2020-13254: Potential data leakage via malformed memcached keys. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.",
+ "cve": "CVE-2020-13254",
+ "id": "pyup.io-38373",
"specs": [
- "<0.7.2"
+ ">=3.0a1,<3.0.7",
+ ">=2.2a1,<2.2.13"
],
- "v": "<0.7.2"
- }
- ],
- "django-social-auth3": [
+ "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13"
+ },
{
- "advisory": "django-social-auth3 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.",
- "cve": "PVE-2021-25791",
- "id": "pyup.io-25791",
+ "advisory": "CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.",
+ "cve": "CVE-2020-13596",
+ "id": "pyup.io-38372",
"specs": [
- "<0.7.2"
+ ">=3.0a1,<3.0.7",
+ ">=2.2a1,<2.2.13"
],
- "v": "<0.7.2"
- }
- ],
- "django-sql-dashboard": [
+ "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13"
+ },
{
- "advisory": "Django-sql-dashboard 0.14 fixes a security and permissions flaw, where users without the 'execute_sql' permission could still run custom queries by editing saved dashboards using the Django admin interface.",
- "cve": "PVE-2021-40482",
- "id": "pyup.io-40482",
+ "advisory": "Django versions 3.1.13 and 3.2.5 include a fix for CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.\r\nhttps://www.djangoproject.com/weblog/2021/jul/01/security-releases/\r\nhttps://www.openwall.com/lists/oss-security/2021/07/02/2\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce",
+ "cve": "CVE-2021-35042",
+ "id": "pyup.io-40899",
"specs": [
- "<0.14"
+ ">=3.1,<3.1.13",
+ ">=3.2,<3.2.5"
],
- "v": "<0.14"
- }
- ],
- "django-sql-explorer": [
+ "v": ">=3.1,<3.1.13,>=3.2,<3.2.5"
+ },
{
- "advisory": "Users in django-sql-explorer version 0.5 with view permissions can use query parameters. This results in a potential for SQL injection.",
- "cve": "PVE-2021-39445",
- "id": "pyup.io-39445",
+ "advisory": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.",
+ "cve": "CVE-2021-32052",
+ "id": "pyup.io-40414",
"specs": [
- "<0.5"
+ ">=3.1a1,<3.1.10",
+ ">=2.2a1,<2.2.22",
+ ">=3.2a1,<3.2.2"
],
- "v": "<0.5"
+ "v": ">=3.1a1,<3.1.10,>=2.2a1,<2.2.22,>=3.2a1,<3.2.2"
},
{
- "advisory": "django-sql-explorer before 1.1.0 isn't escaping values from the database correctly, making it open for potential XSS-attacks.",
- "cve": "PVE-2021-33293",
- "id": "pyup.io-33293",
+ "advisory": "Django 3.1.7 includes a security fix for CVE-2021-23336 (affecting python): Web cache poisoning via 'django.utils.http.limited_parse_qsl()'.\r\nhttps://www.openwall.com/lists/oss-security/2021/02/19/4",
+ "cve": "CVE-2021-23336",
+ "id": "pyup.io-39644",
"specs": [
- "<1.1.0"
+ ">=3.1a1,<3.1.7"
],
- "v": "<1.1.0"
+ "v": ">=3.1a1,<3.1.7"
}
],
- "django-sticky-uploads": [
+ "django-access-tokens": [
{
- "advisory": "django-sticky-uploads 0.2.0 fixes a security issue related to client changing the upload url specified by the widget for the upload.",
- "cve": "PVE-2021-25793",
- "id": "pyup.io-25793",
+ "advisory": "django-access-tokens 0.9.2 fixes scoping of permissions where the token provides a smaller subset of the required permissions. As an extreme case, an access token granting no permissions could be used to access any permissions on the site.",
+ "cve": "PVE-2021-25736",
+ "id": "pyup.io-25736",
"specs": [
- "<0.2.0"
+ "<0.9.2"
],
- "v": "<0.2.0"
+ "v": "<0.9.2"
}
],
- "django-storages": [
+ "django-access-tokens-py3": [
{
- "advisory": "In django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket permissions. Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL = None``. V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.",
- "cve": "PVE-2021-36434",
- "id": "pyup.io-36434",
+ "advisory": "Fixing scoping of permissions where the token provides a\r\nsmaller subset of the required permissions. As an extreme case, an access token\r\ngranting no permissions could be used to access any permissions on the site.",
+ "cve": "PVE-2021-34892",
+ "id": "pyup.io-34892",
"specs": [
- "<1.7"
+ "<0.9.2"
],
- "v": "<1.7"
+ "v": "<0.9.2"
}
],
- "django-tastypie": [
+ "django-afip": [
{
- "advisory": "The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.",
- "cve": "CVE-2011-4104",
- "id": "pyup.io-25794",
+ "advisory": "Django-afip 7.1.1 overrides the TLS configuration for AFIP's servers (and only those). They have worsened their security configuration, and it's now seen as insecure by default on many environments.",
+ "cve": "PVE-2021-38705",
+ "id": "pyup.io-38705",
"specs": [
- "<0.9.10"
+ "<7.1.1"
],
- "v": "<0.9.10"
+ "v": "<7.1.1"
}
],
- "django-triggers": [
+ "django-airplane": [
{
- "advisory": "Django-triggers 2.0.13 updates some dependencies to their latest secure versions.",
- "cve": "PVE-2021-37072",
- "id": "pyup.io-37072",
+ "advisory": "django-airplane 0.3 updates minimum django to secure 2.0.2.",
+ "cve": "PVE-2021-36587",
+ "id": "pyup.io-36587",
"specs": [
- "<2.0.13"
+ "<0.3"
],
- "v": "<2.0.13"
+ "v": "<0.3"
}
],
- "django-two-factor-auth": [
+ "django-ajax-datatable": [
{
- "advisory": "Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading. See: CVE-2020-15105.",
- "cve": "CVE-2020-15105",
- "id": "pyup.io-38562",
+ "advisory": "Django-ajax-datatable version 4.1.4 adds missing CSRF token header in the first POST call (initialize_table()).",
+ "cve": "PVE-2021-41834",
+ "id": "pyup.io-41834",
"specs": [
- "<1.12"
+ "<4.1.4"
],
- "v": "<1.12"
+ "v": "<4.1.4"
}
],
- "django-ucamlookup": [
+ "django-allauth": [
{
- "advisory": "django-ucamlookup 1.9 fixes XXS vulnerability in template macros",
- "cve": "PVE-2021-36744",
- "id": "pyup.io-36744",
+ "advisory": "django-allauth before 0.28.0 previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.",
+ "cve": "PVE-2021-25737",
+ "id": "pyup.io-25737",
"specs": [
- "<1.9"
+ "<0.28.0"
],
- "v": "<1.9"
- }
- ],
- "django-uni-form": [
+ "v": "<0.28.0"
+ },
{
- "advisory": "django-uni-form 0.9.0 fixes a XSS security issue. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.",
- "cve": "PVE-2021-25796",
- "id": "pyup.io-25796",
+ "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.",
+ "cve": "PVE-2021-35034",
+ "id": "pyup.io-35034",
"specs": [
- "<0.9.0"
+ "<0.34.0"
],
- "v": "<0.9.0"
- }
- ],
- "django-urlconf-export": [
+ "v": "<0.34.0"
+ },
{
- "advisory": "Django-urlconf-export 1.1.1 updates Django in pipfile.lock to address a security vulnerability.",
- "cve": "PVE-2021-38386",
- "id": "pyup.io-38386",
+ "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release. See CVE-2019-19844 and .",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-37664",
"specs": [
- "<1.1.1"
+ "<0.41.0"
],
- "v": "<1.1.1"
+ "v": "<0.41.0"
}
],
- "django-user-accounts": [
+ "django-allauth-underground": [
{
- "advisory": "django-user-accounts before 2.0.2 has a potentional security issue with leaking password reset tokens through HTTP Referer header.",
- "cve": "PVE-2021-34774",
- "id": "pyup.io-34774",
+ "advisory": "django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the\r\n provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the\r\n larger ``SOCIALACCOUNT_PROVIDERS`` setting).",
+ "cve": "PVE-2021-36394",
+ "id": "pyup.io-36394",
"specs": [
- "<2.0.2"
+ "<0.28.0"
],
- "v": "<2.0.2"
+ "v": "<0.28.0"
}
],
- "django-user-management": [
+ "django-anonymizer": [
{
- "advisory": "Django-user-management 18.0.0 fixes a Pillow security issue and updates djangorestframework>=3.9.1 for an XSS fix.",
- "cve": "PVE-2021-38634",
- "id": "pyup.io-38634",
+ "advisory": "Django-anonymizer 0.4 changes 'Anonymizer.attributes' to require every field to be listed. This deals with the common security problem when a model is updated, but the Anonymizer is not updated.",
+ "cve": "PVE-2021-25738",
+ "id": "pyup.io-25738",
"specs": [
- "<18.0.0"
+ "<0.4"
],
- "v": "<18.0.0"
+ "v": "<0.4"
}
],
- "django-user-sessions": [
+ "django-anymail": [
{
- "advisory": "In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen. See: CVE-2020-5224.",
- "cve": "CVE-2020-5224",
- "id": "pyup.io-37777",
+ "advisory": "In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.",
+ "cve": "CVE-2018-6596",
+ "id": "pyup.io-35178",
"specs": [
- "<1.7.1"
+ "<1.4"
],
- "v": "<1.7.1"
- }
- ],
- "django-watchman": [
+ "v": "<1.4"
+ },
{
- "advisory": "django-watchman 0.10.0 improves security by keeping tokens out of logs.",
- "cve": "PVE-2021-25797",
- "id": "pyup.io-25797",
+ "advisory": "Django-anymail version 1.4 includes a fix for CVE-2018-1000089: Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in an attacker with access to error logs could fabricate email tracking events. If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app.\r\nhttps://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef",
+ "cve": "CVE-2018-1000089",
+ "id": "pyup.io-35198",
"specs": [
- "<0.10.0"
+ ">=0.2,<1.4"
],
- "v": "<0.10.0"
+ "v": ">=0.2,<1.4"
}
],
- "django-widgy": [
+ "django-autocomplete-light": [
{
- "advisory": "Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page' (https://github.com/fusionbox/django-widgy/issues/387). See CVE-2020-18704.",
- "cve": "CVE-2020-18704",
- "id": "pyup.io-41185",
+ "advisory": "django-autocomplete-light before 2.3.0 when updating the queryset from outside the autocomplete class may lead to a security problem, ie. if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.",
+ "cve": "PVE-2021-25740",
+ "id": "pyup.io-25740",
"specs": [
- "==0.8.4"
+ "<2.3.0"
],
- "v": "==0.8.4"
+ "v": "<2.3.0"
}
],
- "django-x509": [
+ "django-awl": [
{
- "advisory": "Django-x509 0.9.1 updates the minimum version of 'cryptography' to 3.2 for security reasons.",
- "cve": "PVE-2021-39116",
- "id": "pyup.io-39116",
+ "advisory": "django-awl 0.22.2 updates minimum library requirements for django 2.0.2 and 2.1.2 to reflect\r\nsecurity updates.",
+ "cve": "PVE-2021-36588",
+ "id": "pyup.io-36588",
"specs": [
- "<0.9.1"
+ "<0.22.2"
],
- "v": "<0.9.1"
- }
- ],
- "djangocms-admin-style": [
+ "v": "<0.22.2"
+ },
{
- "advisory": "djangocms-admin-style 1.2.5 fixes a potential security issue if the ``Site.name`` field contains malicious code.",
- "cve": "PVE-2021-36834",
- "id": "pyup.io-36834",
+ "advisory": "Django-awl 1.0 updates the minimum library requirements for django 2.0.2 and 2.1.2 to reflect security updates.",
+ "cve": "PVE-2021-38139",
+ "id": "pyup.io-38139",
"specs": [
- "<1.2.5"
+ "<1.0"
],
- "v": "<1.2.5"
+ "v": "<1.0"
}
],
- "djangocms-highlightjs": [
+ "django-basic-auth-ip-whitelist": [
{
- "advisory": "djangocms-highlightjs before 0.3.1 has a unspecified security issue and is vulnerable via unknown vectors.",
- "cve": "PVE-2021-25798",
- "id": "pyup.io-25798",
+ "advisory": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. See: CVE-2020-4071.",
+ "cve": "CVE-2020-4071",
+ "id": "pyup.io-38443",
"specs": [
- "<0.3.1"
+ "<0.3.4"
],
- "v": "<0.3.1"
- }
- ],
- "djangorestframework": [
+ "v": "<0.3.4"
+ },
{
- "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.",
- "cve": "PVE-2021-25799",
- "id": "pyup.io-25799",
+ "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.",
+ "cve": "PVE-2021-38438",
+ "id": "pyup.io-38438",
"specs": [
- "<2.2.1"
+ "<0.3.4"
],
- "v": "<2.2.1"
- },
+ "v": "<0.3.4"
+ }
+ ],
+ "django-basicauth": [
{
- "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.",
- "cve": "PVE-2021-25800",
- "id": "pyup.io-25800",
+ "advisory": "django-basicauth before 0.4.2 is vulnerable to undisclosed timing attacks.",
+ "cve": "PVE-2021-35076",
+ "id": "pyup.io-35076",
"specs": [
- "<2.3.12"
+ "<0.4.2"
],
- "v": "<2.3.12"
- },
+ "v": "<0.4.2"
+ }
+ ],
+ "django-bootstrap4": [
{
- "advisory": "djangorestframework 2.3.14 fixes a security issue: Escape request path when it is include as part of the login and logout links in the browsable API.",
- "cve": "PVE-2021-25801",
- "id": "pyup.io-25801",
+ "advisory": "Django-bootstrap4 2.3.0 updates the Sphinx dependency because of security update.",
+ "cve": "PVE-2021-38870",
+ "id": "pyup.io-38870",
"specs": [
- "<2.3.14"
+ "<2.3.0"
],
- "v": "<2.3.14"
- },
+ "v": "<2.3.0"
+ }
+ ],
+ "django-ca": [
{
- "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.",
- "cve": "PVE-2021-25802",
- "id": "pyup.io-25802",
+ "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.",
+ "cve": "PVE-2021-37015",
+ "id": "pyup.io-37015",
"specs": [
- "<2.4.4"
+ "<1.10.0"
],
- "v": "<2.4.4"
+ "v": "<1.10.0"
},
{
- "advisory": "djangorestframework 2.4.5 fixes a security issue: Escape tab switching cookie name in browsable API. [Backported from 3.1.1]",
- "cve": "PVE-2021-25803",
- "id": "pyup.io-25803",
+ "advisory": "Django-ca 1.17.0 secures CSRF and session cookies using Djangos `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY` and `CSRF_COOKIE_SECURE` settings. It also adds several security related headers to the admin interface (CSP, etc).",
+ "cve": "PVE-2021-39375",
+ "id": "pyup.io-39375",
"specs": [
- "<2.4.5"
+ "<1.17.0"
],
- "v": "<2.4.5"
+ "v": "<1.17.0"
},
{
- "advisory": "djangorestframework 3.1.1 fixes a security issue: : Escape tab switching cookie name in browsable API.",
- "cve": "PVE-2021-25804",
- "id": "pyup.io-25804",
+ "advisory": "Django-ca version 1.19.0 fetches only the expected number of bytes when validating ACME challenges via HTTP to prevent DOS attacks.",
+ "cve": "PVE-2021-42088",
+ "id": "pyup.io-42088",
"specs": [
- "<3.1.1"
+ "<1.19.0"
],
- "v": "<3.1.1"
+ "v": "<1.19.0"
},
{
- "advisory": "A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious