sharmas1ddharth / pybox Goto Github PK

View Code? Open in Web Editor NEW

0.0 1.0 0.0 24 KB

A python library with various scripts to perform basic and utility tasks

License: MIT License

Makefile 26.85% Python 73.15%

python-package python-toolbox python3 scripts-python toolbox

pybox's Introduction

pyBox

pybox's People

Contributors

Watchers

pybox's Issues

Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 4 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (Pillow version)	Remediation Possible**
CVE-2023-50447	High	8.1	Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl	Direct	pillow - 10.2.0	❌
CVE-2023-44271	High	7.5	Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl	Direct	Pillow - 10.0.0	❌
CVE-2022-45199	High	7.5	Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl	Direct	9.3.0	❌
CVE-2022-45198	High	7.5	Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl	Direct	9.2.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-50447

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

❌ Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Publish Date: 2024-01-19

URL: CVE-2023-50447

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1

Release Date: 2024-01-19

Fix Resolution: pillow - 10.2.0

Step up your Open Source Security Game with Mend here

CVE-2023-44271

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

❌ Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-45199

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

❌ Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: 9.3.0

Step up your Open Source Security Game with Mend here

CVE-2022-45198

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

❌ Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: 9.2.0

Step up your Open Source Security Game with Mend here

setuptools-60.2.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - setuptools-60.2.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/8e/16/8f64922c8d7cd7ec193b145c9b11ad281064ff8604452ba19a6d5bbd7ed9/setuptools-60.2.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (setuptools version)	Remediation Possible**
CVE-2024-6345	High	8.8	setuptools-60.2.0-py3-none-any.whl	Direct	70.0.0	❌
CVE-2022-40897	Medium	5.9	setuptools-60.2.0-py3-none-any.whl	Direct	65.5.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6345

Vulnerable Library - setuptools-60.2.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/8e/16/8f64922c8d7cd7ec193b145c9b11ad281064ff8604452ba19a6d5bbd7ed9/setuptools-60.2.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

❌ setuptools-60.2.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Publish Date: 2024-07-15

URL: CVE-2024-6345

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-6345

Release Date: 2024-07-15

Fix Resolution: 70.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-40897

Vulnerable Library - setuptools-60.2.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/8e/16/8f64922c8d7cd7ec193b145c9b11ad281064ff8604452ba19a6d5bbd7ed9/setuptools-60.2.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

❌ setuptools-60.2.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Publish Date: 2022-12-23

URL: CVE-2022-40897

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Release Date: 2022-12-23

Fix Resolution: 65.5.1

Step up your Open Source Security Game with Mend here

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

Jobs

Jooble