themagicalmammal / wikibot Goto Github PK

Vulnerable Library - httplib2-0.18.1.tar.gz

A comprehensive HTTP client library.

Library home page: https://files.pythonhosted.org/packages/98/3f/0769a851fbb0ecc458260055da67d550d3015ebe6b8b861c79ad00147bb9/httplib2-0.18.1.tar.gz

Path to dependency file: wikibot/requirements.txt

Path to vulnerable library: wikibot/requirements.txt

Dependency Hierarchy:

• google_api_python_client-1.12.8-py2.py3-none-any.whl (Root Library)
  • ❌ httplib2-0.18.1.tar.gz (Vulnerable Library)

Found in HEAD commit: c6bf4b5a3ae9d6a08215141dc07c0566281ec8c9

Found in base branch: master

Vulnerability Details

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.

Publish Date: 2021-02-08

URL: CVE-2021-21240

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-93xj-8mrv-444m

Release Date: 2021-02-08

Fix Resolution: v0.19.0

Vulnerable Library - Jinja2-2.11.2-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl

Path to dependency file: wikibot/requirements.txt

Path to vulnerable library: wikibot/requirements.txt

Dependency Hierarchy:

• Flask-1.1.2-py2.py3-none-any.whl (Root Library)
  • ❌ Jinja2-2.11.2-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d0c3138f5658d9b5e79f78fc3875dd957f09cb1c

Found in base branch: master

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28493

Release Date: 2021-02-01

Fix Resolution: 2.11.3

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: wikibot/requirements.txt

Path to vulnerable library: wikibot/requirements.txt

Dependency Hierarchy:

• wikipedia-1.4.0.tar.gz (Root Library)
  • requests-2.25.1-py2.py3-none-any.whl
    • ❌ urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 54f7b65e6dd856ca3a17692f84d51b302025279a

Found in base branch: master

Vulnerability Details

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Publish Date: 2021-03-15

URL: CVE-2021-28363

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5phf-pp7p-vc2r

Release Date: 2021-03-15

Fix Resolution: 1.26.4

Vulnerable Library - rsa-4.5-py2.py3-none-any.whl

Pure-Python RSA implementation

Library home page: https://files.pythonhosted.org/packages/26/f8/8127fdda0294f044121d20aac7785feb810e159098447967a6103dedfb96/rsa-4.5-py2.py3-none-any.whl

Path to dependency file: wikibot/requirements.txt

Path to vulnerable library: wikibot/requirements.txt

Dependency Hierarchy:

• google_auth_httplib2-0.1.0-py2.py3-none-any.whl (Root Library)
  • google_auth-1.29.0-py2.py3-none-any.whl
    • ❌ rsa-4.5-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Publish Date: 2020-11-12

URL: CVE-2020-25658

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None