starlette-0.13.2-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)
Closed this issue · 4 comments
Vulnerable Library - starlette-0.13.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl
Path to dependency file: /module/sprites-as-a-service-0.5.0/backend/requirements.txt
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/runx-0.0.5
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2020-0300 | High | 7.5 | starlette-0.13.2-py3-none-any.whl | Direct | starlette - 0.13.5 | ❌ |
Details
WS-2020-0300
Dependency Hierarchy:
- ❌ starlette-0.13.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
A path traversal vulnerability was found in starlette before 0.13.5. It allows a remote attacker to perform directory traversal attacks. The vulnerability exists due to an input validation error when processing directory traversal sequences: a remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Publish Date: 2020-06-23
URL: WS-2020-0300
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-23
Fix Resolution: starlette - 0.13.5
Nice, one of the tasks is done
Nice to meet you, @mend-bolt-for-github[bot]. Thank you for creating an issue. There are some tasks for you:
- Need at least one label
- Need at least one assignee
- Need a milestone
To close the issue, send the comment "close"; to reopen, send "reopen".
Micro-Learning Topic: Directory traversal (Detected by phrase)
Matched on "directory traversal"
Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).
Helpful references
- OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
- OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.
Micro-Learning Topic: Path traversal (Detected by phrase)
Matched on "Path Traversal"
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Thanks for the issue, @mend-bolt-for-github[bot]! @AdamOswald, thank you for closing this issue; I have less work. I will look forward to our next meeting 😜
If you want to reopen the issue, type "reopen".