oauthlib-3.2.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 6.5)
Closed this issue · 4 comments
Vulnerable Library - oauthlib-3.2.1-py3-none-any.whl
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl
Path to dependency file: /module
Path to vulnerable library: /module,/docs/sphinx_requirements.txt,/module/MM-RealSR-1.0.0,/module/Jupyter-master/requirements.txt,/module/requirements.txt,/module/imagen-pytorch-1.11.12,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/module/_tests_requirements.txt,/PRNet-master/requirements.txt,/module/openai-python-0.22.1,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-36087 |  Medium |
6.5 | oauthlib-3.2.1-py3-none-any.whl | Direct | N/A | ❌ |
Details
CVE-2022-36087
Vulnerable Library - oauthlib-3.2.1-py3-none-any.whl
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl
Path to dependency file: /module
Path to vulnerable library: /module,/docs/sphinx_requirements.txt,/module/MM-RealSR-1.0.0,/module/Jupyter-master/requirements.txt,/module/requirements.txt,/module/imagen-pytorch-1.11.12,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/module/_tests_requirements.txt,/PRNet-master/requirements.txt,/module/openai-python-0.22.1,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ oauthlib-3.2.1-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of uri_validate functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly uri_validate are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.
Publish Date: 2022-09-09
URL: CVE-2022-36087
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
Nice to meet you, @mend-bolt-for-github[bot]. Thank you for creating an issue. There are some tasks for you:
- Need at least one label
- Need at least one assignee
- Need a milestone
To close issue send comment "close", to reopen - "reopen"
Nice, one of tasks is done
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "denial of service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Try a challenge in Secure Code Warrior
Thanks for issue, @mend-bolt-for-github[bot]! @AdamOswald, thank you for closing this issue, I have less work. I will look forward to our next meeting😜
If you want to reopen the issue - type "reopen"