Theemiss/Quick_Report

Mako-1.2.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Opened this issue · 0 comments

mend-bolt-for-github commented
Vulnerable Library - Mako-1.2.0-py3-none-any.whl

A super-fast templating language that borrows the best ideas from the existing templating languages.

Library home page: https://files.pythonhosted.org/packages/6e/01/45ab9f723a93e0ca75fba4d2c266bb041120cb4215eab94f7c78743ac7ed/Mako-1.2.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Found in HEAD commit: 8132fbdbfff0ec0a5c67241289b0b10059bc8370

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-40023 High 7.5 Mako-1.2.0-py3-none-any.whl Direct Mako - 1.2.2

Details

CVE-2022-40023

Vulnerable Library - Mako-1.2.0-py3-none-any.whl

A super-fast templating language that borrows the best ideas from the existing templating languages.

Library home page: https://files.pythonhosted.org/packages/6e/01/45ab9f723a93e0ca75fba4d2c266bb041120cb4215eab94f7c78743ac7ed/Mako-1.2.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • Mako-1.2.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8132fbdbfff0ec0a5c67241289b0b10059bc8370

Found in base branch: main

Vulnerability Details

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

Publish Date: 2022-09-07

URL: CVE-2022-40023

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-07

Fix Resolution: Mako - 1.2.2

Step up your Open Source Security Game with Mend here