Update Python deps to fix security vulnerabilities
Closed this issue · 0 comments
c0c0n3 commented
Is your feature request related to a problem? Please describe.
Our Python deps are ancient and some of them have serious security vulnerabilities.
Describe the solution you'd like
Upgrade all deps that have security vulnerabilities. If possible, upgrade the other deps too.
Describe alternatives you've considered
N/A
Additional context
See
Also, pipenv check reports:
-> Vulnerability found in certifi version 2018.10.15
Vulnerability ID: 52365
Affected spec: <2022.12.07
ADVISORY: Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from "TrustCor"
from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being...
CVE-2022-23491
For more information, please visit https://pyup.io/v/52365/742
-> Vulnerability found in click version 7.1.2
Vulnerability ID: 47833
Affected spec: <8.0.0
ADVISORY: Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure
'mktemp()'.https://github.com/pallets/click/issues/1752
PVE-2022-47833
For more information, please visit https://pyup.io/v/47833/742
-> Vulnerability found in flask version 1.1.4
Vulnerability ID: 55261
Affected spec: <2.2.5
ADVISORY: Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response
containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also...
CVE-2023-30861
For more information, please visit https://pyup.io/v/55261/742
-> Vulnerability found in pydantic version 1.9.0
Vulnerability ID: 50916
Affected spec: <1.10.2
ADVISORY: Pydantic 1.10.2 prevents long strings as int inputs to fix
CVE-2020-10735.https://github.com/pydantic/pydantic/commit/eccd85e4d012e70ffbd81f379179da900d4621c5
CVE-2020-10735
For more information, please visit https://pyup.io/v/50916/742
-> Vulnerability found in requests version 2.27.1
Vulnerability ID: 58755
Affected spec: >=2.3.0,<2.31.0
ADVISORY: Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-
Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use...
CVE-2023-32681
For more information, please visit https://pyup.io/v/58755/742
-> Vulnerability found in setuptools version 60.8.2
Vulnerability ID: 52495
Affected spec: <65.5.1
ADVISORY: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via
HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE-2022-40897
For more information, please visit https://pyup.io/v/52495/742
-> Vulnerability found in werkzeug version 1.0.1
Vulnerability ID: 54456
Affected spec: >=0,<2.1.1
ADVISORY: ** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform
HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position...
CVE-2022-29361
For more information, please visit https://pyup.io/v/54456/742
-> Vulnerability found in werkzeug version 1.0.1
Vulnerability ID: 53325
Affected spec: <2.2.3
ADVISORY: Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data
parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU...
CVE-2023-25577
For more information, please visit https://pyup.io/v/53325/742
-> Vulnerability found in werkzeug version 1.0.1
Vulnerability ID: 53326
Affected spec: <2.2.3
ADVISORY: Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like
'=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this...
CVE-2023-23934
For more information, please visit https://pyup.io/v/53326/742