datasets-2.2.1-py3-none-any.whl: 11 vulnerabilities (highest severity is: 9.8)
mend-bolt-for-github opened this issue · 0 comments
Vulnerable Library - datasets-2.2.1-py3-none-any.whl
Path to dependency file: /textdiff_streamlit/requirements.txt
Path to vulnerable library: /requirements.txt,/paper/requirements.txt,/textdiff_streamlit/requirements.txt,/mrpc_streamlit/requirements.txt
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (datasets version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-47248 |  Critical |
9.8 | pyarrow-8.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 2.2.2 | ❌ |
| CVE-2023-37920 | Critical |
9.8 | certifi-2021.10.8-py2.py3-none-any.whl | Transitive | 2.2.2 | ❌ |
| CVE-2022-23491 |  High |
7.5 | certifi-2021.10.8-py2.py3-none-any.whl | Transitive | 2.2.2 | ❌ |
| CVE-2023-37276 | High |
7.5 | aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 2.2.2 | ❌ |
| CVE-2023-47627 | High |
7.5 | aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 2.2.2 | ❌ |
| CVE-2023-49082 |  Medium |
5.3 | aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 2.2.2 | ❌ |
| CVE-2023-49081 | Medium |
5.3 | aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 2.2.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-47248
Vulnerable Library - pyarrow-8.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Python library for Apache Arrow
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/mrpc_streamlit/requirements.txt,/paper/requirements.txt,/textdiff_streamlit/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- ❌ pyarrow-8.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.
If it is not possible to upgrade, we provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
Publish Date: 2023-11-09
URL: CVE-2023-47248
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
Release Date: 2023-11-09
Fix Resolution (pyarrow): 14.0.1
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-37920
Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/paper/requirements.txt,/textdiff_streamlit/requirements.txt,/mrpc_streamlit/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- requests-2.27.1-py2.py3-none-any.whl
- ❌ certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)
- requests-2.27.1-py2.py3-none-any.whl
Found in base branch: main
Vulnerability Details
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Publish Date: 2023-07-25
URL: CVE-2023-37920
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xqr8-7jwr-rhp7
Release Date: 2023-07-25
Fix Resolution (certifi): 2023.7.22
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2022-23491
Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/paper/requirements.txt,/textdiff_streamlit/requirements.txt,/mrpc_streamlit/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- requests-2.27.1-py2.py3-none-any.whl
- ❌ certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)
- requests-2.27.1-py2.py3-none-any.whl
Found in base branch: main
Vulnerability Details
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Publish Date: 2022-12-07
URL: CVE-2022-23491
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491
Release Date: 2022-12-07
Fix Resolution (certifi): 2022.12.7
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-37276
Vulnerable Library - aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /textdiff_streamlit/requirements.txt
Path to vulnerable library: /textdiff_streamlit/requirements.txt,/requirements.txt,/paper/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- ❌ aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.
Publish Date: 2023-07-19
URL: CVE-2023-37276
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-45c4-8wx5-qw6w
Release Date: 2023-07-19
Fix Resolution (aiohttp): 3.8.5
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-47627
Vulnerable Library - aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /textdiff_streamlit/requirements.txt
Path to vulnerable library: /textdiff_streamlit/requirements.txt,/requirements.txt,/paper/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- ❌ aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit d5c12ba89 which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
Publish Date: 2023-11-14
URL: CVE-2023-47627
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gfw2-4jvh-wgfg
Release Date: 2023-11-14
Fix Resolution (aiohttp): 3.8.6
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-49082
Vulnerable Library - aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /textdiff_streamlit/requirements.txt
Path to vulnerable library: /textdiff_streamlit/requirements.txt,/requirements.txt,/paper/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- ❌ aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
Publish Date: 2023-11-29
URL: CVE-2023-49082
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qvrw-v9rv-5rjx
Release Date: 2023-11-29
Fix Resolution (aiohttp): 3.9.0
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-49081
Vulnerable Library - aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /textdiff_streamlit/requirements.txt
Path to vulnerable library: /textdiff_streamlit/requirements.txt,/requirements.txt,/paper/requirements.txt
Dependency Hierarchy:
- datasets-2.2.1-py3-none-any.whl (Root Library)
- ❌ aiohttp-3.8.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
Publish Date: 2023-11-30
URL: CVE-2023-49081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q3qx-c6g2-7pw2
Release Date: 2023-11-30
Fix Resolution (aiohttp): 3.9.0
Direct dependency fix Resolution (datasets): 2.2.2
Step up your Open Source Security Game with Mend here