@fabasoad/sarif-to-slack 0.2.5 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/.github/workflows/release.yml +1 -1
  2. package/.github/workflows/security.yml +0 -1
  3. package/.github/workflows/send-sarif-to-slack.yml +145 -73
  4. package/.gitleaksignore +8 -0
  5. package/.pre-commit-config.yaml +3 -3
  6. package/.tool-versions +1 -1
  7. package/dist/Logger.js +4 -1
  8. package/dist/SarifToSlackClient.d.ts +33 -0
  9. package/dist/SarifToSlackClient.d.ts.map +1 -0
  10. package/dist/SarifToSlackClient.js +178 -0
  11. package/dist/SlackMessageBuilder.js +34 -82
  12. package/dist/System.d.ts +1 -3
  13. package/dist/System.d.ts.map +1 -1
  14. package/dist/System.js +10 -3
  15. package/dist/index.cjs +826 -472
  16. package/dist/index.d.ts +35 -12
  17. package/dist/index.d.ts.map +1 -1
  18. package/dist/index.js +36 -12
  19. package/dist/model/Color.d.ts +80 -0
  20. package/dist/model/Color.d.ts.map +1 -0
  21. package/dist/model/Color.js +106 -0
  22. package/dist/model/Finding.d.ts +2 -0
  23. package/dist/model/Finding.d.ts.map +1 -0
  24. package/dist/model/Finding.js +93 -0
  25. package/dist/model/FindingsArray.d.ts +2 -0
  26. package/dist/model/FindingsArray.d.ts.map +1 -0
  27. package/dist/model/FindingsArray.js +24 -0
  28. package/dist/processors/CodeQLProcessor.d.ts +2 -0
  29. package/dist/processors/CodeQLProcessor.d.ts.map +1 -0
  30. package/dist/processors/CodeQLProcessor.js +17 -0
  31. package/dist/processors/CommonProcessor.d.ts +2 -0
  32. package/dist/processors/CommonProcessor.d.ts.map +1 -0
  33. package/dist/processors/CommonProcessor.js +84 -0
  34. package/dist/processors/ProcessorFactory.d.ts +2 -0
  35. package/dist/processors/ProcessorFactory.d.ts.map +1 -0
  36. package/dist/processors/ProcessorFactory.js +22 -0
  37. package/dist/processors/SnykProcessor.d.ts +2 -0
  38. package/dist/processors/SnykProcessor.d.ts.map +1 -0
  39. package/dist/processors/SnykProcessor.js +18 -0
  40. package/dist/representations/CompactGroupByRepresentation.d.ts +2 -0
  41. package/dist/representations/CompactGroupByRepresentation.d.ts.map +1 -0
  42. package/dist/representations/CompactGroupByRepresentation.js +58 -0
  43. package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts +2 -0
  44. package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts.map +1 -0
  45. package/dist/representations/CompactGroupByRunPerLevelRepresentation.js +13 -0
  46. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts +2 -0
  47. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts.map +1 -0
  48. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.js +13 -0
  49. package/dist/representations/CompactGroupByRunRepresentation.d.ts +2 -0
  50. package/dist/representations/CompactGroupByRunRepresentation.d.ts.map +1 -0
  51. package/dist/representations/CompactGroupByRunRepresentation.js +39 -0
  52. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts +2 -0
  53. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts.map +1 -0
  54. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.js +13 -0
  55. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts +2 -0
  56. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts.map +1 -0
  57. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.js +13 -0
  58. package/dist/representations/CompactGroupBySarifRepresentation.d.ts +2 -0
  59. package/dist/representations/CompactGroupBySarifRepresentation.d.ts.map +1 -0
  60. package/dist/representations/CompactGroupBySarifRepresentation.js +40 -0
  61. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts +2 -0
  62. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts.map +1 -0
  63. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.js +13 -0
  64. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts +2 -0
  65. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts.map +1 -0
  66. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.js +13 -0
  67. package/dist/representations/CompactGroupByToolNameRepresentation.d.ts +2 -0
  68. package/dist/representations/CompactGroupByToolNameRepresentation.d.ts.map +1 -0
  69. package/dist/representations/CompactGroupByToolNameRepresentation.js +39 -0
  70. package/dist/representations/CompactTotalPerLevelRepresentation.d.ts +2 -0
  71. package/dist/representations/CompactTotalPerLevelRepresentation.d.ts.map +1 -0
  72. package/dist/representations/CompactTotalPerLevelRepresentation.js +13 -0
  73. package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts +2 -0
  74. package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts.map +1 -0
  75. package/dist/representations/CompactTotalPerSeverityRepresentation.js +13 -0
  76. package/dist/representations/CompactTotalRepresentation.d.ts +2 -0
  77. package/dist/representations/CompactTotalRepresentation.d.ts.map +1 -0
  78. package/dist/representations/CompactTotalRepresentation.js +25 -0
  79. package/dist/representations/Representation.d.ts +2 -0
  80. package/dist/representations/Representation.d.ts.map +1 -0
  81. package/dist/representations/Representation.js +28 -0
  82. package/dist/representations/RepresentationFactory.d.ts +2 -0
  83. package/dist/representations/RepresentationFactory.d.ts.map +1 -0
  84. package/dist/representations/RepresentationFactory.js +37 -0
  85. package/dist/sarif-to-slack.d.ts +347 -85
  86. package/dist/tsdoc-metadata.json +1 -1
  87. package/dist/types.d.ts +215 -51
  88. package/dist/types.d.ts.map +1 -1
  89. package/dist/types.js +225 -33
  90. package/dist/utils/Comparators.d.ts +2 -0
  91. package/dist/utils/Comparators.d.ts.map +1 -0
  92. package/dist/utils/Comparators.js +18 -0
  93. package/dist/utils/ExtendedArray.d.ts +2 -0
  94. package/dist/utils/ExtendedArray.d.ts.map +1 -0
  95. package/dist/utils/ExtendedArray.js +11 -0
  96. package/dist/utils/FileUtils.d.ts +2 -0
  97. package/dist/utils/FileUtils.d.ts.map +1 -0
  98. package/dist/utils/FileUtils.js +51 -0
  99. package/dist/utils/SarifUtils.js +20 -54
  100. package/etc/sarif-to-slack.api.md +162 -99
  101. package/jest.config.json +2 -2
  102. package/package.json +7 -7
  103. package/scripts/save-metadata.sh +12 -10
  104. package/src/Logger.ts +4 -0
  105. package/src/SarifToSlackClient.ts +202 -0
  106. package/src/SlackMessageBuilder.ts +35 -115
  107. package/src/System.ts +9 -2
  108. package/src/index.ts +47 -20
  109. package/src/model/Color.ts +195 -0
  110. package/src/model/Finding.ts +137 -0
  111. package/src/model/FindingsArray.ts +27 -0
  112. package/src/processors/CodeQLProcessor.ts +19 -0
  113. package/src/processors/CommonProcessor.ts +103 -0
  114. package/src/processors/ProcessorFactory.ts +23 -0
  115. package/src/processors/SnykProcessor.ts +19 -0
  116. package/src/representations/CompactGroupByRepresentation.ts +67 -0
  117. package/src/representations/CompactGroupByRunPerLevelRepresentation.ts +14 -0
  118. package/src/representations/CompactGroupByRunPerSeverityRepresentation.ts +14 -0
  119. package/src/representations/CompactGroupByRunRepresentation.ts +44 -0
  120. package/src/representations/CompactGroupBySarifPerLevelRepresentation.ts +15 -0
  121. package/src/representations/CompactGroupBySarifPerSeverityRepresentation.ts +15 -0
  122. package/src/representations/CompactGroupBySarifRepresentation.ts +45 -0
  123. package/src/representations/CompactGroupByToolNamePerLevelRepresentation.ts +15 -0
  124. package/src/representations/CompactGroupByToolNamePerSeverityRepresentation.ts +15 -0
  125. package/src/representations/CompactGroupByToolNameRepresentation.ts +44 -0
  126. package/src/representations/CompactTotalPerLevelRepresentation.ts +14 -0
  127. package/src/representations/CompactTotalPerSeverityRepresentation.ts +14 -0
  128. package/src/representations/CompactTotalRepresentation.ts +27 -0
  129. package/src/representations/Representation.ts +35 -0
  130. package/src/representations/RepresentationFactory.ts +49 -0
  131. package/src/types.ts +270 -53
  132. package/src/utils/Comparators.ts +19 -0
  133. package/src/utils/ExtendedArray.ts +11 -0
  134. package/src/utils/FileUtils.ts +60 -0
  135. package/src/utils/SarifUtils.ts +20 -72
  136. package/test-data/sarif/codeql-python.sarif +1448 -1
  137. package/test-data/sarif/codeql-typescript.sarif +3474 -1
  138. package/test-data/sarif/grype-github-actions.sarif +65 -0
  139. package/test-data/sarif/osv-scanner-composer.sarif +972 -0
  140. package/test-data/sarif/osv-scanner-container.sarif +2278 -0
  141. package/test-data/sarif/osv-scanner-gomodules.sarif +813 -0
  142. package/test-data/sarif/osv-scanner-hex.sarif +147 -0
  143. package/test-data/sarif/osv-scanner-maven.sarif +171 -0
  144. package/test-data/sarif/osv-scanner-npm.sarif +627 -0
  145. package/test-data/sarif/osv-scanner-pip.sarif +206 -0
  146. package/test-data/sarif/osv-scanner-pipenv.sarif +243 -0
  147. package/test-data/sarif/osv-scanner-pnpm.sarif +174 -0
  148. package/test-data/sarif/osv-scanner-poetry.sarif +1893 -0
  149. package/test-data/sarif/osv-scanner-rubygems.sarif +402 -0
  150. package/test-data/sarif/osv-scanner-uv.sarif +206 -0
  151. package/test-data/sarif/osv-scanner-yarn.sarif +5207 -0
  152. package/test-data/sarif/runs-0.sarif +5 -0
  153. package/test-data/sarif/runs-2-tools-2-results-0.sarif +1 -1
  154. package/test-data/sarif/runs-2-tools-2.sarif +1 -1
  155. package/test-data/sarif/runs-3-tools-2-results-0.sarif +1 -1
  156. package/test-data/sarif/runs-3-tools-2.sarif +1 -1
  157. package/test-data/sarif/tmp/codeql-csharp.sarif +1 -0
  158. package/test-data/sarif/tmp/grype-container.sarif +1774 -0
  159. package/test-data/sarif/tmp/runs-1-tools-1-results-0.sarif +18 -0
  160. package/test-data/sarif/tmp/runs-2-tools-2.sarif +686 -0
  161. package/test-data/sarif/trivy-iac.sarif +1 -1
  162. package/tests/integration/SendSarifToSlack.spec.ts +95 -27
  163. package/tsconfig.json +2 -0
  164. package/dist/Processors.d.ts +0 -2
  165. package/dist/Processors.d.ts.map +0 -1
  166. package/dist/Processors.js +0 -61
  167. package/dist/SarifToSlackService.d.ts +0 -39
  168. package/dist/SarifToSlackService.d.ts.map +0 -1
  169. package/dist/SarifToSlackService.js +0 -104
  170. package/dist/metadata.d.ts +0 -2
  171. package/dist/metadata.d.ts.map +0 -1
  172. package/dist/metadata.js +0 -11
  173. package/dist/model/SarifModelPerRun.d.ts +0 -2
  174. package/dist/model/SarifModelPerRun.d.ts.map +0 -1
  175. package/dist/model/SarifModelPerRun.js +0 -90
  176. package/dist/model/SarifModelPerSarif.d.ts +0 -2
  177. package/dist/model/SarifModelPerSarif.d.ts.map +0 -1
  178. package/dist/model/SarifModelPerSarif.js +0 -102
  179. package/dist/model/types.d.ts +0 -2
  180. package/dist/model/types.d.ts.map +0 -1
  181. package/dist/model/types.js +0 -49
  182. package/dist/utils/SortUtils.d.ts +0 -2
  183. package/dist/utils/SortUtils.d.ts.map +0 -1
  184. package/dist/utils/SortUtils.js +0 -20
  185. package/src/Processors.ts +0 -68
  186. package/src/SarifToSlackService.ts +0 -117
  187. package/src/metadata.ts +0 -10
  188. package/src/model/SarifModelPerRun.ts +0 -120
  189. package/src/model/SarifModelPerSarif.ts +0 -126
  190. package/src/model/types.ts +0 -50
  191. package/src/utils/SortUtils.ts +0 -33
  192. package/tests/Processors.spec.ts +0 -76
package/test-data/sarif/osv-scanner-poetry.sarif ADDED
@@ -0,0 +1,1893 @@
1
+ {
2
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
3
+ "version": "2.1.0",
4
+ "runs": [
5
+ {
6
+ "addresses": [],
7
+ "artifacts": [
8
+ {
9
+ "length": -1,
10
+ "location": {
11
+ "index": -1,
12
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
13
+ },
14
+ "parentIndex": -1,
15
+ "roles": []
16
+ }
17
+ ],
18
+ "graphs": [],
19
+ "invocations": [],
20
+ "language": "en-US",
21
+ "logicalLocations": [],
22
+ "newlineSequences": [
23
+ "\r\n",
24
+ "\n"
25
+ ],
26
+ "policies": [],
27
+ "redactionTokens": [],
28
+ "results": [
29
+ {
30
+ "attachments": [],
31
+ "codeFlows": [],
32
+ "fixes": [],
33
+ "graphTraversals": [],
34
+ "graphs": [],
35
+ "kind": "fail",
36
+ "level": "warning",
37
+ "locations": [
38
+ {
39
+ "annotations": [],
40
+ "id": -1,
41
+ "logicalLocations": [],
42
+ "physicalLocation": {
43
+ "artifactLocation": {
44
+ "index": -1,
45
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
46
+ }
47
+ },
48
+ "relationships": []
49
+ }
50
+ ],
51
+ "message": {
52
+ "arguments": [],
53
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2024-34069' (also known as 'CGA-4f6v-wx38-68gq', 'GHSA-2g68-c3qc-8985')."
54
+ },
55
+ "rank": -1,
56
+ "relatedLocations": [],
57
+ "ruleId": "CVE-2024-34069",
58
+ "ruleIndex": 0,
59
+ "stacks": [],
60
+ "taxa": []
61
+ },
62
+ {
63
+ "attachments": [],
64
+ "codeFlows": [],
65
+ "fixes": [],
66
+ "graphTraversals": [],
67
+ "graphs": [],
68
+ "kind": "fail",
69
+ "level": "warning",
70
+ "locations": [
71
+ {
72
+ "annotations": [],
73
+ "id": -1,
74
+ "logicalLocations": [],
75
+ "physicalLocation": {
76
+ "artifactLocation": {
77
+ "index": -1,
78
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
79
+ }
80
+ },
81
+ "relationships": []
82
+ }
83
+ ],
84
+ "message": {
85
+ "arguments": [],
86
+ "text": "Package 'dnspython@2.0.0' is vulnerable to 'CVE-2023-29483' (also known as 'GHSA-3rq5-2g8h-59hc')."
87
+ },
88
+ "rank": -1,
89
+ "relatedLocations": [],
90
+ "ruleId": "CVE-2023-29483",
91
+ "ruleIndex": 1,
92
+ "stacks": [],
93
+ "taxa": []
94
+ },
95
+ {
96
+ "attachments": [],
97
+ "codeFlows": [],
98
+ "fixes": [],
99
+ "graphTraversals": [],
100
+ "graphs": [],
101
+ "kind": "fail",
102
+ "level": "warning",
103
+ "locations": [
104
+ {
105
+ "annotations": [],
106
+ "id": -1,
107
+ "logicalLocations": [],
108
+ "physicalLocation": {
109
+ "artifactLocation": {
110
+ "index": -1,
111
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
112
+ }
113
+ },
114
+ "relationships": []
115
+ }
116
+ ],
117
+ "message": {
118
+ "arguments": [],
119
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2024-6866' (also known as 'GHSA-43qf-4rqw-9q2g')."
120
+ },
121
+ "rank": -1,
122
+ "relatedLocations": [],
123
+ "ruleId": "CVE-2024-6866",
124
+ "ruleIndex": 2,
125
+ "stacks": [],
126
+ "taxa": []
127
+ },
128
+ {
129
+ "attachments": [],
130
+ "codeFlows": [],
131
+ "fixes": [],
132
+ "graphTraversals": [],
133
+ "graphs": [],
134
+ "kind": "fail",
135
+ "level": "warning",
136
+ "locations": [
137
+ {
138
+ "annotations": [],
139
+ "id": -1,
140
+ "logicalLocations": [],
141
+ "physicalLocation": {
142
+ "artifactLocation": {
143
+ "index": -1,
144
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
145
+ }
146
+ },
147
+ "relationships": []
148
+ }
149
+ ],
150
+ "message": {
151
+ "arguments": [],
152
+ "text": "Package 'ihatemoney@4.1.4' is vulnerable to 'CVE-2020-15120' (also known as 'PYSEC-2020-264', 'GHSA-67j9-c52g-w2q9')."
153
+ },
154
+ "rank": -1,
155
+ "relatedLocations": [],
156
+ "ruleId": "CVE-2020-15120",
157
+ "ruleIndex": 3,
158
+ "stacks": [],
159
+ "taxa": []
160
+ },
161
+ {
162
+ "attachments": [],
163
+ "codeFlows": [],
164
+ "fixes": [],
165
+ "graphTraversals": [],
166
+ "graphs": [],
167
+ "kind": "fail",
168
+ "level": "warning",
169
+ "locations": [
170
+ {
171
+ "annotations": [],
172
+ "id": -1,
173
+ "logicalLocations": [],
174
+ "physicalLocation": {
175
+ "artifactLocation": {
176
+ "index": -1,
177
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
178
+ }
179
+ },
180
+ "relationships": []
181
+ }
182
+ ],
183
+ "message": {
184
+ "arguments": [],
185
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2024-6839' (also known as 'GHSA-7rxf-gvfg-47g4')."
186
+ },
187
+ "rank": -1,
188
+ "relatedLocations": [],
189
+ "ruleId": "CVE-2024-6839",
190
+ "ruleIndex": 4,
191
+ "stacks": [],
192
+ "taxa": []
193
+ },
194
+ {
195
+ "attachments": [],
196
+ "codeFlows": [],
197
+ "fixes": [],
198
+ "graphTraversals": [],
199
+ "graphs": [],
200
+ "kind": "fail",
201
+ "level": "warning",
202
+ "locations": [
203
+ {
204
+ "annotations": [],
205
+ "id": -1,
206
+ "logicalLocations": [],
207
+ "physicalLocation": {
208
+ "artifactLocation": {
209
+ "index": -1,
210
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
211
+ }
212
+ },
213
+ "relationships": []
214
+ }
215
+ ],
216
+ "message": {
217
+ "arguments": [],
218
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2024-1681' (also known as 'GHSA-84pr-m4jr-85g5')."
219
+ },
220
+ "rank": -1,
221
+ "relatedLocations": [],
222
+ "ruleId": "CVE-2024-1681",
223
+ "ruleIndex": 5,
224
+ "stacks": [],
225
+ "taxa": []
226
+ },
227
+ {
228
+ "attachments": [],
229
+ "codeFlows": [],
230
+ "fixes": [],
231
+ "graphTraversals": [],
232
+ "graphs": [],
233
+ "kind": "fail",
234
+ "level": "warning",
235
+ "locations": [
236
+ {
237
+ "annotations": [],
238
+ "id": -1,
239
+ "logicalLocations": [],
240
+ "physicalLocation": {
241
+ "artifactLocation": {
242
+ "index": -1,
243
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
244
+ }
245
+ },
246
+ "relationships": []
247
+ }
248
+ ],
249
+ "message": {
250
+ "arguments": [],
251
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2024-6844' (also known as 'GHSA-8vgw-p6qm-5gr7')."
252
+ },
253
+ "rank": -1,
254
+ "relatedLocations": [],
255
+ "ruleId": "CVE-2024-6844",
256
+ "ruleIndex": 6,
257
+ "stacks": [],
258
+ "taxa": []
259
+ },
260
+ {
261
+ "attachments": [],
262
+ "codeFlows": [],
263
+ "fixes": [],
264
+ "graphTraversals": [],
265
+ "graphs": [],
266
+ "kind": "fail",
267
+ "level": "warning",
268
+ "locations": [
269
+ {
270
+ "annotations": [],
271
+ "id": -1,
272
+ "logicalLocations": [],
273
+ "physicalLocation": {
274
+ "artifactLocation": {
275
+ "index": -1,
276
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
277
+ }
278
+ },
279
+ "relationships": []
280
+ }
281
+ ],
282
+ "message": {
283
+ "arguments": [],
284
+ "text": "Package 'jinja2@2.10.1' is vulnerable to 'CVE-2025-27516' (also known as 'GHSA-cpwx-vrp4-4pq7')."
285
+ },
286
+ "rank": -1,
287
+ "relatedLocations": [],
288
+ "ruleId": "CVE-2025-27516",
289
+ "ruleIndex": 7,
290
+ "stacks": [],
291
+ "taxa": []
292
+ },
293
+ {
294
+ "attachments": [],
295
+ "codeFlows": [],
296
+ "fixes": [],
297
+ "graphTraversals": [],
298
+ "graphs": [],
299
+ "kind": "fail",
300
+ "level": "warning",
301
+ "locations": [
302
+ {
303
+ "annotations": [],
304
+ "id": -1,
305
+ "logicalLocations": [],
306
+ "physicalLocation": {
307
+ "artifactLocation": {
308
+ "index": -1,
309
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
310
+ }
311
+ },
312
+ "relationships": []
313
+ }
314
+ ],
315
+ "message": {
316
+ "arguments": [],
317
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2024-49766' (also known as 'GHSA-f9vj-2wh5-fj8j')."
318
+ },
319
+ "rank": -1,
320
+ "relatedLocations": [],
321
+ "ruleId": "CVE-2024-49766",
322
+ "ruleIndex": 8,
323
+ "stacks": [],
324
+ "taxa": []
325
+ },
326
+ {
327
+ "attachments": [],
328
+ "codeFlows": [],
329
+ "fixes": [],
330
+ "graphTraversals": [],
331
+ "graphs": [],
332
+ "kind": "fail",
333
+ "level": "warning",
334
+ "locations": [
335
+ {
336
+ "annotations": [],
337
+ "id": -1,
338
+ "logicalLocations": [],
339
+ "physicalLocation": {
340
+ "artifactLocation": {
341
+ "index": -1,
342
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
343
+ }
344
+ },
345
+ "relationships": []
346
+ }
347
+ ],
348
+ "message": {
349
+ "arguments": [],
350
+ "text": "Package 'jinja2@2.10.1' is vulnerable to 'CVE-2020-28493' (also known as 'PYSEC-2021-66', 'SNYK-PYTHON-JINJA2-1012994', 'GHSA-g3rq-g295-4j3m')."
351
+ },
352
+ "rank": -1,
353
+ "relatedLocations": [],
354
+ "ruleId": "CVE-2020-28493",
355
+ "ruleIndex": 9,
356
+ "stacks": [],
357
+ "taxa": []
358
+ },
359
+ {
360
+ "attachments": [],
361
+ "codeFlows": [],
362
+ "fixes": [],
363
+ "graphTraversals": [],
364
+ "graphs": [],
365
+ "kind": "fail",
366
+ "level": "warning",
367
+ "locations": [
368
+ {
369
+ "annotations": [],
370
+ "id": -1,
371
+ "logicalLocations": [],
372
+ "physicalLocation": {
373
+ "artifactLocation": {
374
+ "index": -1,
375
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
376
+ }
377
+ },
378
+ "relationships": []
379
+ }
380
+ ],
381
+ "message": {
382
+ "arguments": [],
383
+ "text": "Package 'babel@2.8.0' is vulnerable to 'CVE-2021-42771' (also known as 'PYSEC-2021-421', 'GHSA-h4m5-qpfp-3mpv')."
384
+ },
385
+ "rank": -1,
386
+ "relatedLocations": [],
387
+ "ruleId": "CVE-2021-42771",
388
+ "ruleIndex": 10,
389
+ "stacks": [],
390
+ "taxa": []
391
+ },
392
+ {
393
+ "attachments": [],
394
+ "codeFlows": [],
395
+ "fixes": [],
396
+ "graphTraversals": [],
397
+ "graphs": [],
398
+ "kind": "fail",
399
+ "level": "warning",
400
+ "locations": [
401
+ {
402
+ "annotations": [],
403
+ "id": -1,
404
+ "logicalLocations": [],
405
+ "physicalLocation": {
406
+ "artifactLocation": {
407
+ "index": -1,
408
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
409
+ }
410
+ },
411
+ "relationships": []
412
+ }
413
+ ],
414
+ "message": {
415
+ "arguments": [],
416
+ "text": "Package 'jinja2@2.10.1' is vulnerable to 'CVE-2024-22195' (also known as 'GHSA-h5c8-rqwp-cp95')."
417
+ },
418
+ "rank": -1,
419
+ "relatedLocations": [],
420
+ "ruleId": "CVE-2024-22195",
421
+ "ruleIndex": 11,
422
+ "stacks": [],
423
+ "taxa": []
424
+ },
425
+ {
426
+ "attachments": [],
427
+ "codeFlows": [],
428
+ "fixes": [],
429
+ "graphTraversals": [],
430
+ "graphs": [],
431
+ "kind": "fail",
432
+ "level": "warning",
433
+ "locations": [
434
+ {
435
+ "annotations": [],
436
+ "id": -1,
437
+ "logicalLocations": [],
438
+ "physicalLocation": {
439
+ "artifactLocation": {
440
+ "index": -1,
441
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
442
+ }
443
+ },
444
+ "relationships": []
445
+ }
446
+ ],
447
+ "message": {
448
+ "arguments": [],
449
+ "text": "Package 'jinja2@2.10.1' is vulnerable to 'CVE-2024-34064' (also known as 'CGA-g5xx-83xq-8g5j', 'GHSA-h75v-3vvj-5mfj')."
450
+ },
451
+ "rank": -1,
452
+ "relatedLocations": [],
453
+ "ruleId": "CVE-2024-34064",
454
+ "ruleIndex": 12,
455
+ "stacks": [],
456
+ "taxa": []
457
+ },
458
+ {
459
+ "attachments": [],
460
+ "codeFlows": [],
461
+ "fixes": [],
462
+ "graphTraversals": [],
463
+ "graphs": [],
464
+ "kind": "fail",
465
+ "level": "warning",
466
+ "locations": [
467
+ {
468
+ "annotations": [],
469
+ "id": -1,
470
+ "logicalLocations": [],
471
+ "physicalLocation": {
472
+ "artifactLocation": {
473
+ "index": -1,
474
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
475
+ }
476
+ },
477
+ "relationships": []
478
+ }
479
+ ],
480
+ "message": {
481
+ "arguments": [],
482
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2023-46136' (also known as 'PYSEC-2023-221', 'GHSA-hrfv-mqp8-q5rw')."
483
+ },
484
+ "rank": -1,
485
+ "relatedLocations": [],
486
+ "ruleId": "CVE-2023-46136",
487
+ "ruleIndex": 13,
488
+ "stacks": [],
489
+ "taxa": []
490
+ },
491
+ {
492
+ "attachments": [],
493
+ "codeFlows": [],
494
+ "fixes": [],
495
+ "graphTraversals": [],
496
+ "graphs": [],
497
+ "kind": "fail",
498
+ "level": "warning",
499
+ "locations": [
500
+ {
501
+ "annotations": [],
502
+ "id": -1,
503
+ "logicalLocations": [],
504
+ "physicalLocation": {
505
+ "artifactLocation": {
506
+ "index": -1,
507
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
508
+ }
509
+ },
510
+ "relationships": []
511
+ }
512
+ ],
513
+ "message": {
514
+ "arguments": [],
515
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2024-6221' (also known as 'PYSEC-2024-71', 'GHSA-hxwh-jpp2-84pm')."
516
+ },
517
+ "rank": -1,
518
+ "relatedLocations": [],
519
+ "ruleId": "CVE-2024-6221",
520
+ "ruleIndex": 14,
521
+ "stacks": [],
522
+ "taxa": []
523
+ },
524
+ {
525
+ "attachments": [],
526
+ "codeFlows": [],
527
+ "fixes": [],
528
+ "graphTraversals": [],
529
+ "graphs": [],
530
+ "kind": "fail",
531
+ "level": "warning",
532
+ "locations": [
533
+ {
534
+ "annotations": [],
535
+ "id": -1,
536
+ "logicalLocations": [],
537
+ "physicalLocation": {
538
+ "artifactLocation": {
539
+ "index": -1,
540
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
541
+ }
542
+ },
543
+ "relationships": []
544
+ }
545
+ ],
546
+ "message": {
547
+ "arguments": [],
548
+ "text": "Package 'idna@2.10' is vulnerable to 'CVE-2024-3651' (also known as 'PYSEC-2024-60', 'GHSA-jjg7-2v4v-x38h')."
549
+ },
550
+ "rank": -1,
551
+ "relatedLocations": [],
552
+ "ruleId": "CVE-2024-3651",
553
+ "ruleIndex": 15,
554
+ "stacks": [],
555
+ "taxa": []
556
+ },
557
+ {
558
+ "attachments": [],
559
+ "codeFlows": [],
560
+ "fixes": [],
561
+ "graphTraversals": [],
562
+ "graphs": [],
563
+ "kind": "fail",
564
+ "level": "warning",
565
+ "locations": [
566
+ {
567
+ "annotations": [],
568
+ "id": -1,
569
+ "logicalLocations": [],
570
+ "physicalLocation": {
571
+ "artifactLocation": {
572
+ "index": -1,
573
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
574
+ }
575
+ },
576
+ "relationships": []
577
+ }
578
+ ],
579
+ "message": {
580
+ "arguments": [],
581
+ "text": "Package 'flask@1.1.1' is vulnerable to 'CVE-2023-30861' (also known as 'PYSEC-2023-62', 'GHSA-m2qf-hxjv-5gpq')."
582
+ },
583
+ "rank": -1,
584
+ "relatedLocations": [],
585
+ "ruleId": "CVE-2023-30861",
586
+ "ruleIndex": 16,
587
+ "stacks": [],
588
+ "taxa": []
589
+ },
590
+ {
591
+ "attachments": [],
592
+ "codeFlows": [],
593
+ "fixes": [],
594
+ "graphTraversals": [],
595
+ "graphs": [],
596
+ "kind": "fail",
597
+ "level": "warning",
598
+ "locations": [
599
+ {
600
+ "annotations": [],
601
+ "id": -1,
602
+ "logicalLocations": [],
603
+ "physicalLocation": {
604
+ "artifactLocation": {
605
+ "index": -1,
606
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
607
+ }
608
+ },
609
+ "relationships": []
610
+ }
611
+ ],
612
+ "message": {
613
+ "arguments": [],
614
+ "text": "Package 'fastecdsa@2.1.3' is vulnerable to 'CVE-2024-21502' (also known as 'PYSEC-2024-39', 'GHSA-ph86-g9r3-5qw4')."
615
+ },
616
+ "rank": -1,
617
+ "relatedLocations": [],
618
+ "ruleId": "CVE-2024-21502",
619
+ "ruleIndex": 17,
620
+ "stacks": [],
621
+ "taxa": []
622
+ },
623
+ {
624
+ "attachments": [],
625
+ "codeFlows": [],
626
+ "fixes": [],
627
+ "graphTraversals": [],
628
+ "graphs": [],
629
+ "kind": "fail",
630
+ "level": "warning",
631
+ "locations": [
632
+ {
633
+ "annotations": [],
634
+ "id": -1,
635
+ "logicalLocations": [],
636
+ "physicalLocation": {
637
+ "artifactLocation": {
638
+ "index": -1,
639
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
640
+ }
641
+ },
642
+ "relationships": []
643
+ }
644
+ ],
645
+ "message": {
646
+ "arguments": [],
647
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2023-23934' (also known as 'PYSEC-2023-57', 'GHSA-px8h-6qxv-m22q')."
648
+ },
649
+ "rank": -1,
650
+ "relatedLocations": [],
651
+ "ruleId": "CVE-2023-23934",
652
+ "ruleIndex": 18,
653
+ "stacks": [],
654
+ "taxa": []
655
+ },
656
+ {
657
+ "attachments": [],
658
+ "codeFlows": [],
659
+ "fixes": [],
660
+ "graphTraversals": [],
661
+ "graphs": [],
662
+ "kind": "fail",
663
+ "level": "warning",
664
+ "locations": [
665
+ {
666
+ "annotations": [],
667
+ "id": -1,
668
+ "logicalLocations": [],
669
+ "physicalLocation": {
670
+ "artifactLocation": {
671
+ "index": -1,
672
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
673
+ }
674
+ },
675
+ "relationships": []
676
+ }
677
+ ],
678
+ "message": {
679
+ "arguments": [],
680
+ "text": "Package 'jinja2@2.10.1' is vulnerable to 'CVE-2024-56326' (also known as 'GHSA-q2x7-8rv6-6q7h')."
681
+ },
682
+ "rank": -1,
683
+ "relatedLocations": [],
684
+ "ruleId": "CVE-2024-56326",
685
+ "ruleIndex": 19,
686
+ "stacks": [],
687
+ "taxa": []
688
+ },
689
+ {
690
+ "attachments": [],
691
+ "codeFlows": [],
692
+ "fixes": [],
693
+ "graphTraversals": [],
694
+ "graphs": [],
695
+ "kind": "fail",
696
+ "level": "warning",
697
+ "locations": [
698
+ {
699
+ "annotations": [],
700
+ "id": -1,
701
+ "logicalLocations": [],
702
+ "physicalLocation": {
703
+ "artifactLocation": {
704
+ "index": -1,
705
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
706
+ }
707
+ },
708
+ "relationships": []
709
+ }
710
+ ],
711
+ "message": {
712
+ "arguments": [],
713
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2024-49767' (also known as 'GHSA-q34m-jh98-gwm2')."
714
+ },
715
+ "rank": -1,
716
+ "relatedLocations": [],
717
+ "ruleId": "CVE-2024-49767",
718
+ "ruleIndex": 20,
719
+ "stacks": [],
720
+ "taxa": []
721
+ },
722
+ {
723
+ "attachments": [],
724
+ "codeFlows": [],
725
+ "fixes": [],
726
+ "graphTraversals": [],
727
+ "graphs": [],
728
+ "kind": "fail",
729
+ "level": "warning",
730
+ "locations": [
731
+ {
732
+ "annotations": [],
733
+ "id": -1,
734
+ "logicalLocations": [],
735
+ "physicalLocation": {
736
+ "artifactLocation": {
737
+ "index": -1,
738
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
739
+ }
740
+ },
741
+ "relationships": []
742
+ }
743
+ ],
744
+ "message": {
745
+ "arguments": [],
746
+ "text": "Package 'mako@1.1.3' is vulnerable to 'CVE-2022-40023' (also known as 'PYSEC-2022-260', 'GHSA-v973-fxgf-6xhp')."
747
+ },
748
+ "rank": -1,
749
+ "relatedLocations": [],
750
+ "ruleId": "CVE-2022-40023",
751
+ "ruleIndex": 21,
752
+ "stacks": [],
753
+ "taxa": []
754
+ },
755
+ {
756
+ "attachments": [],
757
+ "codeFlows": [],
758
+ "fixes": [],
759
+ "graphTraversals": [],
760
+ "graphs": [],
761
+ "kind": "fail",
762
+ "level": "warning",
763
+ "locations": [
764
+ {
765
+ "annotations": [],
766
+ "id": -1,
767
+ "logicalLocations": [],
768
+ "physicalLocation": {
769
+ "artifactLocation": {
770
+ "index": -1,
771
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
772
+ }
773
+ },
774
+ "relationships": []
775
+ }
776
+ ],
777
+ "message": {
778
+ "arguments": [],
779
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2020-25032' (also known as 'PYSEC-2020-43', 'GHSA-xc3p-ff3m-f46v')."
780
+ },
781
+ "rank": -1,
782
+ "relatedLocations": [],
783
+ "ruleId": "CVE-2020-25032",
784
+ "ruleIndex": 22,
785
+ "stacks": [],
786
+ "taxa": []
787
+ },
788
+ {
789
+ "attachments": [],
790
+ "codeFlows": [],
791
+ "fixes": [],
792
+ "graphTraversals": [],
793
+ "graphs": [],
794
+ "kind": "fail",
795
+ "level": "warning",
796
+ "locations": [
797
+ {
798
+ "annotations": [],
799
+ "id": -1,
800
+ "logicalLocations": [],
801
+ "physicalLocation": {
802
+ "artifactLocation": {
803
+ "index": -1,
804
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
805
+ }
806
+ },
807
+ "relationships": []
808
+ }
809
+ ],
810
+ "message": {
811
+ "arguments": [],
812
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2023-25577' (also known as 'PYSEC-2023-58', 'GHSA-xg9f-g7g7-2323')."
813
+ },
814
+ "rank": -1,
815
+ "relatedLocations": [],
816
+ "ruleId": "CVE-2023-25577",
817
+ "ruleIndex": 23,
818
+ "stacks": [],
819
+ "taxa": []
820
+ },
821
+ {
822
+ "attachments": [],
823
+ "codeFlows": [],
824
+ "fixes": [],
825
+ "graphTraversals": [],
826
+ "graphs": [],
827
+ "kind": "fail",
828
+ "level": "warning",
829
+ "locations": [
830
+ {
831
+ "annotations": [],
832
+ "id": -1,
833
+ "logicalLocations": [],
834
+ "physicalLocation": {
835
+ "artifactLocation": {
836
+ "index": -1,
837
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
838
+ }
839
+ },
840
+ "relationships": []
841
+ }
842
+ ],
843
+ "message": {
844
+ "arguments": [],
845
+ "text": "Package 'ihatemoney@4.1.4' is vulnerable to 'CVE-2020-15120' (also known as 'PYSEC-2020-264', 'GHSA-67j9-c52g-w2q9')."
846
+ },
847
+ "rank": -1,
848
+ "relatedLocations": [],
849
+ "ruleId": "CVE-2020-15120",
850
+ "ruleIndex": 3,
851
+ "stacks": [],
852
+ "taxa": []
853
+ },
854
+ {
855
+ "attachments": [],
856
+ "codeFlows": [],
857
+ "fixes": [],
858
+ "graphTraversals": [],
859
+ "graphs": [],
860
+ "kind": "fail",
861
+ "level": "warning",
862
+ "locations": [
863
+ {
864
+ "annotations": [],
865
+ "id": -1,
866
+ "logicalLocations": [],
867
+ "physicalLocation": {
868
+ "artifactLocation": {
869
+ "index": -1,
870
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
871
+ }
872
+ },
873
+ "relationships": []
874
+ }
875
+ ],
876
+ "message": {
877
+ "arguments": [],
878
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2020-25032' (also known as 'PYSEC-2020-43', 'GHSA-xc3p-ff3m-f46v')."
879
+ },
880
+ "rank": -1,
881
+ "relatedLocations": [],
882
+ "ruleId": "CVE-2020-25032",
883
+ "ruleIndex": 22,
884
+ "stacks": [],
885
+ "taxa": []
886
+ },
887
+ {
888
+ "attachments": [],
889
+ "codeFlows": [],
890
+ "fixes": [],
891
+ "graphTraversals": [],
892
+ "graphs": [],
893
+ "kind": "fail",
894
+ "level": "warning",
895
+ "locations": [
896
+ {
897
+ "annotations": [],
898
+ "id": -1,
899
+ "logicalLocations": [],
900
+ "physicalLocation": {
901
+ "artifactLocation": {
902
+ "index": -1,
903
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
904
+ }
905
+ },
906
+ "relationships": []
907
+ }
908
+ ],
909
+ "message": {
910
+ "arguments": [],
911
+ "text": "Package 'babel@2.8.0' is vulnerable to 'CVE-2021-42771' (also known as 'PYSEC-2021-421', 'GHSA-h4m5-qpfp-3mpv')."
912
+ },
913
+ "rank": -1,
914
+ "relatedLocations": [],
915
+ "ruleId": "CVE-2021-42771",
916
+ "ruleIndex": 10,
917
+ "stacks": [],
918
+ "taxa": []
919
+ },
920
+ {
921
+ "attachments": [],
922
+ "codeFlows": [],
923
+ "fixes": [],
924
+ "graphTraversals": [],
925
+ "graphs": [],
926
+ "kind": "fail",
927
+ "level": "warning",
928
+ "locations": [
929
+ {
930
+ "annotations": [],
931
+ "id": -1,
932
+ "logicalLocations": [],
933
+ "physicalLocation": {
934
+ "artifactLocation": {
935
+ "index": -1,
936
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
937
+ }
938
+ },
939
+ "relationships": []
940
+ }
941
+ ],
942
+ "message": {
943
+ "arguments": [],
944
+ "text": "Package 'jinja2@2.10.1' is vulnerable to 'CVE-2020-28493' (also known as 'PYSEC-2021-66', 'SNYK-PYTHON-JINJA2-1012994', 'GHSA-g3rq-g295-4j3m')."
945
+ },
946
+ "rank": -1,
947
+ "relatedLocations": [],
948
+ "ruleId": "CVE-2020-28493",
949
+ "ruleIndex": 9,
950
+ "stacks": [],
951
+ "taxa": []
952
+ },
953
+ {
954
+ "attachments": [],
955
+ "codeFlows": [],
956
+ "fixes": [],
957
+ "graphTraversals": [],
958
+ "graphs": [],
959
+ "kind": "fail",
960
+ "level": "warning",
961
+ "locations": [
962
+ {
963
+ "annotations": [],
964
+ "id": -1,
965
+ "logicalLocations": [],
966
+ "physicalLocation": {
967
+ "artifactLocation": {
968
+ "index": -1,
969
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
970
+ }
971
+ },
972
+ "relationships": []
973
+ }
974
+ ],
975
+ "message": {
976
+ "arguments": [],
977
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2022-29361' (also known as 'PYSEC-2022-203')."
978
+ },
979
+ "rank": -1,
980
+ "relatedLocations": [],
981
+ "ruleId": "CVE-2022-29361",
982
+ "ruleIndex": 24,
983
+ "stacks": [],
984
+ "taxa": []
985
+ },
986
+ {
987
+ "attachments": [],
988
+ "codeFlows": [],
989
+ "fixes": [],
990
+ "graphTraversals": [],
991
+ "graphs": [],
992
+ "kind": "fail",
993
+ "level": "warning",
994
+ "locations": [
995
+ {
996
+ "annotations": [],
997
+ "id": -1,
998
+ "logicalLocations": [],
999
+ "physicalLocation": {
1000
+ "artifactLocation": {
1001
+ "index": -1,
1002
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1003
+ }
1004
+ },
1005
+ "relationships": []
1006
+ }
1007
+ ],
1008
+ "message": {
1009
+ "arguments": [],
1010
+ "text": "Package 'mako@1.1.3' is vulnerable to 'CVE-2022-40023' (also known as 'PYSEC-2022-260', 'GHSA-v973-fxgf-6xhp')."
1011
+ },
1012
+ "rank": -1,
1013
+ "relatedLocations": [],
1014
+ "ruleId": "CVE-2022-40023",
1015
+ "ruleIndex": 21,
1016
+ "stacks": [],
1017
+ "taxa": []
1018
+ },
1019
+ {
1020
+ "attachments": [],
1021
+ "codeFlows": [],
1022
+ "fixes": [],
1023
+ "graphTraversals": [],
1024
+ "graphs": [],
1025
+ "kind": "fail",
1026
+ "level": "warning",
1027
+ "locations": [
1028
+ {
1029
+ "annotations": [],
1030
+ "id": -1,
1031
+ "logicalLocations": [],
1032
+ "physicalLocation": {
1033
+ "artifactLocation": {
1034
+ "index": -1,
1035
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1036
+ }
1037
+ },
1038
+ "relationships": []
1039
+ }
1040
+ ],
1041
+ "message": {
1042
+ "arguments": [],
1043
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2023-46136' (also known as 'PYSEC-2023-221', 'GHSA-hrfv-mqp8-q5rw')."
1044
+ },
1045
+ "rank": -1,
1046
+ "relatedLocations": [],
1047
+ "ruleId": "CVE-2023-46136",
1048
+ "ruleIndex": 13,
1049
+ "stacks": [],
1050
+ "taxa": []
1051
+ },
1052
+ {
1053
+ "attachments": [],
1054
+ "codeFlows": [],
1055
+ "fixes": [],
1056
+ "graphTraversals": [],
1057
+ "graphs": [],
1058
+ "kind": "fail",
1059
+ "level": "warning",
1060
+ "locations": [
1061
+ {
1062
+ "annotations": [],
1063
+ "id": -1,
1064
+ "logicalLocations": [],
1065
+ "physicalLocation": {
1066
+ "artifactLocation": {
1067
+ "index": -1,
1068
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1069
+ }
1070
+ },
1071
+ "relationships": []
1072
+ }
1073
+ ],
1074
+ "message": {
1075
+ "arguments": [],
1076
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2023-23934' (also known as 'PYSEC-2023-57', 'GHSA-px8h-6qxv-m22q')."
1077
+ },
1078
+ "rank": -1,
1079
+ "relatedLocations": [],
1080
+ "ruleId": "CVE-2023-23934",
1081
+ "ruleIndex": 18,
1082
+ "stacks": [],
1083
+ "taxa": []
1084
+ },
1085
+ {
1086
+ "attachments": [],
1087
+ "codeFlows": [],
1088
+ "fixes": [],
1089
+ "graphTraversals": [],
1090
+ "graphs": [],
1091
+ "kind": "fail",
1092
+ "level": "warning",
1093
+ "locations": [
1094
+ {
1095
+ "annotations": [],
1096
+ "id": -1,
1097
+ "logicalLocations": [],
1098
+ "physicalLocation": {
1099
+ "artifactLocation": {
1100
+ "index": -1,
1101
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1102
+ }
1103
+ },
1104
+ "relationships": []
1105
+ }
1106
+ ],
1107
+ "message": {
1108
+ "arguments": [],
1109
+ "text": "Package 'werkzeug@0.16.1' is vulnerable to 'CVE-2023-25577' (also known as 'PYSEC-2023-58', 'GHSA-xg9f-g7g7-2323')."
1110
+ },
1111
+ "rank": -1,
1112
+ "relatedLocations": [],
1113
+ "ruleId": "CVE-2023-25577",
1114
+ "ruleIndex": 23,
1115
+ "stacks": [],
1116
+ "taxa": []
1117
+ },
1118
+ {
1119
+ "attachments": [],
1120
+ "codeFlows": [],
1121
+ "fixes": [],
1122
+ "graphTraversals": [],
1123
+ "graphs": [],
1124
+ "kind": "fail",
1125
+ "level": "warning",
1126
+ "locations": [
1127
+ {
1128
+ "annotations": [],
1129
+ "id": -1,
1130
+ "logicalLocations": [],
1131
+ "physicalLocation": {
1132
+ "artifactLocation": {
1133
+ "index": -1,
1134
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1135
+ }
1136
+ },
1137
+ "relationships": []
1138
+ }
1139
+ ],
1140
+ "message": {
1141
+ "arguments": [],
1142
+ "text": "Package 'flask@1.1.1' is vulnerable to 'CVE-2023-30861' (also known as 'PYSEC-2023-62', 'GHSA-m2qf-hxjv-5gpq')."
1143
+ },
1144
+ "rank": -1,
1145
+ "relatedLocations": [],
1146
+ "ruleId": "CVE-2023-30861",
1147
+ "ruleIndex": 16,
1148
+ "stacks": [],
1149
+ "taxa": []
1150
+ },
1151
+ {
1152
+ "attachments": [],
1153
+ "codeFlows": [],
1154
+ "fixes": [],
1155
+ "graphTraversals": [],
1156
+ "graphs": [],
1157
+ "kind": "fail",
1158
+ "level": "warning",
1159
+ "locations": [
1160
+ {
1161
+ "annotations": [],
1162
+ "id": -1,
1163
+ "logicalLocations": [],
1164
+ "physicalLocation": {
1165
+ "artifactLocation": {
1166
+ "index": -1,
1167
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1168
+ }
1169
+ },
1170
+ "relationships": []
1171
+ }
1172
+ ],
1173
+ "message": {
1174
+ "arguments": [],
1175
+ "text": "Package 'fastecdsa@2.1.3' is vulnerable to 'CVE-2024-21502' (also known as 'PYSEC-2024-39', 'GHSA-ph86-g9r3-5qw4')."
1176
+ },
1177
+ "rank": -1,
1178
+ "relatedLocations": [],
1179
+ "ruleId": "CVE-2024-21502",
1180
+ "ruleIndex": 17,
1181
+ "stacks": [],
1182
+ "taxa": []
1183
+ },
1184
+ {
1185
+ "attachments": [],
1186
+ "codeFlows": [],
1187
+ "fixes": [],
1188
+ "graphTraversals": [],
1189
+ "graphs": [],
1190
+ "kind": "fail",
1191
+ "level": "warning",
1192
+ "locations": [
1193
+ {
1194
+ "annotations": [],
1195
+ "id": -1,
1196
+ "logicalLocations": [],
1197
+ "physicalLocation": {
1198
+ "artifactLocation": {
1199
+ "index": -1,
1200
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1201
+ }
1202
+ },
1203
+ "relationships": []
1204
+ }
1205
+ ],
1206
+ "message": {
1207
+ "arguments": [],
1208
+ "text": "Package 'idna@2.10' is vulnerable to 'CVE-2024-3651' (also known as 'PYSEC-2024-60', 'GHSA-jjg7-2v4v-x38h')."
1209
+ },
1210
+ "rank": -1,
1211
+ "relatedLocations": [],
1212
+ "ruleId": "CVE-2024-3651",
1213
+ "ruleIndex": 15,
1214
+ "stacks": [],
1215
+ "taxa": []
1216
+ },
1217
+ {
1218
+ "attachments": [],
1219
+ "codeFlows": [],
1220
+ "fixes": [],
1221
+ "graphTraversals": [],
1222
+ "graphs": [],
1223
+ "kind": "fail",
1224
+ "level": "warning",
1225
+ "locations": [
1226
+ {
1227
+ "annotations": [],
1228
+ "id": -1,
1229
+ "logicalLocations": [],
1230
+ "physicalLocation": {
1231
+ "artifactLocation": {
1232
+ "index": -1,
1233
+ "uri": "file:///Users/john.doe/projects/python/poetry/poetry.lock"
1234
+ }
1235
+ },
1236
+ "relationships": []
1237
+ }
1238
+ ],
1239
+ "message": {
1240
+ "arguments": [],
1241
+ "text": "Package 'flask-cors@3.0.8' is vulnerable to 'CVE-2024-6221' (also known as 'PYSEC-2024-71', 'GHSA-hxwh-jpp2-84pm')."
1242
+ },
1243
+ "rank": -1,
1244
+ "relatedLocations": [],
1245
+ "ruleId": "CVE-2024-6221",
1246
+ "ruleIndex": 14,
1247
+ "stacks": [],
1248
+ "taxa": []
1249
+ }
1250
+ ],
1251
+ "runAggregates": [],
1252
+ "taxonomies": [],
1253
+ "threadFlowLocations": [],
1254
+ "tool": {
1255
+ "driver": {
1256
+ "contents": [
1257
+ "localizedData",
1258
+ "nonLocalizedData"
1259
+ ],
1260
+ "informationUri": "https://github.com/google/osv-scanner",
1261
+ "isComprehensive": false,
1262
+ "language": "en-US",
1263
+ "locations": [],
1264
+ "name": "osv-scanner",
1265
+ "notifications": [],
1266
+ "rules": [
1267
+ {
1268
+ "deprecatedIds": [
1269
+ "CVE-2024-34069",
1270
+ "CGA-4f6v-wx38-68gq",
1271
+ "GHSA-2g68-c3qc-8985"
1272
+ ],
1273
+ "fullDescription": {
1274
+ "markdown": "The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.",
1275
+ "text": "The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger."
1276
+ },
1277
+ "help": {
1278
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-34069](https://osv.dev/CVE-2024-34069)**.\n\n## [GHSA-2g68-c3qc-8985](https://osv.dev/GHSA-2g68-c3qc-8985)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-2g68-c3qc-8985 | werkzeug | 3.0.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34069\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1279
+ "text": "**Your dependency is vulnerable to [CVE-2024-34069](https://osv.dev/CVE-2024-34069)**.\n\n## [GHSA-2g68-c3qc-8985](https://osv.dev/GHSA-2g68-c3qc-8985)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-2g68-c3qc-8985 | werkzeug | 3.0.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34069\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1280
+ },
1281
+ "id": "CVE-2024-34069",
1282
+ "name": "CVE-2024-34069",
1283
+ "properties": {
1284
+ "security-severity": "7.5"
1285
+ },
1286
+ "relationships": [],
1287
+ "shortDescription": {
1288
+ "markdown": "CVE-2024-34069: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain",
1289
+ "text": "CVE-2024-34069: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain"
1290
+ }
1291
+ },
1292
+ {
1293
+ "deprecatedIds": [
1294
+ "CVE-2023-29483",
1295
+ "GHSA-3rq5-2g8h-59hc"
1296
+ ],
1297
+ "fullDescription": {
1298
+ "markdown": "eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.",
1299
+ "text": "eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1."
1300
+ },
1301
+ "help": {
1302
+ "markdown": "**Your dependency is vulnerable to [CVE-2023-29483](https://osv.dev/CVE-2023-29483)**.\n\n## [GHSA-3rq5-2g8h-59hc](https://osv.dev/GHSA-3rq5-2g8h-59hc)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | dnspython | 2.0.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3rq5-2g8h-59hc | eventlet | 0.35.2 |\n| GHSA-3rq5-2g8h-59hc | dnspython | 2.6.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-29483\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1303
+ "text": "**Your dependency is vulnerable to [CVE-2023-29483](https://osv.dev/CVE-2023-29483)**.\n\n## [GHSA-3rq5-2g8h-59hc](https://osv.dev/GHSA-3rq5-2g8h-59hc)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | dnspython | 2.0.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3rq5-2g8h-59hc | eventlet | 0.35.2 |\n| GHSA-3rq5-2g8h-59hc | dnspython | 2.6.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-29483\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1304
+ },
1305
+ "id": "CVE-2023-29483",
1306
+ "name": "CVE-2023-29483",
1307
+ "properties": {
1308
+ "security-severity": "5.9"
1309
+ },
1310
+ "relationships": [],
1311
+ "shortDescription": {
1312
+ "markdown": "CVE-2023-29483: Potential DoS via the Tudoor mechanism in eventlet and dnspython",
1313
+ "text": "CVE-2023-29483: Potential DoS via the Tudoor mechanism in eventlet and dnspython"
1314
+ }
1315
+ },
1316
+ {
1317
+ "deprecatedIds": [
1318
+ "CVE-2024-6866",
1319
+ "GHSA-43qf-4rqw-9q2g"
1320
+ ],
1321
+ "fullDescription": {
1322
+ "markdown": "corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.",
1323
+ "text": "corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks."
1324
+ },
1325
+ "help": {
1326
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-6866](https://osv.dev/CVE-2024-6866)**.\n\n## [GHSA-43qf-4rqw-9q2g](https://osv.dev/GHSA-43qf-4rqw-9q2g)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-43qf-4rqw-9q2g | flask-cors | 6.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6866\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1327
+ "text": "**Your dependency is vulnerable to [CVE-2024-6866](https://osv.dev/CVE-2024-6866)**.\n\n## [GHSA-43qf-4rqw-9q2g](https://osv.dev/GHSA-43qf-4rqw-9q2g)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-43qf-4rqw-9q2g | flask-cors | 6.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6866\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1328
+ },
1329
+ "id": "CVE-2024-6866",
1330
+ "name": "CVE-2024-6866",
1331
+ "properties": {
1332
+ "security-severity": "5.3"
1333
+ },
1334
+ "relationships": [],
1335
+ "shortDescription": {
1336
+ "markdown": "CVE-2024-6866: Flask-CORS vulnerable to Improper Handling of Case Sensitivity",
1337
+ "text": "CVE-2024-6866: Flask-CORS vulnerable to Improper Handling of Case Sensitivity"
1338
+ }
1339
+ },
1340
+ {
1341
+ "deprecatedIds": [
1342
+ "CVE-2020-15120",
1343
+ "PYSEC-2020-264",
1344
+ "GHSA-67j9-c52g-w2q9"
1345
+ ],
1346
+ "fullDescription": {
1347
+ "markdown": "### Impact\nAn authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code.\n\nWith the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated.\n\n### Patches\n```diff\n ihatemoney/models.py | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)\n\ndiff --git a/ihatemoney/models.py b/ihatemoney/models.py\nindex fe7b519..5691c75 100644\n--- a/ihatemoney/models.py\n+++ b/ihatemoney/models.py\n@@ -380,7 +380,7 @@ class Person(db.Model):\n def get_by_name(self, name, project):\n return (\n Person.query.filter(Person.name == name)\n- .filter(Project.id == project.id)\n+ .filter(Person.project_id == project.id)\n .one()\n )\n \n@@ -389,7 +389,7 @@ class Person(db.Model):\n project = g.project\n return (\n Person.query.filter(Person.id == id)\n- .filter(Project.id == project.id)\n+ .filter(Person.project_id == project.id)\n .one()\n )\n \n```\n\n### Workarounds\n\nTo limit the impact, it is possible to disable public project creation by setting `ALLOW_PUBLIC_PROJECT_CREATION = False` in the configuration (see [documentation](https://ihatemoney.readthedocs.io/en/latest/configuration.html)). Existing users will still be able to exploit the flaw, but this will prevent an external attacker from creating a new project.\n\n### For more information\n\n`Person.query.get()` and `Person.query.get_by_name()` were mistakenly running a database join on the Project table without constraining the result.\n\nAs a result, `Person.query.get(42, \"projectfoo\")` would return the Person with id=42, even if it is not associated to the project \"projectfoo\". The only condition is that \"projectfoo\" must exist.\n\nThis flaw can be exploited in several places:\n\n1) API: PUT requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\n This allows an authenticated attacker to alter the state of a member (name, weight, activated) in any project. In addition, the altered member will no longer be associated with its original project but will be associated to the attacker project instead, breaking many features of IHateMoney. For instance, bills referencing the altered member will no longer be visible in the original project.\n\n This causes an additional information disclosure and loss of integrity on bills: the attacker will now be able to see, edit and delete bills belonging to the altered member, because IHateMoney now believes that these bills are associated to the attacker project through the altered member.\n\n For instance, assume that `Person(id=42)` is a member of project \"targetProject\", and that the attacker has access to another project \"attackerProject\" with the private code \"attackerPassword\". The attacker can modify `Person(id=42)` with this command:\n\n $ curl -X PUT -d \"name=Pwn3d\u0026activated=1\" --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\n The attacker can now see, edit and delete bills paid by `Person(id=42)` by simply browsing to http://$SERVER/attackerProject/\n\n2) Editing a member through the web interface at `/\u003cproject\u003e/members/\u003cpersonID\u003e/edit` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\n This is very similar to the PUT exploit. Reusing the same example, the attacker needs to login to its \"attackerProject\" project with the private code \"attackerPassword\". It can then alter the state of `Person(id=42)` by accessing the edit form at the following URL:\n\n http://$SERVER/attackerProject/members/42/edit\n\n Again, as a result of the alteration, the altered member will become associated to the project \"attackerProject\", resulting in the same information disclosure and loss of integrity on bills.\n\n3) API: DELETE requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will similarly allow to delete the member `\u003cpersonID\u003e` even if it belongs to a different project than `\u003cproject\u003e`.\n\n $ curl -X DELETE --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\n The impact is less serious than with PUT, because DELETE only deactivates a member (it does not really delete it).\n\nAll these exploits require authentication: an attacker needs to know a valid project name and its associated \"private code\". Once this requirement is fullfilled, the attacker can exploit this flaw to alter the state of members in any other project, without needing to know the target project name or its private code.\n\n`Person.query.get_by_name()` suffers from the same issue as `Person.query.get()`. It has an additional issue: if multiple Person objects with the same name exist (this is possible if they are associated to different projects), `get_by_name()` will crash with `MultipleResultsFound` because of the call to `one()`.\n\nHowever, since `Person.query.get_by_name()` is currently not used anywhere in IHateMoney, the bug affecting this function has no impact and is not exploitable.",
1348
+ "text": "### Impact\nAn authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code.\n\nWith the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated.\n\n### Patches\n```diff\n ihatemoney/models.py | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)\n\ndiff --git a/ihatemoney/models.py b/ihatemoney/models.py\nindex fe7b519..5691c75 100644\n--- a/ihatemoney/models.py\n+++ b/ihatemoney/models.py\n@@ -380,7 +380,7 @@ class Person(db.Model):\n def get_by_name(self, name, project):\n return (\n Person.query.filter(Person.name == name)\n- .filter(Project.id == project.id)\n+ .filter(Person.project_id == project.id)\n .one()\n )\n \n@@ -389,7 +389,7 @@ class Person(db.Model):\n project = g.project\n return (\n Person.query.filter(Person.id == id)\n- .filter(Project.id == project.id)\n+ .filter(Person.project_id == project.id)\n .one()\n )\n \n```\n\n### Workarounds\n\nTo limit the impact, it is possible to disable public project creation by setting `ALLOW_PUBLIC_PROJECT_CREATION = False` in the configuration (see [documentation](https://ihatemoney.readthedocs.io/en/latest/configuration.html)). Existing users will still be able to exploit the flaw, but this will prevent an external attacker from creating a new project.\n\n### For more information\n\n`Person.query.get()` and `Person.query.get_by_name()` were mistakenly running a database join on the Project table without constraining the result.\n\nAs a result, `Person.query.get(42, \"projectfoo\")` would return the Person with id=42, even if it is not associated to the project \"projectfoo\". The only condition is that \"projectfoo\" must exist.\n\nThis flaw can be exploited in several places:\n\n1) API: PUT requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\n This allows an authenticated attacker to alter the state of a member (name, weight, activated) in any project. In addition, the altered member will no longer be associated with its original project but will be associated to the attacker project instead, breaking many features of IHateMoney. For instance, bills referencing the altered member will no longer be visible in the original project.\n\n This causes an additional information disclosure and loss of integrity on bills: the attacker will now be able to see, edit and delete bills belonging to the altered member, because IHateMoney now believes that these bills are associated to the attacker project through the altered member.\n\n For instance, assume that `Person(id=42)` is a member of project \"targetProject\", and that the attacker has access to another project \"attackerProject\" with the private code \"attackerPassword\". The attacker can modify `Person(id=42)` with this command:\n\n $ curl -X PUT -d \"name=Pwn3d\u0026activated=1\" --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\n The attacker can now see, edit and delete bills paid by `Person(id=42)` by simply browsing to http://$SERVER/attackerProject/\n\n2) Editing a member through the web interface at `/\u003cproject\u003e/members/\u003cpersonID\u003e/edit` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\n This is very similar to the PUT exploit. Reusing the same example, the attacker needs to login to its \"attackerProject\" project with the private code \"attackerPassword\". It can then alter the state of `Person(id=42)` by accessing the edit form at the following URL:\n\n http://$SERVER/attackerProject/members/42/edit\n\n Again, as a result of the alteration, the altered member will become associated to the project \"attackerProject\", resulting in the same information disclosure and loss of integrity on bills.\n\n3) API: DELETE requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will similarly allow to delete the member `\u003cpersonID\u003e` even if it belongs to a different project than `\u003cproject\u003e`.\n\n $ curl -X DELETE --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\n The impact is less serious than with PUT, because DELETE only deactivates a member (it does not really delete it).\n\nAll these exploits require authentication: an attacker needs to know a valid project name and its associated \"private code\". Once this requirement is fullfilled, the attacker can exploit this flaw to alter the state of members in any other project, without needing to know the target project name or its private code.\n\n`Person.query.get_by_name()` suffers from the same issue as `Person.query.get()`. It has an additional issue: if multiple Person objects with the same name exist (this is possible if they are associated to different projects), `get_by_name()` will crash with `MultipleResultsFound` because of the call to `one()`.\n\nHowever, since `Person.query.get_by_name()` is currently not used anywhere in IHateMoney, the bug affecting this function has no impact and is not exploitable."
1349
+ },
1350
+ "help": {
1351
+ "markdown": "**Your dependency is vulnerable to [CVE-2020-15120](https://osv.dev/CVE-2020-15120)**\n(Also published as: [PYSEC-2020-264](https://osv.dev/PYSEC-2020-264), [GHSA-67j9-c52g-w2q9](https://osv.dev/GHSA-67j9-c52g-w2q9), ).\n\n## [PYSEC-2020-264](https://osv.dev/PYSEC-2020-264)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.\n\n\u003c/details\u003e\n\n## [GHSA-67j9-c52g-w2q9](https://osv.dev/GHSA-67j9-c52g-w2q9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Impact\n\u003e An authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code.\n\u003e \n\u003e With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated.\n\u003e \n\u003e ### Patches\n\u003e ```diff\n\u003e ihatemoney/models.py | 4 ++--\n\u003e 1 file changed, 2 insertions(+), 2 deletions(-)\n\u003e \n\u003e diff --git a/ihatemoney/models.py b/ihatemoney/models.py\n\u003e index fe7b519..5691c75 100644\n\u003e --- a/ihatemoney/models.py\n\u003e +++ b/ihatemoney/models.py\n\u003e @@ -380,7 +380,7 @@ class Person(db.Model):\n\u003e def get_by_name(self, name, project):\n\u003e return (\n\u003e Person.query.filter(Person.name == name)\n\u003e - .filter(Project.id == project.id)\n\u003e + .filter(Person.project_id == project.id)\n\u003e .one()\n\u003e )\n\u003e \n\u003e @@ -389,7 +389,7 @@ class Person(db.Model):\n\u003e project = g.project\n\u003e return (\n\u003e Person.query.filter(Person.id == id)\n\u003e - .filter(Project.id == project.id)\n\u003e + .filter(Person.project_id == project.id)\n\u003e .one()\n\u003e )\n\u003e \n\u003e ```\n\u003e \n\u003e ### Workarounds\n\u003e \n\u003e To limit the impact, it is possible to disable public project creation by setting `ALLOW_PUBLIC_PROJECT_CREATION = False` in the configuration (see [documentation](https://ihatemoney.readthedocs.io/en/latest/configuration.html)). Existing users will still be able to exploit the flaw, but this will prevent an external attacker from creating a new project.\n\u003e \n\u003e ### For more information\n\u003e \n\u003e `Person.query.get()` and `Person.query.get_by_name()` were mistakenly running a database join on the Project table without constraining the result.\n\u003e \n\u003e As a result, `Person.query.get(42, \"projectfoo\")` would return the Person with id=42, even if it is not associated to the project \"projectfoo\". The only condition is that \"projectfoo\" must exist.\n\u003e \n\u003e This flaw can be exploited in several places:\n\u003e \n\u003e 1) API: PUT requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\u003e \n\u003e This allows an authenticated attacker to alter the state of a member (name, weight, activated) in any project. In addition, the altered member will no longer be associated with its original project but will be associated to the attacker project instead, breaking many features of IHateMoney. For instance, bills referencing the altered member will no longer be visible in the original project.\n\u003e \n\u003e This causes an additional information disclosure and loss of integrity on bills: the attacker will now be able to see, edit and delete bills belonging to the altered member, because IHateMoney now believes that these bills are associated to the attacker project through the altered member.\n\u003e \n\u003e For instance, assume that `Person(id=42)` is a member of project \"targetProject\", and that the attacker has access to another project \"attackerProject\" with the private code \"attackerPassword\". The attacker can modify `Person(id=42)` with this command:\n\u003e \n\u003e $ curl -X PUT -d \"name=Pwn3d\u0026activated=1\" --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\u003e \n\u003e The attacker can now see, edit and delete bills paid by `Person(id=42)` by simply browsing to http://$SERVER/attackerProject/\n\u003e \n\u003e 2) Editing a member through the web interface at `/\u003cproject\u003e/members/\u003cpersonID\u003e/edit` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\u003e \n\u003e This is very similar to the PUT exploit. Reusing the same example, the attacker needs to login to its \"attackerProject\" project with the private code \"attackerPassword\". It can then alter the state of `Person(id=42)` by accessing the edit form at the following URL:\n\u003e \n\u003e http://$SERVER/attackerProject/members/42/edit\n\u003e \n\u003e Again, as a result of the alteration, the altered member will become associated to the project \"attackerProject\", resulting in the same information disclosure and loss of integrity on bills.\n\u003e \n\u003e 3) API: DELETE requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will similarly allow to delete the member `\u003cpersonID\u003e` even if it belongs to a different project than `\u003cproject\u003e`.\n\u003e \n\u003e $ curl -X DELETE --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\u003e \n\u003e The impact is less serious than with PUT, because DELETE only deactivates a member (it does not really delete it).\n\u003e \n\u003e All these exploits require authentication: an attacker needs to know a valid project name and its associated \"private code\". Once this requirement is fullfilled, the attacker can exploit this flaw to alter the state of members in any other project, without needing to know the target project name or its private code.\n\u003e \n\u003e `Person.query.get_by_name()` suffers from the same issue as `Person.query.get()`. It has an additional issue: if multiple Person objects with the same name exist (this is possible if they are associated to different projects), `get_by_name()` will crash with `MultipleResultsFound` because of the call to `one()`.\n\u003e \n\u003e However, since `Person.query.get_by_name()` is currently not used anywhere in IHateMoney, the bug affecting this function has no impact and is not exploitable.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | ihatemoney | 4.1.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-67j9-c52g-w2q9 | ihatemoney | 4.1.5 |\n| PYSEC-2020-264 | ihatemoney | 4.1.5, 8d77cf5d5646e1d2d8ded13f0660638f57e98471 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-15120\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1352
+ "text": "**Your dependency is vulnerable to [CVE-2020-15120](https://osv.dev/CVE-2020-15120)**\n(Also published as: [PYSEC-2020-264](https://osv.dev/PYSEC-2020-264), [GHSA-67j9-c52g-w2q9](https://osv.dev/GHSA-67j9-c52g-w2q9), ).\n\n## [PYSEC-2020-264](https://osv.dev/PYSEC-2020-264)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.\n\n\u003c/details\u003e\n\n## [GHSA-67j9-c52g-w2q9](https://osv.dev/GHSA-67j9-c52g-w2q9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Impact\n\u003e An authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code.\n\u003e \n\u003e With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated.\n\u003e \n\u003e ### Patches\n\u003e ```diff\n\u003e ihatemoney/models.py | 4 ++--\n\u003e 1 file changed, 2 insertions(+), 2 deletions(-)\n\u003e \n\u003e diff --git a/ihatemoney/models.py b/ihatemoney/models.py\n\u003e index fe7b519..5691c75 100644\n\u003e --- a/ihatemoney/models.py\n\u003e +++ b/ihatemoney/models.py\n\u003e @@ -380,7 +380,7 @@ class Person(db.Model):\n\u003e def get_by_name(self, name, project):\n\u003e return (\n\u003e Person.query.filter(Person.name == name)\n\u003e - .filter(Project.id == project.id)\n\u003e + .filter(Person.project_id == project.id)\n\u003e .one()\n\u003e )\n\u003e \n\u003e @@ -389,7 +389,7 @@ class Person(db.Model):\n\u003e project = g.project\n\u003e return (\n\u003e Person.query.filter(Person.id == id)\n\u003e - .filter(Project.id == project.id)\n\u003e + .filter(Person.project_id == project.id)\n\u003e .one()\n\u003e )\n\u003e \n\u003e ```\n\u003e \n\u003e ### Workarounds\n\u003e \n\u003e To limit the impact, it is possible to disable public project creation by setting `ALLOW_PUBLIC_PROJECT_CREATION = False` in the configuration (see [documentation](https://ihatemoney.readthedocs.io/en/latest/configuration.html)). Existing users will still be able to exploit the flaw, but this will prevent an external attacker from creating a new project.\n\u003e \n\u003e ### For more information\n\u003e \n\u003e `Person.query.get()` and `Person.query.get_by_name()` were mistakenly running a database join on the Project table without constraining the result.\n\u003e \n\u003e As a result, `Person.query.get(42, \"projectfoo\")` would return the Person with id=42, even if it is not associated to the project \"projectfoo\". The only condition is that \"projectfoo\" must exist.\n\u003e \n\u003e This flaw can be exploited in several places:\n\u003e \n\u003e 1) API: PUT requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\u003e \n\u003e This allows an authenticated attacker to alter the state of a member (name, weight, activated) in any project. In addition, the altered member will no longer be associated with its original project but will be associated to the attacker project instead, breaking many features of IHateMoney. For instance, bills referencing the altered member will no longer be visible in the original project.\n\u003e \n\u003e This causes an additional information disclosure and loss of integrity on bills: the attacker will now be able to see, edit and delete bills belonging to the altered member, because IHateMoney now believes that these bills are associated to the attacker project through the altered member.\n\u003e \n\u003e For instance, assume that `Person(id=42)` is a member of project \"targetProject\", and that the attacker has access to another project \"attackerProject\" with the private code \"attackerPassword\". The attacker can modify `Person(id=42)` with this command:\n\u003e \n\u003e $ curl -X PUT -d \"name=Pwn3d\u0026activated=1\" --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\u003e \n\u003e The attacker can now see, edit and delete bills paid by `Person(id=42)` by simply browsing to http://$SERVER/attackerProject/\n\u003e \n\u003e 2) Editing a member through the web interface at `/\u003cproject\u003e/members/\u003cpersonID\u003e/edit` will succeed even though `\u003cpersonID\u003e` is not a member of `\u003cproject\u003e`.\n\u003e \n\u003e This is very similar to the PUT exploit. Reusing the same example, the attacker needs to login to its \"attackerProject\" project with the private code \"attackerPassword\". It can then alter the state of `Person(id=42)` by accessing the edit form at the following URL:\n\u003e \n\u003e http://$SERVER/attackerProject/members/42/edit\n\u003e \n\u003e Again, as a result of the alteration, the altered member will become associated to the project \"attackerProject\", resulting in the same information disclosure and loss of integrity on bills.\n\u003e \n\u003e 3) API: DELETE requests to `/api/projects/\u003cproject\u003e/members/\u003cpersonID\u003e` will similarly allow to delete the member `\u003cpersonID\u003e` even if it belongs to a different project than `\u003cproject\u003e`.\n\u003e \n\u003e $ curl -X DELETE --basic -u attackerProject:attackerPassword http://$SERVER/api/projects/attackerProject/members/42\n\u003e \n\u003e The impact is less serious than with PUT, because DELETE only deactivates a member (it does not really delete it).\n\u003e \n\u003e All these exploits require authentication: an attacker needs to know a valid project name and its associated \"private code\". Once this requirement is fullfilled, the attacker can exploit this flaw to alter the state of members in any other project, without needing to know the target project name or its private code.\n\u003e \n\u003e `Person.query.get_by_name()` suffers from the same issue as `Person.query.get()`. It has an additional issue: if multiple Person objects with the same name exist (this is possible if they are associated to different projects), `get_by_name()` will crash with `MultipleResultsFound` because of the call to `one()`.\n\u003e \n\u003e However, since `Person.query.get_by_name()` is currently not used anywhere in IHateMoney, the bug affecting this function has no impact and is not exploitable.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | ihatemoney | 4.1.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-67j9-c52g-w2q9 | ihatemoney | 4.1.5 |\n| PYSEC-2020-264 | ihatemoney | 4.1.5, 8d77cf5d5646e1d2d8ded13f0660638f57e98471 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-15120\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1353
+ },
1354
+ "id": "CVE-2020-15120",
1355
+ "name": "CVE-2020-15120",
1356
+ "properties": {
1357
+ "security-severity": "6.9"
1358
+ },
1359
+ "relationships": [],
1360
+ "shortDescription": {
1361
+ "markdown": "CVE-2020-15120: Authorization Bypass in I hate money",
1362
+ "text": "CVE-2020-15120: Authorization Bypass in I hate money"
1363
+ }
1364
+ },
1365
+ {
1366
+ "deprecatedIds": [
1367
+ "CVE-2024-6839",
1368
+ "GHSA-7rxf-gvfg-47g4"
1369
+ ],
1370
+ "fullDescription": {
1371
+ "markdown": "corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.",
1372
+ "text": "corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors."
1373
+ },
1374
+ "help": {
1375
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-6839](https://osv.dev/CVE-2024-6839)**.\n\n## [GHSA-7rxf-gvfg-47g4](https://osv.dev/GHSA-7rxf-gvfg-47g4)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-7rxf-gvfg-47g4 | flask-cors | 6.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6839\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1376
+ "text": "**Your dependency is vulnerable to [CVE-2024-6839](https://osv.dev/CVE-2024-6839)**.\n\n## [GHSA-7rxf-gvfg-47g4](https://osv.dev/GHSA-7rxf-gvfg-47g4)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-7rxf-gvfg-47g4 | flask-cors | 6.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6839\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1377
+ },
1378
+ "id": "CVE-2024-6839",
1379
+ "name": "CVE-2024-6839",
1380
+ "properties": {
1381
+ "security-severity": "4.3"
1382
+ },
1383
+ "relationships": [],
1384
+ "shortDescription": {
1385
+ "markdown": "CVE-2024-6839: Flask-CORS improper regex path matching vulnerability",
1386
+ "text": "CVE-2024-6839: Flask-CORS improper regex path matching vulnerability"
1387
+ }
1388
+ },
1389
+ {
1390
+ "deprecatedIds": [
1391
+ "CVE-2024-1681",
1392
+ "GHSA-84pr-m4jr-85g5"
1393
+ ],
1394
+ "fullDescription": {
1395
+ "markdown": "corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.",
1396
+ "text": "corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs."
1397
+ },
1398
+ "help": {
1399
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-1681](https://osv.dev/CVE-2024-1681)**.\n\n## [GHSA-84pr-m4jr-85g5](https://osv.dev/GHSA-84pr-m4jr-85g5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-84pr-m4jr-85g5 | flask-cors | 4.0.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-1681\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1400
+ "text": "**Your dependency is vulnerable to [CVE-2024-1681](https://osv.dev/CVE-2024-1681)**.\n\n## [GHSA-84pr-m4jr-85g5](https://osv.dev/GHSA-84pr-m4jr-85g5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-84pr-m4jr-85g5 | flask-cors | 4.0.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-1681\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1401
+ },
1402
+ "id": "CVE-2024-1681",
1403
+ "name": "CVE-2024-1681",
1404
+ "properties": {
1405
+ "security-severity": "5.3"
1406
+ },
1407
+ "relationships": [],
1408
+ "shortDescription": {
1409
+ "markdown": "CVE-2024-1681: flask-cors vulnerable to log injection when the log level is set to debug",
1410
+ "text": "CVE-2024-1681: flask-cors vulnerable to log injection when the log level is set to debug"
1411
+ }
1412
+ },
1413
+ {
1414
+ "deprecatedIds": [
1415
+ "CVE-2024-6844",
1416
+ "GHSA-8vgw-p6qm-5gr7"
1417
+ ],
1418
+ "fullDescription": {
1419
+ "markdown": "A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.",
1420
+ "text": "A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues."
1421
+ },
1422
+ "help": {
1423
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-6844](https://osv.dev/CVE-2024-6844)**.\n\n## [GHSA-8vgw-p6qm-5gr7](https://osv.dev/GHSA-8vgw-p6qm-5gr7)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8vgw-p6qm-5gr7 | flask-cors | 6.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6844\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1424
+ "text": "**Your dependency is vulnerable to [CVE-2024-6844](https://osv.dev/CVE-2024-6844)**.\n\n## [GHSA-8vgw-p6qm-5gr7](https://osv.dev/GHSA-8vgw-p6qm-5gr7)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8vgw-p6qm-5gr7 | flask-cors | 6.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6844\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1425
+ },
1426
+ "id": "CVE-2024-6844",
1427
+ "name": "CVE-2024-6844",
1428
+ "properties": {
1429
+ "security-severity": "5.3"
1430
+ },
1431
+ "relationships": [],
1432
+ "shortDescription": {
1433
+ "markdown": "CVE-2024-6844: Flask-CORS allows for inconsistent CORS matching",
1434
+ "text": "CVE-2024-6844: Flask-CORS allows for inconsistent CORS matching"
1435
+ }
1436
+ },
1437
+ {
1438
+ "deprecatedIds": [
1439
+ "CVE-2025-27516",
1440
+ "GHSA-cpwx-vrp4-4pq7"
1441
+ ],
1442
+ "fullDescription": {
1443
+ "markdown": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.",
1444
+ "text": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup."
1445
+ },
1446
+ "help": {
1447
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-27516](https://osv.dev/CVE-2025-27516)**.\n\n## [GHSA-cpwx-vrp4-4pq7](https://osv.dev/GHSA-cpwx-vrp4-4pq7)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\u003e \n\u003e To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\u003e \n\u003e Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-cpwx-vrp4-4pq7 | jinja2 | 3.1.6 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-27516\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1448
+ "text": "**Your dependency is vulnerable to [CVE-2025-27516](https://osv.dev/CVE-2025-27516)**.\n\n## [GHSA-cpwx-vrp4-4pq7](https://osv.dev/GHSA-cpwx-vrp4-4pq7)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\u003e \n\u003e To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\u003e \n\u003e Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-cpwx-vrp4-4pq7 | jinja2 | 3.1.6 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-27516\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1449
+ },
1450
+ "id": "CVE-2025-27516",
1451
+ "name": "CVE-2025-27516",
1452
+ "properties": {
1453
+ "security-severity": "5.4"
1454
+ },
1455
+ "relationships": [],
1456
+ "shortDescription": {
1457
+ "markdown": "CVE-2025-27516: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method",
1458
+ "text": "CVE-2025-27516: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method"
1459
+ }
1460
+ },
1461
+ {
1462
+ "deprecatedIds": [
1463
+ "CVE-2024-49766",
1464
+ "GHSA-f9vj-2wh5-fj8j"
1465
+ ],
1466
+ "fullDescription": {
1467
+ "markdown": "On Python \u003c 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python \u003e= 3.11, or not using Windows, are not vulnerable.",
1468
+ "text": "On Python \u003c 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python \u003e= 3.11, or not using Windows, are not vulnerable."
1469
+ },
1470
+ "help": {
1471
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-49766](https://osv.dev/CVE-2024-49766)**.\n\n## [GHSA-f9vj-2wh5-fj8j](https://osv.dev/GHSA-f9vj-2wh5-fj8j)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e On Python \u003c 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python \u003e= 3.11, or not using Windows, are not vulnerable.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-f9vj-2wh5-fj8j | werkzeug | 3.0.6 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-49766\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1472
+ "text": "**Your dependency is vulnerable to [CVE-2024-49766](https://osv.dev/CVE-2024-49766)**.\n\n## [GHSA-f9vj-2wh5-fj8j](https://osv.dev/GHSA-f9vj-2wh5-fj8j)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e On Python \u003c 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python \u003e= 3.11, or not using Windows, are not vulnerable.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-f9vj-2wh5-fj8j | werkzeug | 3.0.6 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-49766\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1473
+ },
1474
+ "id": "CVE-2024-49766",
1475
+ "name": "CVE-2024-49766",
1476
+ "properties": {
1477
+ "security-severity": "6.3"
1478
+ },
1479
+ "relationships": [],
1480
+ "shortDescription": {
1481
+ "markdown": "CVE-2024-49766: Werkzeug safe_join not safe on Windows",
1482
+ "text": "CVE-2024-49766: Werkzeug safe_join not safe on Windows"
1483
+ }
1484
+ },
1485
+ {
1486
+ "deprecatedIds": [
1487
+ "CVE-2020-28493",
1488
+ "PYSEC-2021-66",
1489
+ "SNYK-PYTHON-JINJA2-1012994",
1490
+ "GHSA-g3rq-g295-4j3m"
1491
+ ],
1492
+ "fullDescription": {
1493
+ "markdown": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.",
1494
+ "text": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory."
1495
+ },
1496
+ "help": {
1497
+ "markdown": "**Your dependency is vulnerable to [CVE-2020-28493](https://osv.dev/CVE-2020-28493)**\n(Also published as: [PYSEC-2021-66](https://osv.dev/PYSEC-2021-66), [GHSA-g3rq-g295-4j3m](https://osv.dev/GHSA-g3rq-g295-4j3m), ).\n\n## [PYSEC-2021-66](https://osv.dev/PYSEC-2021-66)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.\n\n\u003c/details\u003e\n\n## [GHSA-g3rq-g295-4j3m](https://osv.dev/GHSA-g3rq-g295-4j3m)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-g3rq-g295-4j3m | jinja2 | 2.11.3 |\n| PYSEC-2021-66 | jinja2 | 2.11.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-28493\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1498
+ "text": "**Your dependency is vulnerable to [CVE-2020-28493](https://osv.dev/CVE-2020-28493)**\n(Also published as: [PYSEC-2021-66](https://osv.dev/PYSEC-2021-66), [GHSA-g3rq-g295-4j3m](https://osv.dev/GHSA-g3rq-g295-4j3m), ).\n\n## [PYSEC-2021-66](https://osv.dev/PYSEC-2021-66)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.\n\n\u003c/details\u003e\n\n## [GHSA-g3rq-g295-4j3m](https://osv.dev/GHSA-g3rq-g295-4j3m)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-g3rq-g295-4j3m | jinja2 | 2.11.3 |\n| PYSEC-2021-66 | jinja2 | 2.11.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-28493\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1499
+ },
1500
+ "id": "CVE-2020-28493",
1501
+ "name": "CVE-2020-28493",
1502
+ "properties": {
1503
+ "security-severity": "6.9"
1504
+ },
1505
+ "relationships": [],
1506
+ "shortDescription": {
1507
+ "markdown": "CVE-2020-28493: Regular Expression Denial of Service (ReDoS) in Jinja2",
1508
+ "text": "CVE-2020-28493: Regular Expression Denial of Service (ReDoS) in Jinja2"
1509
+ }
1510
+ },
1511
+ {
1512
+ "deprecatedIds": [
1513
+ "CVE-2021-42771",
1514
+ "PYSEC-2021-421",
1515
+ "GHSA-h4m5-qpfp-3mpv"
1516
+ ],
1517
+ "fullDescription": {
1518
+ "markdown": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.",
1519
+ "text": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution."
1520
+ },
1521
+ "help": {
1522
+ "markdown": "**Your dependency is vulnerable to [CVE-2021-42771](https://osv.dev/CVE-2021-42771)**\n(Also published as: [PYSEC-2021-421](https://osv.dev/PYSEC-2021-421), [GHSA-h4m5-qpfp-3mpv](https://osv.dev/GHSA-h4m5-qpfp-3mpv), ).\n\n## [PYSEC-2021-421](https://osv.dev/PYSEC-2021-421)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.\n\n\u003c/details\u003e\n\n## [GHSA-h4m5-qpfp-3mpv](https://osv.dev/GHSA-h4m5-qpfp-3mpv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | babel | 2.8.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h4m5-qpfp-3mpv | babel | 2.9.1 |\n| PYSEC-2021-421 | babel | 2.9.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-42771\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1523
+ "text": "**Your dependency is vulnerable to [CVE-2021-42771](https://osv.dev/CVE-2021-42771)**\n(Also published as: [PYSEC-2021-421](https://osv.dev/PYSEC-2021-421), [GHSA-h4m5-qpfp-3mpv](https://osv.dev/GHSA-h4m5-qpfp-3mpv), ).\n\n## [PYSEC-2021-421](https://osv.dev/PYSEC-2021-421)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.\n\n\u003c/details\u003e\n\n## [GHSA-h4m5-qpfp-3mpv](https://osv.dev/GHSA-h4m5-qpfp-3mpv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | babel | 2.8.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h4m5-qpfp-3mpv | babel | 2.9.1 |\n| PYSEC-2021-421 | babel | 2.9.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-42771\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1524
+ },
1525
+ "id": "CVE-2021-42771",
1526
+ "name": "CVE-2021-42771",
1527
+ "properties": {
1528
+ "security-severity": "8.7"
1529
+ },
1530
+ "relationships": [],
1531
+ "shortDescription": {
1532
+ "markdown": "CVE-2021-42771: Directory Traversal in Babel",
1533
+ "text": "CVE-2021-42771: Directory Traversal in Babel"
1534
+ }
1535
+ },
1536
+ {
1537
+ "deprecatedIds": [
1538
+ "CVE-2024-22195",
1539
+ "GHSA-h5c8-rqwp-cp95"
1540
+ ],
1541
+ "fullDescription": {
1542
+ "markdown": "The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.",
1543
+ "text": "The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix."
1544
+ },
1545
+ "help": {
1546
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-22195](https://osv.dev/CVE-2024-22195)**.\n\n## [GHSA-h5c8-rqwp-cp95](https://osv.dev/GHSA-h5c8-rqwp-cp95)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h5c8-rqwp-cp95 | jinja2 | 3.1.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-22195\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1547
+ "text": "**Your dependency is vulnerable to [CVE-2024-22195](https://osv.dev/CVE-2024-22195)**.\n\n## [GHSA-h5c8-rqwp-cp95](https://osv.dev/GHSA-h5c8-rqwp-cp95)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h5c8-rqwp-cp95 | jinja2 | 3.1.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-22195\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1548
+ },
1549
+ "id": "CVE-2024-22195",
1550
+ "name": "CVE-2024-22195",
1551
+ "properties": {
1552
+ "security-severity": "5.4"
1553
+ },
1554
+ "relationships": [],
1555
+ "shortDescription": {
1556
+ "markdown": "CVE-2024-22195: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter",
1557
+ "text": "CVE-2024-22195: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
1558
+ }
1559
+ },
1560
+ {
1561
+ "deprecatedIds": [
1562
+ "CVE-2024-34064",
1563
+ "CGA-g5xx-83xq-8g5j",
1564
+ "GHSA-h75v-3vvj-5mfj"
1565
+ ],
1566
+ "fullDescription": {
1567
+ "markdown": "The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `\u003e`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.\n\nAccepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.",
1568
+ "text": "The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `\u003e`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.\n\nAccepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe."
1569
+ },
1570
+ "help": {
1571
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-34064](https://osv.dev/CVE-2024-34064)**.\n\n## [GHSA-h75v-3vvj-5mfj](https://osv.dev/GHSA-h75v-3vvj-5mfj)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `\u003e`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.\n\u003e \n\u003e Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h75v-3vvj-5mfj | jinja2 | 3.1.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34064\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1572
+ "text": "**Your dependency is vulnerable to [CVE-2024-34064](https://osv.dev/CVE-2024-34064)**.\n\n## [GHSA-h75v-3vvj-5mfj](https://osv.dev/GHSA-h75v-3vvj-5mfj)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `\u003e`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.\n\u003e \n\u003e Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h75v-3vvj-5mfj | jinja2 | 3.1.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34064\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1573
+ },
1574
+ "id": "CVE-2024-34064",
1575
+ "name": "CVE-2024-34064",
1576
+ "properties": {
1577
+ "security-severity": "5.4"
1578
+ },
1579
+ "relationships": [],
1580
+ "shortDescription": {
1581
+ "markdown": "CVE-2024-34064: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter",
1582
+ "text": "CVE-2024-34064: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
1583
+ }
1584
+ },
1585
+ {
1586
+ "deprecatedIds": [
1587
+ "CVE-2023-46136",
1588
+ "PYSEC-2023-221",
1589
+ "GHSA-hrfv-mqp8-q5rw"
1590
+ ],
1591
+ "fullDescription": {
1592
+ "markdown": "Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n",
1593
+ "text": "Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n"
1594
+ },
1595
+ "help": {
1596
+ "markdown": "**Your dependency is vulnerable to [CVE-2023-46136](https://osv.dev/CVE-2023-46136)**\n(Also published as: [PYSEC-2023-221](https://osv.dev/PYSEC-2023-221), [GHSA-hrfv-mqp8-q5rw](https://osv.dev/GHSA-hrfv-mqp8-q5rw), ).\n\n## [PYSEC-2023-221](https://osv.dev/PYSEC-2023-221)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.\n\n\u003c/details\u003e\n\n## [GHSA-hrfv-mqp8-q5rw](https://osv.dev/GHSA-hrfv-mqp8-q5rw)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\u003e \n\u003e This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hrfv-mqp8-q5rw | werkzeug | 2.3.8, 3.0.1 |\n| PYSEC-2023-221 | werkzeug | 2.3.8, 3.0.1, f2300208d5e2a5076cbbb4c2aad71096fd040ef9, f3c803b3ade485a45f12b6d6617595350c0f03e2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-46136\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1597
+ "text": "**Your dependency is vulnerable to [CVE-2023-46136](https://osv.dev/CVE-2023-46136)**\n(Also published as: [PYSEC-2023-221](https://osv.dev/PYSEC-2023-221), [GHSA-hrfv-mqp8-q5rw](https://osv.dev/GHSA-hrfv-mqp8-q5rw), ).\n\n## [PYSEC-2023-221](https://osv.dev/PYSEC-2023-221)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.\n\n\u003c/details\u003e\n\n## [GHSA-hrfv-mqp8-q5rw](https://osv.dev/GHSA-hrfv-mqp8-q5rw)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\u003e \n\u003e This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hrfv-mqp8-q5rw | werkzeug | 2.3.8, 3.0.1 |\n| PYSEC-2023-221 | werkzeug | 2.3.8, 3.0.1, f2300208d5e2a5076cbbb4c2aad71096fd040ef9, f3c803b3ade485a45f12b6d6617595350c0f03e2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-46136\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1598
+ },
1599
+ "id": "CVE-2023-46136",
1600
+ "name": "CVE-2023-46136",
1601
+ "properties": {
1602
+ "security-severity": "7.5"
1603
+ },
1604
+ "relationships": [],
1605
+ "shortDescription": {
1606
+ "markdown": "CVE-2023-46136: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning",
1607
+ "text": "CVE-2023-46136: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning"
1608
+ }
1609
+ },
1610
+ {
1611
+ "deprecatedIds": [
1612
+ "CVE-2024-6221",
1613
+ "PYSEC-2024-71",
1614
+ "GHSA-hxwh-jpp2-84pm"
1615
+ ],
1616
+ "fullDescription": {
1617
+ "markdown": "A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.",
1618
+ "text": "A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions."
1619
+ },
1620
+ "help": {
1621
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-6221](https://osv.dev/CVE-2024-6221)**\n(Also published as: [PYSEC-2024-71](https://osv.dev/PYSEC-2024-71), [GHSA-hxwh-jpp2-84pm](https://osv.dev/GHSA-hxwh-jpp2-84pm), ).\n\n## [PYSEC-2024-71](https://osv.dev/PYSEC-2024-71)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in corydolphin/flask-cors up to version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.\n\n\u003c/details\u003e\n\n## [GHSA-hxwh-jpp2-84pm](https://osv.dev/GHSA-hxwh-jpp2-84pm)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hxwh-jpp2-84pm | flask-cors | 4.0.2 |\n| PYSEC-2024-71 | flask-cors | 4.0.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6221\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1622
+ "text": "**Your dependency is vulnerable to [CVE-2024-6221](https://osv.dev/CVE-2024-6221)**\n(Also published as: [PYSEC-2024-71](https://osv.dev/PYSEC-2024-71), [GHSA-hxwh-jpp2-84pm](https://osv.dev/GHSA-hxwh-jpp2-84pm), ).\n\n## [PYSEC-2024-71](https://osv.dev/PYSEC-2024-71)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in corydolphin/flask-cors up to version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.\n\n\u003c/details\u003e\n\n## [GHSA-hxwh-jpp2-84pm](https://osv.dev/GHSA-hxwh-jpp2-84pm)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hxwh-jpp2-84pm | flask-cors | 4.0.2 |\n| PYSEC-2024-71 | flask-cors | 4.0.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6221\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1623
+ },
1624
+ "id": "CVE-2024-6221",
1625
+ "name": "CVE-2024-6221",
1626
+ "properties": {
1627
+ "security-severity": "8.7"
1628
+ },
1629
+ "relationships": [],
1630
+ "shortDescription": {
1631
+ "markdown": "CVE-2024-6221: Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default",
1632
+ "text": "CVE-2024-6221: Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default"
1633
+ }
1634
+ },
1635
+ {
1636
+ "deprecatedIds": [
1637
+ "CVE-2024-3651",
1638
+ "PYSEC-2024-60",
1639
+ "GHSA-jjg7-2v4v-x38h"
1640
+ ],
1641
+ "fullDescription": {
1642
+ "markdown": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb",
1643
+ "text": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"
1644
+ },
1645
+ "help": {
1646
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-3651](https://osv.dev/CVE-2024-3651)**\n(Also published as: [PYSEC-2024-60](https://osv.dev/PYSEC-2024-60), [GHSA-jjg7-2v4v-x38h](https://osv.dev/GHSA-jjg7-2v4v-x38h), ).\n\n## [PYSEC-2024-60](https://osv.dev/PYSEC-2024-60)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.\n\n\u003c/details\u003e\n\n## [GHSA-jjg7-2v4v-x38h](https://osv.dev/GHSA-jjg7-2v4v-x38h)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Impact\n\u003e A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\u003e \n\u003e ### Patches\n\u003e The function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\u003e \n\u003e ### Workarounds\n\u003e Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\u003e \n\u003e ### References\n\u003e * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | idna | 2.10 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-jjg7-2v4v-x38h | idna | 3.7 |\n| PYSEC-2024-60 | idna | 1d365e17e10d72d0b7876316fc7b9ca0eebdd38d, 3.7 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-3651\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1647
+ "text": "**Your dependency is vulnerable to [CVE-2024-3651](https://osv.dev/CVE-2024-3651)**\n(Also published as: [PYSEC-2024-60](https://osv.dev/PYSEC-2024-60), [GHSA-jjg7-2v4v-x38h](https://osv.dev/GHSA-jjg7-2v4v-x38h), ).\n\n## [PYSEC-2024-60](https://osv.dev/PYSEC-2024-60)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.\n\n\u003c/details\u003e\n\n## [GHSA-jjg7-2v4v-x38h](https://osv.dev/GHSA-jjg7-2v4v-x38h)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Impact\n\u003e A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\u003e \n\u003e ### Patches\n\u003e The function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\u003e \n\u003e ### Workarounds\n\u003e Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\u003e \n\u003e ### References\n\u003e * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | idna | 2.10 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-jjg7-2v4v-x38h | idna | 3.7 |\n| PYSEC-2024-60 | idna | 1d365e17e10d72d0b7876316fc7b9ca0eebdd38d, 3.7 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-3651\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1648
+ },
1649
+ "id": "CVE-2024-3651",
1650
+ "name": "CVE-2024-3651",
1651
+ "properties": {
1652
+ "security-severity": "7.5"
1653
+ },
1654
+ "relationships": [],
1655
+ "shortDescription": {
1656
+ "markdown": "CVE-2024-3651: Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode",
1657
+ "text": "CVE-2024-3651: Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"
1658
+ }
1659
+ },
1660
+ {
1661
+ "deprecatedIds": [
1662
+ "CVE-2023-30861",
1663
+ "PYSEC-2023-62",
1664
+ "GHSA-m2qf-hxjv-5gpq"
1665
+ ],
1666
+ "fullDescription": {
1667
+ "markdown": "When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on _all_ these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets [`session.permanent = True`](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent).\n2. The application does not access or modify the session at any point during a request.\n4. [`SESSION_REFRESH_EACH_REQUEST`](https://flask.palletsprojects.com/en/2.3.x/config/#SESSION_REFRESH_EACH_REQUEST) is enabled (the default).\n5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.",
1668
+ "text": "When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on _all_ these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets [`session.permanent = True`](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent).\n2. The application does not access or modify the session at any point during a request.\n4. [`SESSION_REFRESH_EACH_REQUEST`](https://flask.palletsprojects.com/en/2.3.x/config/#SESSION_REFRESH_EACH_REQUEST) is enabled (the default).\n5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified."
1669
+ },
1670
+ "help": {
1671
+ "markdown": "**Your dependency is vulnerable to [CVE-2023-30861](https://osv.dev/CVE-2023-30861)**\n(Also published as: [PYSEC-2023-62](https://osv.dev/PYSEC-2023-62), [GHSA-m2qf-hxjv-5gpq](https://osv.dev/GHSA-m2qf-hxjv-5gpq), ).\n\n## [PYSEC-2023-62](https://osv.dev/PYSEC-2023-62)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\n\u003e \n\u003e 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n\u003e 2. The application sets `session.permanent = True`\n\u003e 3. The application does not access or modify the session at any point during a request.\n\u003e 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n\u003e 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\u003e \n\u003e This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.\n\n\u003c/details\u003e\n\n## [GHSA-m2qf-hxjv-5gpq](https://osv.dev/GHSA-m2qf-hxjv-5gpq)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on _all_ these conditions being met.\n\u003e \n\u003e 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n\u003e 2. The application sets [`session.permanent = True`](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent).\n\u003e 2. The application does not access or modify the session at any point during a request.\n\u003e 4. [`SESSION_REFRESH_EACH_REQUEST`](https://flask.palletsprojects.com/en/2.3.x/config/#SESSION_REFRESH_EACH_REQUEST) is enabled (the default).\n\u003e 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\u003e \n\u003e This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask | 1.1.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m2qf-hxjv-5gpq | flask | 2.2.5, 2.3.2 |\n| PYSEC-2023-62 | flask | 2.2.5, 2.3.2, 70f906c51ce49c485f1d355703e9cc3386b1cc2b, afd63b16170b7c047f5758eb910c416511e9c965 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-30861\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1672
+ "text": "**Your dependency is vulnerable to [CVE-2023-30861](https://osv.dev/CVE-2023-30861)**\n(Also published as: [PYSEC-2023-62](https://osv.dev/PYSEC-2023-62), [GHSA-m2qf-hxjv-5gpq](https://osv.dev/GHSA-m2qf-hxjv-5gpq), ).\n\n## [PYSEC-2023-62](https://osv.dev/PYSEC-2023-62)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\n\u003e \n\u003e 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n\u003e 2. The application sets `session.permanent = True`\n\u003e 3. The application does not access or modify the session at any point during a request.\n\u003e 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n\u003e 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\u003e \n\u003e This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.\n\n\u003c/details\u003e\n\n## [GHSA-m2qf-hxjv-5gpq](https://osv.dev/GHSA-m2qf-hxjv-5gpq)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on _all_ these conditions being met.\n\u003e \n\u003e 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n\u003e 2. The application sets [`session.permanent = True`](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent).\n\u003e 2. The application does not access or modify the session at any point during a request.\n\u003e 4. [`SESSION_REFRESH_EACH_REQUEST`](https://flask.palletsprojects.com/en/2.3.x/config/#SESSION_REFRESH_EACH_REQUEST) is enabled (the default).\n\u003e 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\u003e \n\u003e This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask | 1.1.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m2qf-hxjv-5gpq | flask | 2.2.5, 2.3.2 |\n| PYSEC-2023-62 | flask | 2.2.5, 2.3.2, 70f906c51ce49c485f1d355703e9cc3386b1cc2b, afd63b16170b7c047f5758eb910c416511e9c965 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-30861\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1673
+ },
1674
+ "id": "CVE-2023-30861",
1675
+ "name": "CVE-2023-30861",
1676
+ "properties": {
1677
+ "security-severity": "8.7"
1678
+ },
1679
+ "relationships": [],
1680
+ "shortDescription": {
1681
+ "markdown": "CVE-2023-30861: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header",
1682
+ "text": "CVE-2023-30861: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header"
1683
+ }
1684
+ },
1685
+ {
1686
+ "deprecatedIds": [
1687
+ "CVE-2024-21502",
1688
+ "PYSEC-2024-39",
1689
+ "GHSA-ph86-g9r3-5qw4"
1690
+ ],
1691
+ "fullDescription": {
1692
+ "markdown": "Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.",
1693
+ "text": "Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability."
1694
+ },
1695
+ "help": {
1696
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-21502](https://osv.dev/CVE-2024-21502)**\n(Also published as: [PYSEC-2024-39](https://osv.dev/PYSEC-2024-39), [GHSA-ph86-g9r3-5qw4](https://osv.dev/GHSA-ph86-g9r3-5qw4), ).\n\n## [PYSEC-2024-39](https://osv.dev/PYSEC-2024-39)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.\n\n\u003c/details\u003e\n\n## [GHSA-ph86-g9r3-5qw4](https://osv.dev/GHSA-ph86-g9r3-5qw4)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | fastecdsa | 2.1.3 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-ph86-g9r3-5qw4 | fastecdsa | 2.3.2 |\n| PYSEC-2024-39 | fastecdsa | 2.3.2, 57fc5689c95d649dab7ef60cc99ac64589f01e36 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-21502\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1697
+ "text": "**Your dependency is vulnerable to [CVE-2024-21502](https://osv.dev/CVE-2024-21502)**\n(Also published as: [PYSEC-2024-39](https://osv.dev/PYSEC-2024-39), [GHSA-ph86-g9r3-5qw4](https://osv.dev/GHSA-ph86-g9r3-5qw4), ).\n\n## [PYSEC-2024-39](https://osv.dev/PYSEC-2024-39)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.\n\n\u003c/details\u003e\n\n## [GHSA-ph86-g9r3-5qw4](https://osv.dev/GHSA-ph86-g9r3-5qw4)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | fastecdsa | 2.1.3 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-ph86-g9r3-5qw4 | fastecdsa | 2.3.2 |\n| PYSEC-2024-39 | fastecdsa | 2.3.2, 57fc5689c95d649dab7ef60cc99ac64589f01e36 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-21502\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1698
+ },
1699
+ "id": "CVE-2024-21502",
1700
+ "name": "CVE-2024-21502",
1701
+ "properties": {
1702
+ "security-severity": "7.5"
1703
+ },
1704
+ "relationships": [],
1705
+ "shortDescription": {
1706
+ "markdown": "CVE-2024-21502: Uninitialized Variable in fastecdsa",
1707
+ "text": "CVE-2024-21502: Uninitialized Variable in fastecdsa"
1708
+ }
1709
+ },
1710
+ {
1711
+ "deprecatedIds": [
1712
+ "CVE-2023-23934",
1713
+ "PYSEC-2023-57",
1714
+ "GHSA-px8h-6qxv-m22q"
1715
+ ],
1716
+ "fullDescription": {
1717
+ "markdown": "Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain.\n\nWerkzeug \u003c= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.",
1718
+ "text": "Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain.\n\nWerkzeug \u003c= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key."
1719
+ },
1720
+ "help": {
1721
+ "markdown": "**Your dependency is vulnerable to [CVE-2023-23934](https://osv.dev/CVE-2023-23934)**\n(Also published as: [PYSEC-2023-57](https://osv.dev/PYSEC-2023-57), [GHSA-px8h-6qxv-m22q](https://osv.dev/GHSA-px8h-6qxv-m22q), ).\n\n## [PYSEC-2023-57](https://osv.dev/PYSEC-2023-57)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug is a comprehensive WSGI web application library. Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.\n\n\u003c/details\u003e\n\n## [GHSA-px8h-6qxv-m22q](https://osv.dev/GHSA-px8h-6qxv-m22q)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain.\n\u003e \n\u003e Werkzeug \u003c= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-px8h-6qxv-m22q | werkzeug | 2.2.3 |\n| PYSEC-2023-57 | werkzeug | 2.2.3, cf275f42acad1b5950c50ffe8ef58fe62cdce028 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-23934\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1722
+ "text": "**Your dependency is vulnerable to [CVE-2023-23934](https://osv.dev/CVE-2023-23934)**\n(Also published as: [PYSEC-2023-57](https://osv.dev/PYSEC-2023-57), [GHSA-px8h-6qxv-m22q](https://osv.dev/GHSA-px8h-6qxv-m22q), ).\n\n## [PYSEC-2023-57](https://osv.dev/PYSEC-2023-57)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug is a comprehensive WSGI web application library. Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.\n\n\u003c/details\u003e\n\n## [GHSA-px8h-6qxv-m22q](https://osv.dev/GHSA-px8h-6qxv-m22q)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain.\n\u003e \n\u003e Werkzeug \u003c= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-px8h-6qxv-m22q | werkzeug | 2.2.3 |\n| PYSEC-2023-57 | werkzeug | 2.2.3, cf275f42acad1b5950c50ffe8ef58fe62cdce028 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-23934\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1723
+ },
1724
+ "id": "CVE-2023-23934",
1725
+ "name": "CVE-2023-23934",
1726
+ "properties": {
1727
+ "security-severity": "2.6"
1728
+ },
1729
+ "relationships": [],
1730
+ "shortDescription": {
1731
+ "markdown": "CVE-2023-23934: Incorrect parsing of nameless cookies leads to __Host- cookies bypass",
1732
+ "text": "CVE-2023-23934: Incorrect parsing of nameless cookies leads to __Host- cookies bypass"
1733
+ }
1734
+ },
1735
+ {
1736
+ "deprecatedIds": [
1737
+ "CVE-2024-56326",
1738
+ "GHSA-q2x7-8rv6-6q7h"
1739
+ ],
1740
+ "fullDescription": {
1741
+ "markdown": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
1742
+ "text": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox."
1743
+ },
1744
+ "help": {
1745
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-56326](https://osv.dev/CVE-2024-56326)**.\n\n## [GHSA-q2x7-8rv6-6q7h](https://osv.dev/GHSA-q2x7-8rv6-6q7h)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\u003e \n\u003e To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\u003e \n\u003e Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-q2x7-8rv6-6q7h | jinja2 | 3.1.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-56326\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1746
+ "text": "**Your dependency is vulnerable to [CVE-2024-56326](https://osv.dev/CVE-2024-56326)**.\n\n## [GHSA-q2x7-8rv6-6q7h](https://osv.dev/GHSA-q2x7-8rv6-6q7h)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\u003e \n\u003e To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\u003e \n\u003e Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | jinja2 | 2.10.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-q2x7-8rv6-6q7h | jinja2 | 3.1.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-56326\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1747
+ },
1748
+ "id": "CVE-2024-56326",
1749
+ "name": "CVE-2024-56326",
1750
+ "properties": {
1751
+ "security-severity": "7.8"
1752
+ },
1753
+ "relationships": [],
1754
+ "shortDescription": {
1755
+ "markdown": "CVE-2024-56326: Jinja has a sandbox breakout through indirect reference to format method",
1756
+ "text": "CVE-2024-56326: Jinja has a sandbox breakout through indirect reference to format method"
1757
+ }
1758
+ },
1759
+ {
1760
+ "deprecatedIds": [
1761
+ "CVE-2024-49767",
1762
+ "GHSA-q34m-jh98-gwm2"
1763
+ ],
1764
+ "fullDescription": {
1765
+ "markdown": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.",
1766
+ "text": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application."
1767
+ },
1768
+ "help": {
1769
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-49767](https://osv.dev/CVE-2024-49767)**.\n\n## [GHSA-q34m-jh98-gwm2](https://osv.dev/GHSA-q34m-jh98-gwm2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\u003e \n\u003e \n\u003e The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-q34m-jh98-gwm2 | werkzeug | 3.0.6 |\n| GHSA-q34m-jh98-gwm2 | quart | 0.20.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-49767\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1770
+ "text": "**Your dependency is vulnerable to [CVE-2024-49767](https://osv.dev/CVE-2024-49767)**.\n\n## [GHSA-q34m-jh98-gwm2](https://osv.dev/GHSA-q34m-jh98-gwm2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\u003e \n\u003e \n\u003e The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-q34m-jh98-gwm2 | werkzeug | 3.0.6 |\n| GHSA-q34m-jh98-gwm2 | quart | 0.20.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-49767\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1771
+ },
1772
+ "id": "CVE-2024-49767",
1773
+ "name": "CVE-2024-49767",
1774
+ "properties": {
1775
+ "security-severity": "7.5"
1776
+ },
1777
+ "relationships": [],
1778
+ "shortDescription": {
1779
+ "markdown": "CVE-2024-49767: Werkzeug possible resource exhaustion when parsing file data in forms",
1780
+ "text": "CVE-2024-49767: Werkzeug possible resource exhaustion when parsing file data in forms"
1781
+ }
1782
+ },
1783
+ {
1784
+ "deprecatedIds": [
1785
+ "CVE-2022-40023",
1786
+ "PYSEC-2022-260",
1787
+ "GHSA-v973-fxgf-6xhp"
1788
+ ],
1789
+ "fullDescription": {
1790
+ "markdown": "Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.",
1791
+ "text": "Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin."
1792
+ },
1793
+ "help": {
1794
+ "markdown": "**Your dependency is vulnerable to [CVE-2022-40023](https://osv.dev/CVE-2022-40023)**\n(Also published as: [PYSEC-2022-260](https://osv.dev/PYSEC-2022-260), [GHSA-v973-fxgf-6xhp](https://osv.dev/GHSA-v973-fxgf-6xhp), ).\n\n## [PYSEC-2022-260](https://osv.dev/PYSEC-2022-260)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.\n\n\u003c/details\u003e\n\n## [GHSA-v973-fxgf-6xhp](https://osv.dev/GHSA-v973-fxgf-6xhp)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | mako | 1.1.3 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-v973-fxgf-6xhp | mako | 1.2.2 |\n| PYSEC-2022-260 | mako | 1.2.2, 925760291d6efec64fda6e9dd1fd9cfbd5be068c |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-40023\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1795
+ "text": "**Your dependency is vulnerable to [CVE-2022-40023](https://osv.dev/CVE-2022-40023)**\n(Also published as: [PYSEC-2022-260](https://osv.dev/PYSEC-2022-260), [GHSA-v973-fxgf-6xhp](https://osv.dev/GHSA-v973-fxgf-6xhp), ).\n\n## [PYSEC-2022-260](https://osv.dev/PYSEC-2022-260)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.\n\n\u003c/details\u003e\n\n## [GHSA-v973-fxgf-6xhp](https://osv.dev/GHSA-v973-fxgf-6xhp)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | mako | 1.1.3 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-v973-fxgf-6xhp | mako | 1.2.2 |\n| PYSEC-2022-260 | mako | 1.2.2, 925760291d6efec64fda6e9dd1fd9cfbd5be068c |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-40023\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1796
+ },
1797
+ "id": "CVE-2022-40023",
1798
+ "name": "CVE-2022-40023",
1799
+ "properties": {
1800
+ "security-severity": "8.7"
1801
+ },
1802
+ "relationships": [],
1803
+ "shortDescription": {
1804
+ "markdown": "CVE-2022-40023: mako is vulnerable to Regular Expression Denial of Service",
1805
+ "text": "CVE-2022-40023: mako is vulnerable to Regular Expression Denial of Service"
1806
+ }
1807
+ },
1808
+ {
1809
+ "deprecatedIds": [
1810
+ "CVE-2020-25032",
1811
+ "PYSEC-2020-43",
1812
+ "GHSA-xc3p-ff3m-f46v"
1813
+ ],
1814
+ "fullDescription": {
1815
+ "markdown": "An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows `../` directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.",
1816
+ "text": "An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows `../` directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format."
1817
+ },
1818
+ "help": {
1819
+ "markdown": "**Your dependency is vulnerable to [CVE-2020-25032](https://osv.dev/CVE-2020-25032)**\n(Also published as: [PYSEC-2020-43](https://osv.dev/PYSEC-2020-43), [GHSA-xc3p-ff3m-f46v](https://osv.dev/GHSA-xc3p-ff3m-f46v), ).\n\n## [PYSEC-2020-43](https://osv.dev/PYSEC-2020-43)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.\n\n\u003c/details\u003e\n\n## [GHSA-xc3p-ff3m-f46v](https://osv.dev/GHSA-xc3p-ff3m-f46v)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows `../` directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-xc3p-ff3m-f46v | flask-cors | 3.0.9 |\n| PYSEC-2020-43 | flask-cors | 3.0.9 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-25032\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1820
+ "text": "**Your dependency is vulnerable to [CVE-2020-25032](https://osv.dev/CVE-2020-25032)**\n(Also published as: [PYSEC-2020-43](https://osv.dev/PYSEC-2020-43), [GHSA-xc3p-ff3m-f46v](https://osv.dev/GHSA-xc3p-ff3m-f46v), ).\n\n## [PYSEC-2020-43](https://osv.dev/PYSEC-2020-43)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.\n\n\u003c/details\u003e\n\n## [GHSA-xc3p-ff3m-f46v](https://osv.dev/GHSA-xc3p-ff3m-f46v)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows `../` directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | flask-cors | 3.0.8 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-xc3p-ff3m-f46v | flask-cors | 3.0.9 |\n| PYSEC-2020-43 | flask-cors | 3.0.9 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-25032\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1821
+ },
1822
+ "id": "CVE-2020-25032",
1823
+ "name": "CVE-2020-25032",
1824
+ "properties": {
1825
+ "security-severity": "8.7"
1826
+ },
1827
+ "relationships": [],
1828
+ "shortDescription": {
1829
+ "markdown": "CVE-2020-25032: Flask-Cors Directory Traversal vulnerability",
1830
+ "text": "CVE-2020-25032: Flask-Cors Directory Traversal vulnerability"
1831
+ }
1832
+ },
1833
+ {
1834
+ "deprecatedIds": [
1835
+ "CVE-2023-25577",
1836
+ "PYSEC-2023-58",
1837
+ "GHSA-xg9f-g7g7-2323"
1838
+ ],
1839
+ "fullDescription": {
1840
+ "markdown": "Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.",
1841
+ "text": "Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers."
1842
+ },
1843
+ "help": {
1844
+ "markdown": "**Your dependency is vulnerable to [CVE-2023-25577](https://osv.dev/CVE-2023-25577)**\n(Also published as: [PYSEC-2023-58](https://osv.dev/PYSEC-2023-58), [GHSA-xg9f-g7g7-2323](https://osv.dev/GHSA-xg9f-g7g7-2323), ).\n\n## [PYSEC-2023-58](https://osv.dev/PYSEC-2023-58)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.\n\n\u003c/details\u003e\n\n## [GHSA-xg9f-g7g7-2323](https://osv.dev/GHSA-xg9f-g7g7-2323)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage.\n\u003e \n\u003e This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-xg9f-g7g7-2323 | werkzeug | 2.2.3 |\n| PYSEC-2023-58 | werkzeug | 2.2.3, 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-25577\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1845
+ "text": "**Your dependency is vulnerable to [CVE-2023-25577](https://osv.dev/CVE-2023-25577)**\n(Also published as: [PYSEC-2023-58](https://osv.dev/PYSEC-2023-58), [GHSA-xg9f-g7g7-2323](https://osv.dev/GHSA-xg9f-g7g7-2323), ).\n\n## [PYSEC-2023-58](https://osv.dev/PYSEC-2023-58)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.\n\n\u003c/details\u003e\n\n## [GHSA-xg9f-g7g7-2323](https://osv.dev/GHSA-xg9f-g7g7-2323)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage.\n\u003e \n\u003e This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-xg9f-g7g7-2323 | werkzeug | 2.2.3 |\n| PYSEC-2023-58 | werkzeug | 2.2.3, 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-25577\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1846
+ },
1847
+ "id": "CVE-2023-25577",
1848
+ "name": "CVE-2023-25577",
1849
+ "properties": {
1850
+ "security-severity": "7.5"
1851
+ },
1852
+ "relationships": [],
1853
+ "shortDescription": {
1854
+ "markdown": "CVE-2023-25577: High resource usage when parsing multipart form data with many fields",
1855
+ "text": "CVE-2023-25577: High resource usage when parsing multipart form data with many fields"
1856
+ }
1857
+ },
1858
+ {
1859
+ "deprecatedIds": [
1860
+ "CVE-2022-29361",
1861
+ "PYSEC-2022-203"
1862
+ ],
1863
+ "fullDescription": {
1864
+ "markdown": "",
1865
+ "text": ""
1866
+ },
1867
+ "help": {
1868
+ "markdown": "**Your dependency is vulnerable to [CVE-2022-29361](https://osv.dev/CVE-2022-29361)**.\n\n## [PYSEC-2022-203](https://osv.dev/PYSEC-2022-203)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| PYSEC-2022-203 | werkzeug | 2.1.1, 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-29361\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1869
+ "text": "**Your dependency is vulnerable to [CVE-2022-29361](https://osv.dev/CVE-2022-29361)**.\n\n## [PYSEC-2022-203](https://osv.dev/PYSEC-2022-203)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/poetry/poetry.lock | werkzeug | 0.16.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| PYSEC-2022-203 | werkzeug | 2.1.1, 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/poetry/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-29361\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1870
+ },
1871
+ "id": "CVE-2022-29361",
1872
+ "name": "CVE-2022-29361",
1873
+ "relationships": [],
1874
+ "shortDescription": {
1875
+ "markdown": "CVE-2022-29361",
1876
+ "text": "CVE-2022-29361"
1877
+ }
1878
+ }
1879
+ ],
1880
+ "supportedTaxonomies": [],
1881
+ "taxa": [],
1882
+ "version": "2.2.0"
1883
+ },
1884
+ "extensions": []
1885
+ },
1886
+ "translations": [],
1887
+ "versionControlProvenance": [],
1888
+ "webRequests": [],
1889
+ "webResponses": []
1890
+ }
1891
+ ],
1892
+ "properties": {}
1893
+ }