Status: Closed (opened by seanorama; closed 1 year ago)
Please update the pinned versions to mitigate these CVEs.
Note several PRs from Dependabot to update these.
```
$ trivy repository --security-checks vuln https://github.com/github/github-team-sync
2023-03-31T23:07:00.173-0500	INFO	Vulnerability scanning is enabled
Enumerating objects: 171, done.
Counting objects: 100% (171/171), done.
Compressing objects: 100% (140/140), done.
Total 171 (delta 97), reused 63 (delta 27), pack-reused 0
2023-03-31T23:07:04.061-0500	INFO	Number of language-specific files: 1
2023-03-31T23:07:04.061-0500	INFO	Detecting pipenv vulnerabilities...

Pipfile.lock (pipenv)

Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 3, CRITICAL: 0)

┌──────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library    │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ certifi      │ CVE-2022-23491      │ MEDIUM   │ 2022.5.18.1       │ 2022.12.07    │ python-certifi: untrusted root certificates                  │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23491                   │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ cryptography │ CVE-2023-0286       │ HIGH     │ 37.0.2            │ 39.0.1        │ openssl: X.400 address type confusion in X.509 GeneralName   │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                    │
│              ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-23931      │ MEDIUM   │                   │               │ python-cryptography: memory corruption via immutable objects │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-23931                   │
│              ├─────────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ GHSA-39hc-v87j-747x │          │                   │ 38.0.3        │ Vulnerable OpenSSL included in cryptography wheels           │
│              │                     │          │                   │               │ https://github.com/advisories/GHSA-39hc-v87j-747x            │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ setuptools   │ CVE-2022-40897      │ HIGH     │ 62.3.2            │ 65.5.1        │ pypa-setuptools: Regular Expression Denial of Service        │
│              │                     │          │                   │               │ (ReDoS) in package_index.py                                  │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40897                   │
├──────────────┼─────────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ werkzeug     │ CVE-2023-25577      │          │ 2.1.2             │ 2.2.3         │ python-werkzeug: high resource usage when parsing multipart  │
│              │                     │          │                   │               │ form data with many fields...                                │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-25577                   │
│              ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-23934      │ LOW      │                   │               │ python-werkzeug: cookie prefixed with = can shadow           │
│              │                     │          │                   │               │ unprefixed cookie                                            │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-23934                   │
└──────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```