Closed mend-bolt-for-github[bot] closed 2 years ago
Nice to meet you, @mend-bolt-for-github[bot]. Thank you for creating an issue. There are some tasks for you:
To close the issue, send the comment "close"; to reopen, send "reopen".
Nice, one of the tasks is done.
Denial of Service (DoS) attacks caused by regular expressions make the system hang, or work very slowly, when an attacker sends a well-crafted input whose processing time grows exponentially with the input size. Denial-of-service attacks significantly degrade the service quality experienced by legitimate users: they introduce large response delays, excessive losses, and service interruptions, with a direct impact on availability.
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, among them manipulating network packets or abusing programming, logical, or resource-handling vulnerabilities. Source: https://www.owasp.org/index.php/Denial_of_Service
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.
Thanks for the issue, @mend-bolt-for-github[bot]! @AdamOswald, thank you for closing this issue; I have less work. I will look forward to our next meeting 😜
If you want to reopen the issue - type "reopen"
## Vulnerable Library - bleach-3.1.0-py37_0.conda
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
## Vulnerabilities

## Details
## CVE-2020-6817

### Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
- :x: **bleach-3.1.0-py37_0.conda** (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
### Vulnerability Details

A regular expression denial-of-service (ReDoS) found in Bleach before 3.1.4.
Publish Date: 2020-04-01
URL: CVE-2020-6817
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution: bleach - 3.1.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

## CVE-2020-6816
### Vulnerability Details

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.
Publish Date: 2020-03-24
URL: CVE-2020-6816
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
Release Date: 2020-03-24
Fix Resolution: bleach - 3.1.2
## CVE-2020-6802
### Vulnerability Details

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Publish Date: 2020-03-24
URL: CVE-2020-6802
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-q65m-pv3f-wr5r
Release Date: 2020-03-24
Fix Resolution: 3.1.1
## WS-2021-0011
### Vulnerability Details

In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.
Publish Date: 2021-02-01
URL: WS-2021-0011
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution: bleach - 3.3.0
## CVE-2021-23980
### Vulnerability Details

A flaw was found in bleach before 3.3.0. A mutation XSS affects users calling "bleach.clean". This was fixed in commit 1334134.
Publish Date: 2021-01-14
URL: CVE-2021-23980
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://osv.dev/vulnerability/PYSEC-2021-865
Release Date: 2021-01-14
Fix Resolution: bleach - 3.3.0