Open dev-mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
## Vulnerable Library - lyrebird-0.10.5-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749
## Vulnerabilities

## Details
## CVE-2020-36242

### Vulnerable Library - cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/fa/f4/3cde3604972dfa2b0fea85b9711948bb4fb70ab64095322aef35071bd254/cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - mitmproxy-4.0.3-py3-none-any.whl
    - :x: **cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749
Found in base branch: main
### Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Publish Date: 2021-02-07
URL: CVE-2020-36242
### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2021-02-07
Fix Resolution (cryptography): 3.3.2
Direct dependency fix Resolution (lyrebird): 2.10.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2018-14505

### Vulnerable Library - mitmproxy-4.0.3-py3-none-any.whl

An interactive, SSL/TLS-capable intercepting proxy for HTTP/1, HTTP/2, and WebSockets.
Library home page: https://files.pythonhosted.org/packages/5c/29/58bcdda72202c8cc1e1ec0192d67ecbb60999ebcb27059c254e37e52219e/mitmproxy-4.0.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - :x: **mitmproxy-4.0.3-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749
Found in base branch: main
### Vulnerability Details

mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py.
Publish Date: 2018-07-22
URL: CVE-2018-14505
### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14505
Release Date: 2018-07-22
Fix Resolution (mitmproxy): 4.0.4
Direct dependency fix Resolution (lyrebird): 0.11.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2018-10903

### Vulnerable Library - cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/fa/f4/3cde3604972dfa2b0fea85b9711948bb4fb70ab64095322aef35071bd254/cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - mitmproxy-4.0.3-py3-none-any.whl
    - :x: **cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749
Found in base branch: main
### Vulnerability Details

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag, an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
Publish Date: 2018-07-30
URL: CVE-2018-10903
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
Release Date: 2018-07-30
Fix Resolution (cryptography): 2.3
Direct dependency fix Resolution (lyrebird): 0.11.0
:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-25659

### Vulnerable Library - cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/fa/f4/3cde3604972dfa2b0fea85b9711948bb4fb70ab64095322aef35071bd254/cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - mitmproxy-4.0.3-py3-none-any.whl
    - :x: **cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749
Found in base branch: main
### Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Publish Date: 2021-01-11
URL: CVE-2020-25659
### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476
Release Date: 2021-01-11
Fix Resolution (cryptography): 3.2
Direct dependency fix Resolution (lyrebird): 1.18.0
:rescue_worker_helmet: Automatic Remediation is available for this issue.