AdiRashkes / python-tda-bug-hunt-2


lyrebird-0.10.5-py3-none-any.whl: 4 vulnerabilities (highest severity is: 9.1) #5

Open dev-mend-for-github-com[bot] opened 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - lyrebird-0.10.5-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (lyrebird version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-36242 | High | 9.1 | cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl | Transitive | 2.10.0 | |
| CVE-2018-14505 | High | 8.8 | mitmproxy-4.0.3-py3-none-any.whl | Transitive | 0.11.0 | |
| CVE-2018-10903 | High | 7.5 | cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl | Transitive | 0.11.0 | |
| CVE-2020-25659 | Medium | 5.9 | cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl | Transitive | 1.18.0 | |

Details

## CVE-2020-36242

### Vulnerable Library - cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/fa/f4/3cde3604972dfa2b0fea85b9711948bb4fb70ab64095322aef35071bd254/cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - mitmproxy-4.0.3-py3-none-any.whl
    - :x: **cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749

Found in base branch: main

### Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

### CVSS 3 Score Details (9.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2021-02-07

Fix Resolution (cryptography): 3.3.2

Direct dependency fix Resolution (lyrebird): 2.10.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2018-14505

### Vulnerable Library - mitmproxy-4.0.3-py3-none-any.whl

An interactive, SSL/TLS-capable intercepting proxy for HTTP/1, HTTP/2, and WebSockets.

Library home page: https://files.pythonhosted.org/packages/5c/29/58bcdda72202c8cc1e1ec0192d67ecbb60999ebcb27059c254e37e52219e/mitmproxy-4.0.3-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - :x: **mitmproxy-4.0.3-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749

Found in base branch: main

### Vulnerability Details

mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py.

Publish Date: 2018-07-22

URL: CVE-2018-14505

### CVSS 3 Score Details (8.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14505

Release Date: 2018-07-22

Fix Resolution (mitmproxy): 4.0.4

Direct dependency fix Resolution (lyrebird): 0.11.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2018-10903

### Vulnerable Library - cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/fa/f4/3cde3604972dfa2b0fea85b9711948bb4fb70ab64095322aef35071bd254/cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - mitmproxy-4.0.3-py3-none-any.whl
    - :x: **cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749

Found in base branch: main

### Vulnerability Details

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

Publish Date: 2018-07-30

URL: CVE-2018-10903

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903

Release Date: 2018-07-30

Fix Resolution (cryptography): 2.3

Direct dependency fix Resolution (lyrebird): 0.11.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-25659

### Vulnerable Library - cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/fa/f4/3cde3604972dfa2b0fea85b9711948bb4fb70ab64095322aef35071bd254/cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

- lyrebird-0.10.5-py3-none-any.whl (Root Library)
  - mitmproxy-4.0.3-py3-none-any.whl
    - :x: **cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: a0bcf5d7b8ad6b58c9e81f8f4b97e6bad7570749

Found in base branch: main

### Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

### CVSS 3 Score Details (5.9)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476

Release Date: 2021-01-11

Fix Resolution (cryptography): 3.2

Direct dependency fix Resolution (lyrebird): 1.18.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

dev-mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

dev-mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.