search

DEV-REPO-URIEL / WSD-2772

0 stars 0 forks source link

fastapi-0.34.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 8.1) - autoclosed #11

Closed dev-mend-for-github-com[bot] closed 8 months ago

dev-mend-for-github-com[bot] commented 8 months ago
Vulnerable Library - fastapi-0.34.0-py3-none-any.whl

FastAPI framework, high performance, easy to learn, fast to code, ready for production

Library home page: https://files.pythonhosted.org/packages/45/9e/483c79a63ca3062cc844442b1e88293dcf524ca724742538f036e617dca1/fastapi-0.34.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (fastapi version) Fix PR available
CVE-2021-32677 High 8.1 fastapi-0.34.0-py3-none-any.whl Direct 0.109.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-32677 ### Vulnerable Library - fastapi-0.34.0-py3-none-any.whl

FastAPI framework, high performance, easy to learn, fast to code, ready for production

Library home page: https://files.pythonhosted.org/packages/45/9e/483c79a63ca3062cc844442b1e88293dcf524ca724742538f036e617dca1/fastapi-0.34.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **fastapi-0.34.0-py3-none-any.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.

Publish Date: 2021-06-09

URL: CVE-2021-32677

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7

Release Date: 2021-06-09

Fix Resolution (fastapi): fastapi - 0.65.2

Direct dependency fix Resolution (fastapi): 0.109.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com[bot] commented 8 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.