DEV-REPO-URIEL / WSD-2772


pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 3.3) #9

Open dev-mend-for-github-com[bot] opened 6 months ago

dev-mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl

Data validation and settings management using python 3.6 type hinting

Library home page: https://files.pythonhosted.org/packages/18/e1/64d31e36716aac5ee9224f0db2151f86c1bcd1adbc49939be07136223d34/pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 362d83c2cee2ce4f84741d69b436cb3806f0605b

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (pydantic version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-29510 | Low | 3.3 | pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl | Direct | 1.6.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-29510

### Vulnerable Library - pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl

Data validation and settings management using python 3.6 type hinting

Library home page: https://files.pythonhosted.org/packages/18/e1/64d31e36716aac5ee9224f0db2151f86c1bcd1adbc49939be07136223d34/pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

- :x: **pydantic-0.30-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 362d83c2cee2ce4f84741d69b436cb3806f0605b

Found in base branch: main

### Vulnerability Details

Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on [pypi](https://pypi.org/project/pydantic/#history), and will be available on [conda-forge](https://anaconda.org/conda-forge/pydantic) soon. See the [changelog](https://pydantic-docs.helpmanual.io/) for details. If you absolutely can't upgrade, you can work around this risk using a [validator](https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.

Publish Date: 2021-05-13

URL: CVE-2021-29510

### CVSS 3 Score Details (3.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh

Release Date: 2021-05-13

Fix Resolution: 1.6.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

dev-mend-for-github-com[bot] commented 6 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.