IGNF / route-graph-generator

Script collection used to generate routing data for Road2 (https://github.com/IGNF/road2)
https://ignf.github.io/route-graph-generator/
GNU General Public License v3.0

safety check returns some vulnerability #64

Open jmkerloch opened 1 year ago

jmkerloch commented 1 year ago

The Python package safety returns some vulnerabilities:

+==============================================================================+

                                   /$$$$$$            /$$
                                  /$$__  $$          | $$
               /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
              /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
             |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
              \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
              /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
             |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                              /$$  | $$
                                                             |  $$$$$$/
      by pyup.io                                              \______/

+==============================================================================+

 REPORT 

  Safety is using PyUp's free open-source vulnerability database. This
data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity
reporting, cybersecurity support, team and project policy management and more
sign up at https://pyup.io or email sales@pyup.io

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /home/jmkerloch/dev/route-graph-generator/.venv/lib/python3.10/site-packages
  -> /home/jmkerloch/dev/route-graph-generator

  Using non-commercial database
  Found and scanned 76 packages
  Timestamp 2023-06-29 08:06:39
  8 vulnerabilities found
  0 vulnerabilities ignored

+==============================================================================+
 VULNERABILITIES FOUND
+==============================================================================+

-> Vulnerability found in sqlparse version 0.4.2
   Vulnerability ID: 55054
   Affected spec: >=0.1.15,<0.4.4
   ADVISORY: Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser
   contains a regular expression that is vulnerable to ReDOS (Regular...
   CVE-2023-30608
   For more information, please visit https://pyup.io/v/55054/f17

-> Vulnerability found in setuptools version 45.2.0
   Vulnerability ID: 52495
   Affected spec: <65.5.1
   ADVISORY: Python Packaging Authority (PyPA) setuptools before 65.5.1
   allows remote attackers to cause a denial of service via HTML in a crafted...
   CVE-2022-40897
   For more information, please visit https://pyup.io/v/52495/f17

-> Vulnerability found in requests version 2.28.2
   Vulnerability ID: 58755
   Affected spec: >=2.3.0,<2.31.0
   ADVISORY: Requests is a HTTP library. Since Requests 2.3.0, Requests
   has been leaking Proxy-Authorization headers to destination servers when...
   CVE-2023-32681
   For more information, please visit https://pyup.io/v/58755/f17

-> Vulnerability found in markdown-it-py version 2.1.0
   Vulnerability ID: 54650
   Affected spec: >=0,<2.2.0
   ADVISORY: Denial of service could be caused to markdown-it-py, before
   v2.2.0, if an attacker was allowed to force null assertions with specially...
   CVE-2023-26303
   For more information, please visit https://pyup.io/v/54650/f17

-> Vulnerability found in markdown-it-py version 2.1.0
   Vulnerability ID: 54651
   Affected spec: >=0,<2.2.0
   ADVISORY: Denial of service could be caused to the command line
   interface of markdown-it-py, before v2.2.0, if an attacker was allowed to...
   CVE-2023-26302
   For more information, please visit https://pyup.io/v/54651/f17

-> Vulnerability found in lxml version 4.6.4
   Vulnerability ID: 43366
   Affected spec: <4.6.5
   ADVISORY: Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to
   version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script...
   CVE-2021-43818
   For more information, please visit https://pyup.io/v/43366/f17

-> Vulnerability found in lxml version 4.6.4
   Vulnerability ID: 50748
   Affected spec: <4.9.1
   ADVISORY: Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer
   Dereference allows attackers to cause a denial of service (or application...
   CVE-2022-2309
   For more information, please visit https://pyup.io/v/50748/f17

-> Vulnerability found in cryptography version 39.0.0
   Vulnerability ID: 53048
   Affected spec: >=1.8,<39.0.1
   ADVISORY: Cryptography 39.0.1 includes a fix for CVE-2023-23931: In
   affected versions 'Cipher.update_into' would accept Python objects which...
   CVE-2023-23931
   For more information, please visit https://pyup.io/v/53048/f17

 Scan was completed. 8 vulnerabilities were found. 

+==============================================================================+
   REMEDIATIONS

  8 vulnerabilities were found in 6 packages. For detailed remediation & fix 
  recommendations, upgrade to a commercial license. 

+==============================================================================+

  Safety is using PyUp's free open-source vulnerability database. This
data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity
reporting, cybersecurity support, team and project policy management and more
sign up at https://pyup.io or email sales@pyup.io

+==============================================================================+

We should try to update some requirements.