This repository contains the source code, documentation, and resources for Galactic Chain, a high-performance, interoperable blockchain network designed for scalability and security.
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-30798
### Vulnerable Library - starlette-0.14.2-py3-none-any.whl
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-29159
### Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2023-0138
### Vulnerable Library - starlette-0.14.2-py3-none-any.whl
starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47874
### Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0037
### Vulnerable Library - starlette-0.14.2-py3-none-any.whlThe little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy: - :x: **starlette-0.14.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
### Vulnerability DetailsA Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2023-02-14
URL: WS-2023-0037
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: 0.26.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-30798
### Vulnerable Library - starlette-0.14.2-py3-none-any.whlThe little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy: - :x: **starlette-0.14.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
### Vulnerability DetailsThere MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Publish Date: 2023-04-21
URL: CVE-2023-30798
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798
Release Date: 2023-04-21
Fix Resolution: 0.26.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-29159
### Vulnerable Library - starlette-0.14.2-py3-none-any.whlThe little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy: - :x: **starlette-0.14.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
### Vulnerability DetailsDirectory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Publish Date: 2023-06-01
URL: CVE-2023-29159
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px
Release Date: 2023-06-01
Fix Resolution: 0.28.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2023-0138
### Vulnerable Library - starlette-0.14.2-py3-none-any.whlThe little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy: - :x: **starlette-0.14.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
### Vulnerability Detailsstarlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Publish Date: 2023-05-16
URL: WS-2023-0138
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px
Release Date: 2023-05-16
Fix Resolution: 0.28.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47874
### Vulnerable Library - starlette-0.14.2-py3-none-any.whlThe little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy: - :x: **starlette-0.14.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
### Vulnerability DetailsStarlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
Publish Date: 2024-10-15
URL: CVE-2024-47874
### CVSS 3 Score Details (0.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47874
Release Date: 2024-10-15
Fix Resolution: 0.40.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)