## Vulnerable Library - streamlit-1.23.1-py2.py3-none-any.whl

A faster way to build and share data apps

Library home page: https://files.pythonhosted.org/packages/d1/8d/e5d5c0573346db3168641f0c662d2d68ba25c2f8d5197b37d67947333465/streamlit-1.23.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea

## Vulnerabilities

\*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

\*\*In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

## Details
**CVE-2023-47248**

### Vulnerable Library - pyarrow-12.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python library for Apache Arrow

Library home page: https://files.pythonhosted.org/packages/00/bd/4c03789f723337723670e8cf8935b18e170e7af3813ec38e71d2cfb0bd93/pyarrow-12.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - :x: **pyarrow-12.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Publish Date: 2023-11-09
URL: CVE-2023-47248

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
Release Date: 2023-11-09
Fix Resolution: pyarrow - 14.0.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

**CVE-2024-22190**
### Vulnerable Library - GitPython-3.1.37-py3-none-any.whl

GitPython is a Python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/8a/7e/20f7e45878b5aed34320fbeeae8f78acc806e7bd708d00b1c6e64b016f5b/GitPython-3.1.37-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - :x: **GitPython-3.1.37-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

GitPython is a Python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features is used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Publish Date: 2024-01-11
URL: CVE-2024-22190

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190
Release Date: 2024-01-11
Fix Resolution: GitPython - 3.1.41

**CVE-2024-52804**
### Vulnerable Library - tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/19/bb/b6c3d1668d2b10ad38a584f3a1ec9737984e274f8b708e09fcbb96427f5c/tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - :x: **tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

Publish Date: 2024-11-22
URL: CVE-2024-52804

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-52804
Release Date: 2024-11-22
Fix Resolution (tornado): 6.4.2
Direct dependency fix Resolution (streamlit): 1.24.0

**CVE-2024-42474**
### Vulnerable Library - streamlit-1.23.1-py2.py3-none-any.whl

A faster way to build and share data apps

Library home page: https://files.pythonhosted.org/packages/d1/8d/e5d5c0573346db3168641f0c662d2d68ba25c2f8d5197b37d67947333465/streamlit-1.23.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **streamlit-1.23.1-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Streamlit is a data-oriented application development framework for Python. Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

Publish Date: 2024-08-12
URL: CVE-2024-42474

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/streamlit/streamlit/security/advisories/GHSA-rxff-vr5r-8cj5
Release Date: 2024-08-12
Fix Resolution: 1.26.1

**CVE-2023-28370**
### Vulnerable Library - tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/19/bb/b6c3d1668d2b10ad38a584f3a1ec9737984e274f8b708e09fcbb96427f5c/tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - :x: **tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.

Publish Date: 2023-05-25
URL: CVE-2023-28370

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Release Date: 2023-05-25
Fix Resolution (tornado): 6.3.2
Direct dependency fix Resolution (streamlit): 1.24.0

**WS-2023-0296**
### Vulnerable Library - tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/19/bb/b6c3d1668d2b10ad38a584f3a1ec9737984e274f8b708e09fcbb96427f5c/tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - :x: **tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths.

Publish Date: 2024-11-03
URL: WS-2023-0296

### CVSS 3 Score Details (5.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-qppv-j76h-2rpx
Release Date: 2024-11-03
Fix Resolution (tornado): 6.3.3
Direct dependency fix Resolution (streamlit): 1.24.0

**CVE-2024-34064**
### Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - pydeck-0.8.1b0-py2.py3-none-any.whl
    - :x: **Jinja2-3.1.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

Publish Date: 2024-05-06
URL: CVE-2024-34064

### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
Release Date: 2024-05-06
Fix Resolution: Jinja2 - 3.1.4

**CVE-2024-22195**
### Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- streamlit-1.23.1-py2.py3-none-any.whl (Root Library)
  - pydeck-0.8.1b0-py2.py3-none-any.whl
    - :x: **Jinja2-3.1.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8e387a7262658283897e667cd3516ab139260eea
Found in base branch: main

### Vulnerability Details

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Publish Date: 2024-01-11
URL: CVE-2024-22195

### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
Release Date: 2024-01-11
Fix Resolution: jinja2 - 3.1.3