KOSASIH / pi-nexus-autonomous-banking-network

A decentralized, AI-driven system accelerating the Open Mainet Pi Network, connecting global banks for secure, efficient, and autonomous transactions.
https://kosasih.github.io/pi-nexus-autonomous-banking-network/
Apache License 2.0

astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 2 vulnerabilities (highest severity is: 8.4) - autoclosed #1749

Closed mend-bolt-for-github[bot] closed 1 month ago

mend-bolt-for-github[bot] commented 1 month ago
Vulnerable Library - astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Astronomy and astrophysics core library

Library home page: https://files.pythonhosted.org/packages/39/6e/04fba8c047000e3d9f09879f4e24ff805edbc4bb3943ec3a31e18ed6cad4/astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt

Path to vulnerable library: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (astropy version) | Remediation Possible** |
|-----|----------|------|------------|------|----------------------------|------------------------|
| CVE-2023-41334 | High | 8.4 | astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | 5.3.3 | |
| WS-2023-0378 | High | 7.8 | astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | 5.3.3 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-41334

### Vulnerable Library - astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Astronomy and astrophysics core library

Library home page: https://files.pythonhosted.org/packages/39/6e/04fba8c047000e3d9f09879f4e24ff805edbc4bb3943ec3a31e18ed6cad4/astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt

Path to vulnerable library: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt

Dependency Hierarchy:

- :x: **astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

### Vulnerability Details

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

Publish Date: 2024-03-18

URL: CVE-2023-41334

### CVSS 3 Score Details (8.4)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf

Release Date: 2024-03-18

Fix Resolution: 5.3.3

WS-2023-0378

### Vulnerable Library - astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Astronomy and astrophysics core library

Library home page: https://files.pythonhosted.org/packages/39/6e/04fba8c047000e3d9f09879f4e24ff805edbc4bb3943ec3a31e18ed6cad4/astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt

Path to vulnerable library: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt

Dependency Hierarchy:

- :x: **astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

### Vulnerability Details

A Remote Code Execution can be achieved via the TranformGraph().to_dot_graph function in astropy prior to 5.3.3. Due to improper input validation, a malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be executed successfully.

Publish Date: 2023-10-13

URL: WS-2023-0378

### CVSS 3 Score Details (7.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/c183c24b-cd8d-456a-b7ad-737f4cb24e87/

Release Date: 2023-10-13

Fix Resolution: 5.3.3

mend-bolt-for-github[bot] commented 1 month ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.