KOSASIH / pi-nexus-autonomous-banking-network

A decentralized, AI-driven system accelerating the Open Mainet Pi Network, connecting global banks for secure, efficient, and autonomous transactions.
https://kosasih.github.io/pi-nexus-autonomous-banking-network/
Apache License 2.0
219 stars 38 forks source link

nltk-3.6.2-py3-none-any.whl: 6 vulnerabilities (highest severity is: 9.8) - autoclosed #1762

Closed mend-bolt-for-github[bot] closed 3 months ago

mend-bolt-for-github[bot] commented 4 months ago
Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nltk version) Remediation Possible**
CVE-2024-39705 Critical 9.8 nltk-3.6.2-py3-none-any.whl Direct N/A
CVE-2021-43854 High 7.5 nltk-3.6.2-py3-none-any.whl Direct 3.6.6
CVE-2021-3842 High 7.5 nltk-3.6.2-py3-none-any.whl Direct 3.6.6
CVE-2021-3828 High 7.5 nltk-3.6.2-py3-none-any.whl Direct 3.6.4
WS-2022-0437 Medium 6.1 nltk-3.6.2-py3-none-any.whl Direct 3.8.1
WS-2022-0438 Medium 5.0 nltk-3.6.2-py3-none-any.whl Direct 3.8.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39705 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Dependency Hierarchy: - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

### Vulnerability Details

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

Publish Date: 2024-06-27

URL: CVE-2024-39705

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-43854 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Dependency Hierarchy: - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

### Vulnerability Details

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

Publish Date: 2021-12-23

URL: CVE-2021-43854

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854

Release Date: 2021-12-23

Fix Resolution: 3.6.6

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3842 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Dependency Hierarchy: - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

### Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2022-01-04

URL: CVE-2021-3842

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x

Release Date: 2022-01-04

Fix Resolution: 3.6.6

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3828 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Dependency Hierarchy: - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

### Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-27

URL: CVE-2021-3828

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3828

Release Date: 2021-09-27

Fix Resolution: 3.6.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0437 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Dependency Hierarchy: - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

### Vulnerability Details

In nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss.

Publish Date: 2022-12-23

URL: WS-2022-0437

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/

Release Date: 2022-12-23

Fix Resolution: 3.8.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0438 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Path to dependency file: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Path to vulnerable library: /blockchain_integration/pi_network/pi_network_university/ai_course_recommendations/requirements.txt

Dependency Hierarchy: - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

### Vulnerability Details

In nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link.

Publish Date: 2022-12-29

URL: WS-2022-0438

### CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/

Release Date: 2022-12-29

Fix Resolution: 3.8.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.