*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.
Vulnerable Library - tweepy-3.9.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-36087
### Vulnerable Library - oauthlib-3.2.0-py3-none-any.whlA generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/1d/46/5ee2475e1b46a26ca0fa10d3c1d479577fde6ee289f8c6aa6d7ec33e31fd/oauthlib-3.2.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - tweepy-3.9.0-py2.py3-none-any.whl (Root Library) - requests_oauthlib-1.3.1-py2.py3-none-any.whl - :x: **oauthlib-3.2.0-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 34a70744391d98b49e5f0b8be8fc254a3cf2cf43
Found in base branch: main
### Vulnerability DetailsOAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds. Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.
Publish Date: 2022-09-09
URL: CVE-2022-36087
### CVSS 3 Score Details (5.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
Release Date: 2022-09-09
Fix Resolution: oauthlib - 3.2.2