search

Seagate / cortx-rgw

Ceph is a distributed object, block, and file storage platform. This repo is a fork of that repo that the CORTX community uses to stage our changes for the purposes of creating and maintaining a motr SAL backend for RGW.
https://github.com/Seagate/cortx
Other
5 stars 32 forks source link

CVE-2023-25399 (Medium) detected in scipy-1.1.0-cp37-cp37m-manylinux1_x86_64.whl, scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl - autoclosed #587

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago

CVE-2023-25399 - Medium Severity Vulnerability

Vulnerable Libraries - scipy-1.1.0-cp37-cp37m-manylinux1_x86_64.whl, scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

scipy-1.1.0-cp37-cp37m-manylinux1_x86_64.whl

SciPy: Scientific Library for Python

Library home page: https://files.pythonhosted.org/packages/40/de/0c22c6754370ba6b1fa8e53bd6e514d4a41a181125d405a501c215cbdbd6/scipy-1.1.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /src/pybind/mgr/diskprediction_local/requirements.txt

Path to vulnerable library: /src/pybind/mgr/diskprediction_local/requirements.txt,/src/pybind/rbd,/src/pybind/rgw,/src/tools/cephfs/shell

Dependency Hierarchy: - :x: **scipy-1.1.0-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

SciPy: Scientific Library for Python

Library home page: https://files.pythonhosted.org/packages/58/4f/11f34cfc57ead25752a7992b069c36f5d18421958ebd6466ecd849aeaf86/scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /src/pybind/mgr/requirements.txt

Path to vulnerable library: /src/pybind/mgr/requirements.txt

Dependency Hierarchy: - :x: **scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: aa78617d024ccd26801e43c6980f939cf8bded5f

Found in base branch: main

Vulnerability Details

A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function.

Publish Date: 2023-07-05

URL: CVE-2023-25399

CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25399

Release Date: 2023-07-05

Fix Resolution: 1.10.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.