classicvalues / Morpheus

Morpheus SDK
Apache License 2.0

sympy-1.10.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 9.8) #15

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - sympy-1.10.1-py3-none-any.whl

Computer algebra system (CAS) in Python

Library home page: https://files.pythonhosted.org/packages/d0/04/66be21ceb305c66a4b326b0ae44cc4f027a43bc08cac204b48fb45bb3653/sympy-1.10.1-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/phishing-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/phishing-models/requirements.txt,/models/validation-inference-scripts/root-cause-models/requirements.txt,/models/validation-inference-scripts/root-cause-models/requirements.txt,/models/validation-inference-scripts/phishing-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (sympy version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2023-0180 | Critical | 9.8 | sympy-1.10.1-py3-none-any.whl | Direct | 1.12 | Yes |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**WS-2023-0180**

### Vulnerable Library - sympy-1.10.1-py3-none-any.whl

Computer algebra system (CAS) in Python

Library home page: https://files.pythonhosted.org/packages/d0/04/66be21ceb305c66a4b326b0ae44cc4f027a43bc08cac204b48fb45bb3653/sympy-1.10.1-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/phishing-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/phishing-models/requirements.txt,/models/validation-inference-scripts/root-cause-models/requirements.txt,/models/validation-inference-scripts/root-cause-models/requirements.txt,/models/validation-inference-scripts/phishing-models/requirements.txt

Dependency Hierarchy:

- :x: **sympy-1.10.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

### Vulnerability Details

XML External Entity (XXE) injection in sympy in sympy/sympy

Publish Date: 2023-03-29

URL: WS-2023-0180

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/692bf03d-973b-4fbc-b9e4-dd158bdd422b/

Release Date: 2023-03-29

Fix Resolution: 1.12
