WS-2023-0180 (Critical) detected in sympy-1.10.1-py3-none-any.whl

[mend-bolt-for-github[bot]]

WS-2023-0180 - Critical Severity Vulnerability

Vulnerable Library - sympy-1.10.1-py3-none-any.whl

Computer algebra system (CAS) in Python

Library home page: https://files.pythonhosted.org/packages/d0/04/66be21ceb305c66a4b326b0ae44cc4f027a43bc08cac204b48fb45bb3653/sympy-1.10.1-py3-none-any.whl

Path to dependency file: /jupyter-scipy/requirements.txt

Path to vulnerable library: /jupyter-scipy/requirements.txt

Dependency Hierarchy: - :x: **sympy-1.10.1-py3-none-any.whl** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XML External Entity (XXE) injection in sympy in sympy/sympy

Publish Date: 2023-03-29

URL: WS-2023-0180

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/692bf03d-973b-4fbc-b9e4-dd158bdd422b/

Release Date: 2023-03-29

Fix Resolution: sympy - 1.12

---

Step up your Open Source Security Game with Mend here