Closed: litios closed this 3 months ago
👋 Hi @litios, normally we don't have a lower bound with no upper bound on an advisory unless the advisory is about a malicious package. However, I'm accepting the contribution with 2.14.1 as the most recent affected version and you'll still get credit on the advisory for alerting us to the fact that 2.14.1 is vulnerable.
Hi @litios! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Hi @shelbyc, thanks! That makes sense :)
I would like to point out that this advisory relates to several others that all follow pickle deserialization attacks, tracked in this issue
I warned the upstream developers that most certainly the rest of the advisories need an update too due to the quick release cycle of the project. Let me know if there is anything else I can help with.
Updates
Comments: Versions above 2.13.1 are affected, tested on 2.14.1.