mpenning / ciscoconfparse

Parse, Audit, Query, Build, and Modify Arista / Cisco / Juniper / Palo Alto / F5 configurations.
http://www.pennington.net/py/ciscoconfparse/
GNU General Public License v3.0

CVE-2022-40898: Vulnerability due to transitive dependency #257

Closed syn-4ck closed 1 year ago

syn-4ck commented 1 year ago

A high severity vulnerability is detected by Snyk in ciscoconfparse package due to pyroma@4.1 › wheel@0.30.0.


Could you review the dependency and bump the version (I think that the latest is still vulnerable) or try to pin the wheel package to version 0.38.0? Thanks in advance.

Regards.

mpenning commented 1 year ago

This technically is not a ciscoconfparse vulnerability. The wheel package is not unique to ciscoconfparse.

I don't think this CVE matters much for ciscoconfparse, but the latest git HEAD commit hash (79ef365dad5aa3ac047a3b71d7aa68ec1a60221a) has upgraded package dependencies... we need wheel > 0.38.0 to fix CVE-2022-40898.

Version 1.7.2 will include the modified requirements.txt to manually upgrade the wheel package version.
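One way to check a frozen environment for the transitive wheel pin discussed in this thread, as an added example that is not part of ciscoconfparse; the frozen package list, the requirement edges and the `audit_wheel` helper are constructed for illustration, with the "> 0.38.0" floor taken from the comment above:

```python
"""Added audit helper (not ciscoconfparse code) for the wheel floor quoted in the issue."""
from __future__ import annotations

WHEEL_FIX_FLOOR = (0, 38, 0)  # CVE-2022-40898: wheel must be > 0.38.0

# Constructed pip-freeze style snapshot and requirement edges (hypothetical values).
FROZEN = "ciscoconfparse==1.7.1\npyroma==4.1\nwheel==0.30.0\npasslib==1.7.4\n"
REQUIRES = {"ciscoconfparse": ["pyroma", "passlib"], "pyroma": ["wheel"]}


def parse_version(text: str) -> tuple[int, ...]:
    """'0.38.0' -> (0, 38, 0); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_freeze(text: str) -> dict[str, str]:
    """Map lowercase package name to version from 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins


def dependency_paths(root: str, target: str, requires: dict) -> list[list[str]]:
    """Every requirement chain root -> ... -> target (here: pyroma pulls in wheel)."""
    found = []

    def walk(node, trail):
        if node == target:
            found.append(trail)
            return
        for child in requires.get(node, []):
            if child not in trail:  # guard against cyclic edges
                walk(child, trail + [child])

    walk(root, [root])
    return found


def audit_wheel(freeze_text: str, requires: dict, root: str) -> dict:
    """Pinned wheel version, whether it is at or below the floor, and who pulls it in."""
    installed = parse_freeze(freeze_text).get("wheel")
    vulnerable = installed is not None and parse_version(installed) <= WHEEL_FIX_FLOOR
    return {"installed": installed, "vulnerable": vulnerable,
            "paths": dependency_paths(root, "wheel", requires) if vulnerable else []}
```

Run against real output of `pip freeze` and a requirement map from your package metadata, it reports the same chain Snyk flagged (ciscoconfparse to pyroma to wheel) and clears once wheel is above 0.38.0.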