nlohmann / json

JSON for Modern C++
https://json.nlohmann.me
MIT License

Security vulnerabilities detected: CVE-2022-24439, WS-2022-0438, WS-2022-0437 #4020

Closed eugrin closed 11 months ago

eugrin commented 1 year ago

Description

The following vulnerabilities were identified:

CVE-2022-24439 - All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. Recommendation: Upgrade GitPython from 3.1.29 to 3.1.30 to fix the vulnerability.

Root dependencies for gitpython:
    mkdocs-git-revision-date-localized-plugin 1.1.0
        gitpython 3.1.29

WS-2022-0438 - In nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link. Recommendation: Upgrade to version nltk - 3.8.1

WS-2022-0437 - In nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss. Recommendation: Upgrade to version nltk - 3.8.1

Reproduction steps

N/A

Expected vs. actual results

Expect to get the mentioned components upgraded.

Minimal code example

No response

Error messages

No response

Compiler and operating system

Not related to compiler

Library version

See the description

Validation
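Added example, not part of this issue or of the nlohmann/json repository: a small audit script that checks a pinned requirements file against the minimum fixed versions named in the report above (GitPython 3.1.30, nltk 3.8.1). The requirements text is constructed for the example, and the version comparison is a simple numeric-tuple compare rather than a full PEP 440 implementation.

```python
"""Audit pinned Python requirements against the fixed versions from the report.

Added example; the requirements content below is constructed, not taken from
the nlohmann/json repository.
"""
import re

# Minimum fixed versions, as stated in the issue text: package -> (fixed, advisory ids).
FIXED_VERSIONS = {
    "gitpython": ("3.1.30", ["CVE-2022-24439"]),
    "nltk": ("3.8.1", ["WS-2022-0438", "WS-2022-0437"]),
}

# Constructed sample requirements file for a docs toolchain; only the pins matter.
SAMPLE_REQUIREMENTS = """\
mkdocs==1.4.2
mkdocs-git-revision-date-localized-plugin==1.1.0
GitPython==3.1.29   # pulled in by the revision-date plugin
nltk==3.8.1
"""


def normalize_name(name):
    """Compare package names case-insensitively with '_' and '-' treated alike."""
    return name.strip().lower().replace("_", "-")


def parse_version(text):
    """Turn '3.1.30' into (3, 1, 30) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_requirements(text):
    """Return {normalized name: pinned version} for every 'pkg==ver' line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if match:
            pins[normalize_name(match.group(1))] = match.group(2)
    return pins


def audit(pins):
    """List (name, pinned, fixed, advisory ids) for pins below the fixed version."""
    findings = []
    for name, (fixed, advisories) in FIXED_VERSIONS.items():
        pinned = pins.get(name)
        if pinned is not None and parse_version(pinned) < parse_version(fixed):
            findings.append((name, pinned, fixed, advisories))
    return findings


if __name__ == "__main__":
    for name, pinned, fixed, advisories in audit(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name}=={pinned} is below {fixed}: {', '.join(advisories)}")
```

Running it against the sample reports only GitPython, since the sample already pins nltk at the fixed 3.8.1; the same check can be pointed at a project's real requirements file by reading it in place of the constructed string.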