timvink / mkdocs-table-reader-plugin

MkDocs plugin that enables a markdown tag like {{ read_csv('table.csv') }} to directly insert various table formats into a page
https://timvink.github.io/mkdocs-table-reader-plugin/
MIT License

Title: Arbitrary File Read Vulnerability in pandas v2.2.2 #75

Closed Nanmozhi22 closed 2 weeks ago

Nanmozhi22 commented 2 weeks ago

The pandas library version 2.2.2 has been identified to contain an arbitrary file read vulnerability. This vulnerability allows attackers to read arbitrary files on the system where the library is used.

Vulnerable Library:

pandas-2.2.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Powerful data structures for data analysis, time series, and statistics
Library home page

Path to Dependency File: /tmp/ws-scm/alm-docs/requirements.txt
Path to Vulnerable Library: /tmp/ws-scm/alm-docs/requirements.txt

Dependency Hierarchy:

mkdocs_table_reader_plugin-2.2.1-py3-none-any.whl (Root Library)
  ❌ pandas-2.2.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Vulnerability Details:

Publish Date: 2024-08-23
URL: CVE-2024-42992
CVSS 3 Score: 7.5

Base Score Metrics:

Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix:

Type: Upgrade version
Fix Resolution: Upgrade to pandas versions 2.1.0rc0, 2.0.0rc0, or 0.15.2.
Origin: CVE-2024-42992
Release Date: 2024-08-23

Nanmozhi22 commented 2 weeks ago

I will work on this issue to fix this

Nanmozhi22 commented 2 weeks ago

Submitted Internal PR for review

timvink commented 2 weeks ago

This is not a vulnerability in this plugin.

https://github.com/timvink/mkdocs-table-reader-plugin/blob/47ac5d555176f114aa3edbf598b505633e3d2929/setup.py#L28

Nanmozhi22 commented 2 weeks ago

Thank you for your response! While I understand that the vulnerability may not directly affect this plugin, updating to a non-vulnerable version of pandas is a precautionary measure to ensure the security of all users.

Details:

Vulnerability: CVE-2024-42992 allows arbitrary file read, which could potentially be exploited in certain scenarios.
Suggested Fix: Update pandas to version 2.1.0rc0, 2.0.0rc0, or 0.15.2.

Additional Context:

This vulnerability issue was identified by our Mend bot because we are using this plugin in one of our documentation websites. To address this issue on our end, we had to update the pandas version in our requirements.txt. We would like to contribute to the community by making this change in the plugin itself to benefit all users.

Maintaining up-to-date dependencies is crucial for security, and I believe this update would benefit all users of the plugin.

Thank you for considering this request.

timvink commented 2 weeks ago

I appreciate your concern for security, and trying to help out with this plugin.

But I think plugins like this one should specify the minimal required version of dependencies, rather than enforcing the very latest (and most secure) releases.

If you pip install table-reader now, and you don't already have pandas, you will get the latest and greatest already. If you pip install table-reader and you already have pandas installed in your python environment, there is probably a good reason for that. Perhaps the code base does not work with pandas 2.0 yet.

In other words, you want to avoid dependency hell by specifying loose dependencies. Users requiring secure environments can always add a requirement on pandas or do pip install -U pandas, or use python tooling to upgrade their environment to the latest versions.
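The resolution behaviour described in the comment above, modelled in a small Python script added here for illustration (it is not part of the thread, the plugin, or pip). The plugin lower bound, the release index and the consumer constraint are all constructed values; the real bound lives in setup.py and is not quoted on this page.

```python
"""Toy model of pip's default upgrade strategy ("only-if-needed") for a plugin
that declares a loose lower bound on pandas versus a consumer adding its own
stricter constraint. Constructed example; not pip's real resolver."""
from typing import Iterable, Optional

# Constructed list of available releases; not the real PyPI history.
INDEX = ["1.5.3", "2.0.3", "2.1.4", "2.2.2", "2.2.3"]

# Hypothetical lower bound a plugin might declare in install_requires.
PLUGIN_REQ = [">=1.0"]


def parse(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple (release segments only)."""
    return tuple(int(p) for p in v.split("."))


OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def satisfies(version: str, specifiers: Iterable[str]) -> bool:
    """True if version meets every specifier such as '>=1.1' or '<3'."""
    for spec in specifiers:
        for op in sorted(OPS, key=len, reverse=True):  # try '>=' before '>'
            if spec.startswith(op):
                if not OPS[op](parse(version), parse(spec[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier {spec!r}")
    return True


def resolve(installed: Optional[str], specifiers: Iterable[str], index=INDEX) -> str:
    """Keep the already-installed version if it satisfies every specifier
    (no implicit upgrade); otherwise pick the newest candidate that does."""
    specs = list(specifiers)
    if installed is not None and satisfies(installed, specs):
        return installed  # loose bound met: an old, possibly vulnerable pandas stays
    candidates = [v for v in index if satisfies(v, specs)]
    if not candidates:
        raise LookupError("no version satisfies " + ", ".join(specs))
    return max(candidates, key=parse)
```

Running resolve("1.5.3", PLUGIN_REQ) keeps 1.5.3, resolve(None, PLUGIN_REQ) yields the newest release, and only a consumer-side constraint such as PLUGIN_REQ + [">=2.2"] forces the upgrade, which is the division of responsibility the comment argues for.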

Nanmozhi22 commented 2 weeks ago

Thank you for your prompt response and for clarifying your approach to dependency management.

I understand your perspective on specifying minimal required versions to avoid dependency conflicts. I appreciate the flexibility this provides for users to manage their own environments.

For our specific use case, we will ensure that our environment meets our security requirements by manually updating dependencies as needed.

Thanks again for your assistance.