search

vital-ws / python-monorepo

Example of scaffolding and tooling for a Python based monorepo
0 stars 0 forks source link

tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl: 2 vulnerabilities (highest severity is: 6.1) - autoclosed #48

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 7 months ago
Vulnerable Library - tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/5d/ec/e1d6725557800974d8097c727ca5a393e246f299e305d8bc5f3f581e80ff/tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (tornado version) Remediation Possible**
CVE-2023-28370 Medium 6.1 tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl Direct 6.3.2
WS-2023-0296 Medium 5.6 tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl Direct 6.3.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-28370 ### Vulnerable Library - tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/5d/ec/e1d6725557800974d8097c727ca5a393e246f299e305d8bc5f3f581e80ff/tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl

Dependency Hierarchy: - :x: **tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

Publish Date: 2023-05-25

URL: CVE-2023-28370

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-05-25

Fix Resolution: 6.3.2

WS-2023-0296 ### Vulnerable Library - tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/5d/ec/e1d6725557800974d8097c727ca5a393e246f299e305d8bc5f3f581e80ff/tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl

Dependency Hierarchy: - :x: **tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths

Publish Date: 2023-08-15

URL: WS-2023-0296

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-qppv-j76h-2rpx

Release Date: 2023-08-15

Fix Resolution: 6.3.3

mend-for-github-com[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.