vital-ws / python-monorepo

Example of scaffolding and tooling for a Python based monorepo

simpletransformers-0.60.6-py3-none-any.whl: 26 vulnerabilities (highest severity is: 9.8) - autoclosed #7

Closed mend-for-github-com[bot] closed 10 months ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - simpletransformers-0.60.6-py3-none-any.whl

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (simpletransformers version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-24439 | Critical | 9.8 | GitPython-3.1.15-py3-none-any.whl | Transitive | N/A* | |
| CVE-2023-47248 | Critical | 9.8 | pyarrow-4.0.0-cp37-cp37m-manylinux2014_x86_64.whl | Transitive | 0.60.7 | |
| CVE-2022-22817 | Critical | 9.8 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2021-34552 | Critical | 9.8 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2021-32798 | Critical | 9.6 | notebook-6.3.0-py3-none-any.whl | Transitive | 0.60.7 | |
| CVE-2022-24303 | Critical | 9.1 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2022-39286 | High | 8.8 | jupyter_core-4.7.1-py3-none-any.whl | Transitive | 0.60.7 | |
| CVE-2022-21699 | High | 8.8 | detected in multiple dependencies | Transitive | 0.60.7 | |
| WS-2022-0097 | High | 7.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2023-44271 | High | 7.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2022-34749 | High | 7.5 | mistune-0.8.4-py2.py3-none-any.whl | Transitive | N/A* | |
| CVE-2022-45198 | High | 7.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2022-45199 | High | 7.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2021-23437 | High | 7.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2022-24758 | High | 7.5 | notebook-6.3.0-py3-none-any.whl | Transitive | 0.60.7 | |
| CVE-2022-42969 | High | 7.5 | py-1.10.0-py2.py3-none-any.whl | Transitive | N/A* | |
| CVE-2023-24816 | High | 7.0 | detected in multiple dependencies | Transitive | 0.60.7 | |
| CVE-2021-32559 | Medium | 6.5 | pywin32-300-cp35-cp35m-win32.whl | Transitive | N/A* | |
| CVE-2022-35918 | Medium | 6.5 | streamlit-0.81.1-py2.py3-none-any.whl | Transitive | 0.60.7 | |
| CVE-2022-22815 | Medium | 6.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2022-22816 | Medium | 6.5 | Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl | Transitive | N/A* | |
| CVE-2023-28117 | Medium | 6.5 | sentry_sdk-1.0.0-py2.py3-none-any.whl | Transitive | 0.60.7 | |
| CVE-2023-28370 | Medium | 6.1 | tornado-6.1-cp37-cp37m-manylinux2010_x86_64.whl | Transitive | 0.60.7 | |
| WS-2023-0296 | Medium | 5.6 | tornado-6.1-cp37-cp37m-manylinux2010_x86_64.whl | Transitive | 0.60.7 | |
| CVE-2021-32862 | Medium | 5.4 | nbconvert-6.0.7-py3-none-any.whl | Transitive | 0.60.7 | |
| CVE-2022-29238 | Medium | 4.3 | notebook-6.3.0-py3-none-any.whl | Transitive | 0.60.7 | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

## CVE-2022-24439

### Vulnerable Library - GitPython-3.1.15-py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/d7/6d/0528adaff6229c5cd85feb84366e1cf3130d86c69d0acea02fe12b5d79c4/GitPython-3.1.15-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - wandb-0.10.29-py2.py3-none-any.whl
    - :x: **GitPython-3.1.15-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Publish Date: 2022-12-06

URL: CVE-2022-24439

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


## CVE-2023-47248

### Vulnerable Library - pyarrow-4.0.0-cp37-cp37m-manylinux2014_x86_64.whl

Python library for Apache Arrow

Library home page: https://files.pythonhosted.org/packages/f8/58/70e5d957f5ffcb0d67dc79faca766d2d61a8e641b43156c6745c60c8b32b/pyarrow-4.0.0-cp37-cp37m-manylinux2014_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **pyarrow-4.0.0-cp37-cp37m-manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Publish Date: 2023-11-09

URL: CVE-2023-47248

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n

Release Date: 2023-11-09

Fix Resolution (pyarrow): 14.0.1

Direct dependency fix Resolution (simpletransformers): 0.60.7

## CVE-2022-22817

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Publish Date: 2022-01-10

URL: CVE-2022-22817

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

## CVE-2021-34552

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Publish Date: 2021-07-13

URL: CVE-2021-34552

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow

Release Date: 2021-07-13

Fix Resolution: Pillow-8.3.0

## CVE-2021-32798

### Vulnerable Library - notebook-6.3.0-py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/5d/86/8f951abc6ac651a75a059d2b77fe99fa5df80bf4dc4700c126a0bee486b8/notebook-6.3.0-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - widgetsnbextension-3.5.1-py2.py3-none-any.whl
          - :x: **notebook-6.3.0-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.

Publish Date: 2021-08-09

URL: CVE-2021-32798

### CVSS 3 Score Details (9.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797

Release Date: 2021-08-09

Fix Resolution (notebook): 6.4.1

Direct dependency fix Resolution (simpletransformers): 0.60.7

## CVE-2022-24303

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Publish Date: 2022-03-28

URL: CVE-2022-24303

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9j59-75qj-795w

Release Date: 2022-03-28

Fix Resolution: Pillow - 9.0.1

## CVE-2022-39286

### Vulnerable Library - jupyter_core-4.7.1-py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/53/40/5af36bffa0af3ac71d3a6fc6709de10e4f6ff7c01745b8bc4715372189c9/jupyter_core-4.7.1-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - widgetsnbextension-3.5.1-py2.py3-none-any.whl
          - notebook-6.3.0-py3-none-any.whl
            - :x: **jupyter_core-4.7.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39286

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363

Release Date: 2022-10-26

Fix Resolution (jupyter-core): 4.11.2

Direct dependency fix Resolution (simpletransformers): 0.60.7

## CVE-2022-21699

### Vulnerable Libraries - ipython-7.23.1-py3-none-any.whl, ipython-7.23.0-py3-none-any.whl

#### ipython-7.23.1-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/81/d1/8d0ba7589ea4cbf3e80ef8e20616da2cfc3c33187a64b044372aad517512/ipython-7.23.1-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - :x: **ipython-7.23.1-py3-none-any.whl** (Vulnerable Library)

#### ipython-7.23.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/ab/8b/0cbe2b5ae27dd04df0af5e7bcc132d508b09c22d873f8944343c8f542042/ipython-7.23.0-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - :x: **ipython-7.23.0-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.

Publish Date: 2022-01-19

URL: CVE-2022-21699

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

Release Date: 2022-01-19

Fix Resolution (ipython): 7.31.1

Direct dependency fix Resolution (simpletransformers): 0.60.7

## WS-2022-0097

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder. If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Publish Date: 2022-03-11

URL: WS-2022-0097

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4fx9-vc88-q2xc

Release Date: 2022-03-11

Fix Resolution: Pillow - 9.0.0

## CVE-2023-44271

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

## CVE-2022-34749

### Vulnerable Library - mistune-0.8.4-py2.py3-none-any.whl

The fastest markdown parser in pure Python

Library home page: https://files.pythonhosted.org/packages/09/ec/4b43dae793655b7d8a25f76119624350b4d65eb663459eb9603d7f1f0345/mistune-0.8.4-py2.py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - widgetsnbextension-3.5.1-py2.py3-none-any.whl
          - notebook-6.3.0-py3-none-any.whl
            - nbconvert-6.0.7-py3-none-any.whl
              - :x: **mistune-0.8.4-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

Publish Date: 2022-07-25

URL: CVE-2022-34749

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-fw3v-x4f2-v673

Release Date: 2022-07-25

Fix Resolution: mistune - 2.0.3

## CVE-2022-45198

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.2.0

## CVE-2022-45199

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.3.0

## CVE-2021-23437

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

The package pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Publish Date: 2021-09-03

URL: CVE-2021-23437

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Release Date: 2021-09-03

Fix Resolution: Pillow - 8.3.2

## CVE-2022-24758

### Vulnerable Library - notebook-6.3.0-py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/5d/86/8f951abc6ac651a75a059d2b77fe99fa5df80bf4dc4700c126a0bee486b8/notebook-6.3.0-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - widgetsnbextension-3.5.1-py2.py3-none-any.whl
          - :x: **notebook-6.3.0-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.

Publish Date: 2022-03-31

URL: CVE-2022-24758

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55

Release Date: 2022-03-31

Fix Resolution (notebook): 6.4.10

Direct dependency fix Resolution (simpletransformers): 0.60.7

## CVE-2022-42969

### Vulnerable Library - py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipykernel-5.5.4-py3-none-any.whl
        - jupyter_client-6.2.0-py3-none-any.whl
          - pyzmq-22.0.3-cp37-cp37m-manylinux1_x86_64.whl
            - :x: **py-1.10.0-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


## CVE-2023-24816

### Vulnerable Libraries - ipython-7.23.0-py3-none-any.whl, ipython-7.23.1-py3-none-any.whl

#### ipython-7.23.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/ab/8b/0cbe2b5ae27dd04df0af5e7bcc132d508b09c22d873f8944343c8f542042/ipython-7.23.0-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - :x: **ipython-7.23.0-py3-none-any.whl** (Vulnerable Library)

#### ipython-7.23.1-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/81/d1/8d0ba7589ea4cbf3e80ef8e20616da2cfc3c33187a64b044372aad517512/ipython-7.23.1-py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipywidgets-7.6.3-py2.py3-none-any.whl
        - :x: **ipython-7.23.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function `IPython.utils.terminal.set_term_title` be called on Windows in a Python environment where ctypes is not available. The dependency on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool `set_term_title` could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the `IPython.utils.terminal.set_term_title` function are done with trusted or filtered input.

Publish Date: 2023-02-10

URL: CVE-2023-24816

### CVSS 3 Score Details (7.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816

Release Date: 2023-02-10

Fix Resolution (ipython): 8.10.0

Direct dependency fix Resolution (simpletransformers): 0.60.7

## CVE-2021-32559

### Vulnerable Library - pywin32-300-cp35-cp35m-win32.whl

Python for Windows Extensions

Library home page: https://files.pythonhosted.org/packages/a9/f4/48f406e208db08acd6444867e7673effa2b424b38bc85d336fc98234c2ce/pywin32-300-cp35-cp35m-win32.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - pydeck-0.6.2-py2.py3-none-any.whl
      - ipykernel-5.5.4-py3-none-any.whl
        - jupyter_client-6.2.0-py3-none-any.whl
          - jupyter_core-4.7.1-py3-none-any.whl
            - :x: **pywin32-300-cp35-cp35m-win32.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

An integer overflow exists in pywin32 prior to version b301 when adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be greater than 65535 bytes. An attacker who successfully exploited this vulnerability could crash the vulnerable process.

Publish Date: 2021-07-06

URL: CVE-2021-32559

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32559

Release Date: 2021-07-06

Fix Resolution: pywin32 - 301

CVE-2022-35918

### Vulnerable Library - streamlit-0.81.1-py2.py3-none-any.whl

The fastest way to build data apps in Python

Library home page: https://files.pythonhosted.org/packages/8f/5c/ab7eb2b8577469981707ae2c8e3709c9fe99cca0026cad4bedaa1d980c56/streamlit-0.81.1-py2.py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - :x: **streamlit-0.81.1-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-08-01

URL: CVE-2022-35918

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35918

Release Date: 2022-08-01

Fix Resolution (streamlit): 1.11.1

Direct dependency fix Resolution (simpletransformers): 0.60.7

CVE-2022-22815

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22815

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

CVE-2022-22816

### Vulnerable Library - Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/14/e9/9c91f2f5d6102eae2051b28f85f3eaad4bdd9c67ede8c4d71170960391fa/Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - streamlit-0.81.1-py2.py3-none-any.whl
    - :x: **Pillow-8.2.0-cp36-cp36m-macosx_10_10_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22816

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

CVE-2023-28117

### Vulnerable Library - sentry_sdk-1.0.0-py2.py3-none-any.whl

Python client for Sentry (https://sentry.io)

Library home page: https://files.pythonhosted.org/packages/f3/92/5a33be64990ba815364a8f2dd9e6f51de60d23dfddafb4f1fc5577d4dc64/sentry_sdk-1.0.0-py2.py3-none-any.whl

Dependency Hierarchy:
- simpletransformers-0.60.6-py3-none-any.whl (Root Library)
  - wandb-0.10.29-py2.py3-none-any.whl
    - :x: **sentry_sdk-1.0.0-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.

Publish Date: 2023-03-22

URL: CVE-2023-28117

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/getsentry/sentry-python/security/advisories/GHSA-29pr-6jr8-q5jm

Release Date: 2023-03-22

Fix Resolution (sentry-sdk): 1.14.0

Direct dependency fix Resolution (simpletransformers): 0.60.7

mend-for-github-com[bot] commented 10 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.