search

vital-ws / python-monorepo

Example of scaffolding and tooling for a Python based monorepo
0 stars 0 forks source link

sentence-transformers-1.0.3.tar.gz: 8 vulnerabilities (highest severity is: 9.8) - autoclosed #9

Closed mend-for-github-com[bot] closed 10 months ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - sentence-transformers-1.0.3.tar.gz

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (sentence-transformers version) Remediation Possible**
CVE-2022-45907 Critical 9.8 torch-1.8.1-cp37-cp37m-manylinux1_x86_64.whl Transitive 1.0.4
CVE-2022-23491 High 7.5 certifi-2020.12.5-py2.py3-none-any.whl Transitive 1.0.4
CVE-2021-3828 High 7.5 nltk-3.6.2-py3-none-any.whl Transitive 1.0.4
CVE-2021-3842 High 7.5 nltk-3.6.2-py3-none-any.whl Transitive 1.0.4
CVE-2021-33503 High 7.5 urllib3-1.26.4-py2.py3-none-any.whl Transitive 1.0.4
CVE-2021-43854 High 7.5 nltk-3.6.2-py3-none-any.whl Transitive 1.0.4
WS-2022-0437 Medium 6.1 nltk-3.6.2-py3-none-any.whl Transitive 1.0.4
WS-2022-0438 Medium 5.0 nltk-3.6.2-py3-none-any.whl Transitive 1.0.4

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-45907 ### Vulnerable Library - torch-1.8.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/56/74/6fc9dee50f7c93d6b7d9644554bdc9692f3023fa5d1de779666e6bf8ae76/torch-1.8.1-cp37-cp37m-manylinux1_x86_64.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - :x: **torch-1.8.1-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Publish Date: 2022-11-26

URL: CVE-2022-45907

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45907

Release Date: 2022-11-26

Fix Resolution (torch): 1.13.1

Direct dependency fix Resolution (sentence-transformers): 1.0.4

CVE-2022-23491 ### Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - transformers-4.3.0-py3-none-any.whl - requests-2.25.1-py2.py3-none-any.whl - :x: **certifi-2020.12.5-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (sentence-transformers): 1.0.4

CVE-2021-3828 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-27

URL: CVE-2021-3828

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3828

Release Date: 2021-09-27

Fix Resolution (nltk): 3.6.4

Direct dependency fix Resolution (sentence-transformers): 1.0.4

CVE-2021-3842 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2022-01-04

URL: CVE-2021-3842

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x

Release Date: 2022-01-04

Fix Resolution (nltk): 3.6.6

Direct dependency fix Resolution (sentence-transformers): 1.0.4

CVE-2021-33503 ### Vulnerable Library - urllib3-1.26.4-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/09/c6/d3e3abe5b4f4f16cf0dfc9240ab7ce10c2baa0e268989a4e3ec19e90c84e/urllib3-1.26.4-py2.py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - transformers-4.3.0-py3-none-any.whl - requests-2.25.1-py2.py3-none-any.whl - :x: **urllib3-1.26.4-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution (urllib3): 1.26.5

Direct dependency fix Resolution (sentence-transformers): 1.0.4

CVE-2021-43854 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

Publish Date: 2021-12-23

URL: CVE-2021-43854

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854

Release Date: 2021-12-23

Fix Resolution (nltk): 3.6.6

Direct dependency fix Resolution (sentence-transformers): 1.0.4

WS-2022-0437 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

In nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss.

Publish Date: 2022-12-23

URL: WS-2022-0437

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/

Release Date: 2022-12-23

Fix Resolution (nltk): 3.8.1

Direct dependency fix Resolution (sentence-transformers): 1.0.4

WS-2022-0438 ### Vulnerable Library - nltk-3.6.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/5e/37/9532ddd4b1bbb619333d5708aaad9bf1742f051a664c3c6fa6632a105fd8/nltk-3.6.2-py3-none-any.whl

Dependency Hierarchy: - sentence-transformers-1.0.3.tar.gz (Root Library) - :x: **nltk-3.6.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e

Found in base branch: master

### Vulnerability Details

In nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link.

Publish Date: 2022-12-29

URL: WS-2022-0438

### CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/

Release Date: 2022-12-29

Fix Resolution (nltk): 3.8.1

Direct dependency fix Resolution (sentence-transformers): 1.0.4

mend-for-github-com[bot] commented 10 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.