
ansible-rstudio-connect's People

Contributors

damianbudelewski, edeediong, koralowiec, mend-bolt-for-github[bot], renovate-bot, renovate[bot], shmileee


ansible-rstudio-connect's Issues

CVE-2024-34064 (Medium) detected in Jinja2-3.1.3-py3-none-any.whl

CVE-2024-34064 - Medium Severity Vulnerability

Vulnerable Library - Jinja2-3.1.3-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/30/6d/6de6be2d02603ab56e72997708809e8a5b0fbfee080735109b40a3564843/Jinja2-3.1.3-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ Jinja2-3.1.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe. This vulnerability is fixed in 3.1.4.

Publish Date: 2024-05-06

URL: CVE-2024-34064

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-h75v-3vvj-5mfj

Release Date: 2024-05-06

Fix Resolution: Jinja2 - 3.1.4


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update dependency cryptography to v42.0.7
  • chore(deps): update dependency molecule-plugins to v23.5.3
  • chore(deps): update dependency rich to v13.7.1
  • chore(deps): update dependency wcmatch to v8.5.2
  • chore(deps): update dependency jsonschema to v4.22.0
  • chore(deps): update dependency pluggy to v1.5.0
  • chore(deps): update dependency pycparser to v2.22
  • chore(deps): update dependency pygments to v2.18.0
  • chore(deps): update dependency referencing to v0.35.1
  • chore(deps): update dependency rpds-py to v0.18.1
  • chore(deps): update dependency urllib3 to v2.2.1
  • chore(deps): update dependency ansible-compat to v24
  • chore(deps): update dependency certifi to v2024
  • chore(deps): update dependency molecule to v24
  • chore(deps): update dependency packaging to v24
  • ๐Ÿ” Create all rate-limited PRs at once ๐Ÿ”

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/ci.yml
  • actions/checkout v4
  • actions/setup-python v5
  • actions/checkout v4
  • actions/setup-python v5
.github/workflows/release.yml
  • actions/checkout v4
  • robertdebock/galaxy-action 1.2.1
pip_requirements
requirements.txt
  • ansible-compat ==4.1.11
  • ansible-core ==2.16.3
  • attrs ==23.2.0
  • bracex ==2.4
  • certifi ==2023.11.17
  • cffi ==1.16.0
  • charset-normalizer ==3.3.2
  • click ==8.1.7
  • click-help-colors ==0.9.4
  • cryptography ==42.0.5
  • distro ==1.9.0
  • docker ==7.0.0
  • enrich ==1.2.7
  • idna ==3.6
  • Jinja2 ==3.1.3
  • jsonschema ==4.20.0
  • jsonschema-specifications ==2023.12.1
  • markdown-it-py ==3.0.0
  • MarkupSafe ==2.1.3
  • mdurl ==0.1.2
  • molecule ==6.0.3
  • molecule-plugins ==23.5.0
  • packaging ==23.2
  • pluggy ==1.3.0
  • pycparser ==2.21
  • Pygments ==2.17.2
  • PyYAML ==6.0.1
  • referencing ==0.32.1
  • requests ==2.31.0
  • resolvelib ==1.0.1
  • rich ==13.7.0
  • rpds-py ==0.16.2
  • selinux ==0.3.0
  • subprocess-tee ==0.4.1
  • urllib3 ==2.1.0
  • wcmatch ==8.5

  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2023-50782 (Medium) detected in cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl - autoclosed

CVE-2023-50782 - Medium Severity Vulnerability

Vulnerable Library - cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/62/bd/69628ab50368b1beb900eb1de5c46f8137169b75b2458affe95f2f470501/cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 77565e720bce707667363f4aee2aff3b8a878dff

Found in base branch: main

Vulnerability Details

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Publish Date: 2024-02-05

URL: CVE-2023-50782

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-3ww4-gg4f-jr7f

Release Date: 2024-02-05

Fix Resolution: 42.0.0

