
datagov-deploy's People

Contributors

adborden, afeld, anup-khanal, anuveyatsu, avdata99, chris-macdermaid, codeshtuff, dano-reisys, dependabot-preview[bot], dependabot[bot], eric-asongwed, fuhuxia, hareeshreddyg, hkdctol, jasonschulte, jbrown-xentity, jjediny, kmanaseryan, kvuppala, mogul, neilhunt1, pburkholder, philipashlock, pjsharpe07, snyk-bot, srinirei, starsinmypockets, thejuliekramer, woodt, ydave-reisys

datagov-deploy's Issues

CVE-2021-3533 (Low) detected in ansible-2.8.19.tar.gz

CVE-2021-3533 - Low Severity Vulnerability

Vulnerable Library - ansible-2.8.19.tar.gz

Radically simple IT automation

Library home page: https://files.pythonhosted.org/packages/5f/c6/106dbd1fb4965baeff90f8b9263c72cdeb18d66135ebf70c64db43245f84/ansible-2.8.19.tar.gz

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • ansible-2.8.19.tar.gz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A flaw was found in Ansible when an Ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world-writable directory (for example somewhere under /tmp; the default, ~/.ansible_async, is only exposed if the home directory itself is world-writable). When this occurs, there is a race condition on the managed machine: a malicious, non-privileged account on the remote host can win the race and read the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
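A pre-flight check for the configuration described above, as an added example that is not Ansible's own code: it walks the async results directory and every ancestor below a chosen top and reports the ones another local user can write into, which is the precondition for the race. It assumes a POSIX filesystem; the temporary directory layout built by make_demo_tree() is constructed for the demo.

```python
"""Report world-writable (or symlinked) ancestors of ANSIBLE_ASYNC_DIR.

Added example, not Ansible's code.  POSIX only.
"""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_ASYNC_DIR = "~/.ansible_async"  # Ansible's default when the variable is unset


def unsafe_ancestors(async_dir, top="/"):
    """Return [(path, reason), ...] for async_dir and each ancestor below `top`
    that is world-writable or a symlink.  Components that do not exist yet are
    skipped: Ansible will create them, so only their existing parents matter.
    The sticky bit is reported but does not make a directory safe: it stops
    deletion of other users' entries, not creation of a colliding name."""
    path = Path(os.path.abspath(os.path.expanduser(async_dir)))
    top = Path(os.path.abspath(top))
    findings = []
    for candidate in (path, *path.parents):
        if candidate == top:
            break
        try:
            st = os.lstat(candidate)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(candidate), "symlink"))
        elif st.st_mode & stat.S_IWOTH:
            sticky = " (sticky)" if st.st_mode & stat.S_ISVTX else ""
            findings.append((str(candidate), "world-writable" + sticky))
    return findings


def make_demo_tree():
    """Constructed layout: a 0700 top directory holding a /tmp-style 1777
    subdirectory and a 0700 subdirectory.  Returns (top, risky, safe), where
    risky and safe are the async directories that would be created inside."""
    top = Path(tempfile.mkdtemp(prefix="async_demo_"))
    os.chmod(top, 0o700)
    shared = top / "shared"
    shared.mkdir()
    os.chmod(shared, 0o1777)
    private = top / "private"
    private.mkdir()
    os.chmod(private, 0o700)
    return str(top), str(shared / "ansible_async"), str(private / "ansible_async")


def demo():
    """Run the check against both constructed layouts."""
    top, risky, safe = make_demo_tree()
    return {
        "risky": unsafe_ancestors(risky, top=top),
        "safe": unsafe_ancestors(safe, top=top),
    }


if __name__ == "__main__":
    print(demo())
    configured = os.environ.get("ANSIBLE_ASYNC_DIR", DEFAULT_ASYNC_DIR)
    print(configured, unsafe_ancestors(configured))  # real check, all the way up to /
```

Run it with top="/" against the value you actually deploy; any finding other than the sticky system temp directory you deliberately chose means another account can pre-create the path Ansible will write its results into.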

Publish Date: 2021-06-09

URL: CVE-2021-3533

CVSS 3 Score Details (2.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3533

Release Date: 2021-06-09

Fix Resolution: ansible - 2.9.23rc1, 4.1.0



CVE-2022-42969 (High) detected in py-1.10.0-py2.py3-none-any.whl

CVE-2022-42969 - High Severity Vulnerability

Vulnerable Library - py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • testinfra-6.0.0-py3-none-any.whl (Root Library)
    • pytest_testinfra-6.1.0-py3-none-any.whl
      • pytest-6.2.2-py3-none-any.whl
        • py-1.10.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: abbb32b7141b51e1819225365cb3fcc476f68972

Found in base branch: master

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The vulnerable regex is reached only through py.path's Subversion wrappers; pytest, the consumer in this dependency chain, does not call them. No fixed py release is named here; pytest 7.2.0 and later no longer depend on py, so upgrading pytest removes this edge of the dependency tree.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2022-24065 (High) detected in cookiecutter-1.7.2-py2.py3-none-any.whl

CVE-2022-24065 - High Severity Vulnerability

Vulnerable Library - cookiecutter-1.7.2-py2.py3-none-any.whl

A command-line utility that creates projects from project templates, e.g. creating a Python package project from a Python package project template.

Library home page: https://files.pythonhosted.org/packages/95/83/83ebf950ec99b02c61719ccb116462844ba2e873df7c4d40afc962494312/cookiecutter-1.7.2-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • molecule-3.2.3-py3-none-any.whl (Root Library)
    • cookiecutter-1.7.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When the cookiecutter function is called from Python code with the checkout parameter, the value is passed to the hg checkout command in a way that allows additional flags to be set, and those flags can be used to perform a command injection.
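The argument-injection pattern behind this report, shown as an added example that is not cookiecutter's code: the vulnerable builder puts a caller-controlled value where hg reads options, while the hardened builder validates it against an allow-list and terminates option parsing with "--" (an assumption of this example: that hg, like other getopt-style commands, honours "--"). Nothing here executes hg.

```python
"""Vulnerable vs. hardened construction of an `hg checkout` argv.

Added example, not cookiecutter's code.  Assumes hg honours "--".
"""
import re

# Revision forms this example accepts: a leading alphanumeric, then the
# characters seen in hashes, tags, branch and bookmark names.  Deliberately
# narrower than what hg allows; widen it consciously, never with a leading "-".
_REVISION_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/+-]{0,127}")


def build_checkout_vulnerable(checkout):
    """Caller-controlled value goes straight into argv.  A value such as
    "--config=..." is parsed by hg as a global option, not as a revision."""
    return ["hg", "checkout", checkout]


def is_option_like(value):
    """True when an option parser would read the value as a flag."""
    return value.startswith("-")


def build_checkout_hardened(checkout):
    if not _REVISION_RE.fullmatch(checkout):
        raise ValueError(f"refusing checkout value {checkout!r}")
    # "--" ends option parsing; even a value that slips past the allow-list
    # can then only ever be an operand.
    return ["hg", "checkout", "--", checkout]


def rejects(checkout):
    """True if the hardened builder refuses the value (used by the demo)."""
    try:
        build_checkout_hardened(checkout)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for value in ("v1.2.3", "default", "--config=alias.checkout=something"):
        print(value, build_checkout_vulnerable(value), rejects(value))
```

The allow-list is the primary control; the "--" separator is defence in depth for the day the allow-list is loosened.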

Publish Date: 2022-06-08

URL: CVE-2022-24065

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065

Release Date: 2022-06-08

Fix Resolution: cookiecutter - 2.1.1

CVE-2021-28363 (Medium) detected in urllib3-1.26.3-py2.py3-none-any.whl

CVE-2021-28363 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • molecule-3.2.3-py3-none-any.whl (Root Library)
    • cookiecutter-1.7.2-py2.py3-none-any.whl
      • requests-2.25.1-py2.py3-none-any.whl
        • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: abbb32b7141b51e1819225365cb3fcc476f68972

Found in base branch: master

Vulnerability Details

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
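What the skipped step actually decides, as an added example that is not urllib3's code: given a certificate that already chains to a trusted root, does its name cover the host we dialled? The function works on the dict shape that ssl.SSLSocket.getpeercert() returns; both certificates below are constructed for the demo, and chain validity is assumed so that only the hostname question remains.

```python
"""Hostname verification against a getpeercert()-style dict.

Added example, not urllib3's code.  Certificates below are constructed.
"""
import ipaddress

# What the proxy operator's certificate should look like.
PROXY_CERT = {
    "subject": ((("commonName", "proxy.example.net"),),),
    "subjectAltName": (
        ("DNS", "proxy.example.net"),
        ("DNS", "*.proxies.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}

# A perfectly valid certificate for some other server.  A client that checks
# the chain but not the name accepts this one for the proxy as well.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "www.other.example"),),),
    "subjectAltName": (("DNS", "www.other.example"),),
}


def _dns_match(pattern, hostname):
    """RFC 6125 subset: case-insensitive; a wildcard is allowed only as the
    entire leftmost label, matches exactly one label, and never covers a
    two-label name such as *.example."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def hostname_matches_cert(hostname, cert):
    sans = cert.get("subjectAltName", ())
    dns_names = [v for kind, v in sans if kind == "DNS"]
    ip_names = [v for kind, v in sans if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:  # an IP literal must match an iPAddress SAN exactly
        return any(ip == ipaddress.ip_address(v) for v in ip_names)
    if dns_names:       # SAN present: the subject CN is ignored
        return any(_dns_match(p, hostname) for p in dns_names)
    return any(         # legacy fallback: CN only when there is no SAN at all
        key == "commonName" and _dns_match(value, hostname)
        for rdn in cert.get("subject", ()) for key, value in rdn
    )


if __name__ == "__main__":
    for host in ("proxy.example.net", "eu1.proxies.example.net", "192.0.2.10"):
        print(host, hostname_matches_cert(host, PROXY_CERT),
              hostname_matches_cert(host, OTHER_SITE_CERT))
```

The fixed urllib3 performs this check on the proxy leg as well as on the origin leg; if you hand urllib3 your own SSLContext for the proxy connection, keep check_hostname enabled on it rather than re-implementing the match.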

Publish Date: 2021-03-15

URL: CVE-2021-28363

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-5phf-pp7p-vc2r

Release Date: 2021-03-15

Fix Resolution: 1.26.4

CVE-2022-24302 (Medium) detected in paramiko-2.7.2-py2.py3-none-any.whl

CVE-2022-24302 - Medium Severity Vulnerability

Vulnerable Library - paramiko-2.7.2-py2.py3-none-any.whl

SSH2 protocol library

Library home page: https://files.pythonhosted.org/packages/95/19/124e9287b43e6ff3ebb9cdea3e5e8e88475a873c05ccdf8b7e20d2c4201e/paramiko-2.7.2-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • molecule-3.2.3-py3-none-any.whl (Root Library)
    • paramiko-2.7.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.
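The create-then-chmod window named above, reproduced and closed in an added example that is not Paramiko's code. write_key_racy follows the vulnerable pattern and takes an observer hook that stands in for a local user opening the file inside the window; write_key_atomic sets the mode in the same open(2) call that creates the file and uses O_EXCL so a pre-placed file or symlink is refused rather than followed. POSIX only; the key material is a placeholder string.

```python
"""Racy vs. atomic private-key file creation.

Added example, not Paramiko's code.  POSIX only; FAKE_KEY is a placeholder.
"""
import os
import stat
import tempfile

FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nnot-a-real-key\n-----END PRIVATE KEY-----\n"


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path, data, observer=lambda p: None):
    with open(path, "w") as fh:       # created with 0666 & ~umask, typically 0644
        fh.write(data)
    observer(path)                     # window: anyone may open and read the key
    os.chmod(path, 0o600)              # too late for whoever already holds it open


def write_key_atomic(path, data, observer=lambda p: None):
    # Mode and creation happen in one system call; O_EXCL fails if the path
    # already exists, so an attacker-planted file or symlink is never written to.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        observer(path)                 # same moment as above, file is already 0600
        fh.write(data)


def race_demo(umask=0o022):
    """Run both writers under a fixed umask; return the mode a racing reader
    sees during the window, the final modes, and whether O_EXCL held."""
    old = os.umask(umask)
    seen = {}
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = os.path.join(d, "racy_key")
            atomic = os.path.join(d, "atomic_key")
            write_key_racy(racy, FAKE_KEY, lambda p: seen.update(racy_window=mode_of(p)))
            write_key_atomic(atomic, FAKE_KEY, lambda p: seen.update(atomic_window=mode_of(p)))
            seen["racy_final"] = mode_of(racy)
            seen["atomic_final"] = mode_of(atomic)
            try:                       # a pre-existing file is refused, not overwritten
                write_key_atomic(atomic, FAKE_KEY)
                seen["exclusive"] = False
            except FileExistsError:
                seen["exclusive"] = True
    finally:
        os.umask(old)
    return seen


if __name__ == "__main__":
    for name, mode in race_demo().items():
        print(name, oct(mode) if isinstance(mode, int) else mode)
```

The final modes are identical, which is why this class of bug survives review: only the state between the two calls differs, and only an observer who is already racing sees it.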

Publish Date: 2022-03-17

URL: CVE-2022-24302

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.paramiko.org/changelog.html

Release Date: 2022-03-17

Fix Resolution: paramiko - 2.10.1

CVE-2021-33503 (High) detected in urllib3-1.26.3-py2.py3-none-any.whl

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • molecule-3.2.3-py3-none-any.whl (Root Library)
    • cookiecutter-1.7.2-py2.py3-none-any.whl
      • requests-2.25.1-py2.py3-none-any.whl
        • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
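Catastrophic backtracking of this kind, and the same bug class reported above for py (CVE-2022-42969), demonstrated in an added example. The regex is a simplified stand-in written for this demo, not urllib3's or py's pattern, and it leaves out IPv6 literals on purpose; the linear parser accepts the same grammar by construction (userinfo is everything before the last "@", host may not contain "[ ] % : / ? #", port is up to five digits) without any backtracking.

```python
"""Quadratic regex backtracking on "@"-heavy authorities vs. a linear parse.

Added example; the regex is a stand-in, not urllib3's or py's pattern.
"""
import re
import time

# (.*)@ can end at any "@", and the host class still admits "@", so an input
# of n "@" signs offers n candidate userinfo/host splits; a trailing "]" is
# illegal in the host, so the engine tries and abandons every one: O(n^2).
BACKTRACKING_AUTHORITY = re.compile(r"^(?:(.*)@)?([^\[\]%:/?#]*)(?::(\d{0,5}))?$")
_HOST_FORBIDDEN = set("[]%:/?#")


def parse_authority_regex(authority):
    m = BACKTRACKING_AUTHORITY.match(authority)
    return None if m is None else (m.group(1), m.group(2), m.group(3))


def parse_authority_linear(authority):
    """Same grammar, one pass: split on the LAST "@", then on the first ":"."""
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = None, authority
    host, colon, port = hostport.partition(":")
    if not colon:
        port = None
    elif len(port) > 5 or not all(c in "0123456789" for c in port):
        return None
    if _HOST_FORBIDDEN.intersection(host):
        return None
    return userinfo, host, port


def pathological(n):
    """Constructed attacker input: n "@" signs then a character no host allows."""
    return "@" * n + "]"


def seconds(parser, text):
    t0 = time.perf_counter()
    parser(text)
    return time.perf_counter() - t0


def backtracking_ratio(small=200, big=2000):
    """How much slower the regex gets for a 10x longer pathological input.
    Linear behaviour would give about 10; quadratic gives about 100."""
    t_small = max(seconds(parse_authority_regex, pathological(small)), 1e-6)
    t_big = seconds(parse_authority_regex, pathological(big))
    return t_big / t_small


if __name__ == "__main__":
    for sample in ("user:pw@host.example:8080", "host", "a@b@c", "[::1]:80"):
        print(sample, parse_authority_regex(sample), parse_authority_linear(sample))
    print("regex slowdown 200 -> 2000 '@':", round(backtracking_ratio()))
    print("linear on 2000 '@':", seconds(parse_authority_linear, pathological(2000)))
```

The two parsers agree on ordinary input and on the pathological one (both reject it); only the cost differs. The practical check is the one backtracking_ratio() performs: feed your URL regexes a long run of the delimiter they split on and watch whether time grows linearly.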

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

CVE-2022-23491 (Medium) detected in certifi-2020.12.5-py2.py3-none-any.whl

CVE-2022-23491 - Medium Severity Vulnerability

Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • molecule-3.2.3-py3-none-any.whl (Root Library)
    • cookiecutter-1.7.2-py2.py3-none-any.whl
      • requests-2.25.1-py2.py3-none-any.whl
        • certifi-2020.12.5-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes the "TrustCor" root certificates from its root store, following their removal from Mozilla's trust store. TrustCor's roots were removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware; Mozilla's conclusions were published in its mozilla.dev.security.policy discussion group. Only clients that load certifi's bundle (requests does by default) are affected by this update; operating-system trust stores are updated separately.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07
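Checking a lockfile against the fix versions collected in the reports above, as an added example that is not tooling from Mend/WhiteSource or datagov-deploy. The Pipfile.lock excerpt is constructed from the versions the reports name; the comparator handles only the version shapes they use (dotted integers with an optional a/b/rc suffix), which is an assumption of this example rather than a PEP 440 implementation. py is left out because no fixed release is named on this page.

```python
"""Audit pinned Pipfile.lock versions against advisory fix versions.

Added example, not the scanner's or the project's tooling.
"""
import json
import re

FIX_VERSIONS = {            # minimum safe versions, from the Fix Resolution lines above
    "ansible": "2.9.23rc1",
    "cookiecutter": "2.1.1",
    "urllib3": "1.26.5",    # 1.26.4 closes CVE-2021-28363; 1.26.5 also CVE-2021-33503
    "paramiko": "2.10.1",
    "certifi": "2022.12.07",
}

LOCK_JSON = json.dumps({    # constructed excerpt in Pipfile.lock layout
    "_meta": {"hash": {"sha256": "constructed"}},
    "default": {
        "ansible": {"version": "==2.8.19"},
        "certifi": {"version": "==2020.12.5"},
        "cookiecutter": {"version": "==1.7.2"},
        "paramiko": {"version": "==2.7.2"},
        "py": {"version": "==1.10.0"},
        "urllib3": {"version": "==1.26.3"},
    },
    "develop": {},
})

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def version_key(version):
    """Sort key: numeric parts with trailing zeros dropped (2.1 == 2.1.0), then
    a flag that puts a final release after its own pre-releases."""
    m = _VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    if m.group(2) is None:
        return (tuple(parts), 1, 0, 0)
    return (tuple(parts), 0, _PRE_RANK[m.group(2)], int(m.group(3)))


def pinned_versions(lock_text):
    """Map lower-cased package name to its "==" pin across both sections."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version", "")
            if version.startswith("=="):
                pins[name.lower()] = version[2:]
    return pins


def audit(lock_text, fixes=FIX_VERSIONS):
    """Return {package: (pinned version or None, is_fixed)}.  An unpinned
    package counts as not fixed: the lockfile gives no evidence either way."""
    pins = pinned_versions(lock_text)
    report = {}
    for name, minimum in fixes.items():
        pinned = pins.get(name)
        fixed = pinned is not None and version_key(pinned) >= version_key(minimum)
        report[name] = (pinned, fixed)
    return report


if __name__ == "__main__":
    for name, (pinned, fixed) in audit(LOCK_JSON).items():
        status = "ok" if fixed else "needs >= " + FIX_VERSIONS[name]
        print(f"{name:<13} {pinned or 'unpinned':<12} {status}")
```

Running this in CI against the real Pipfile.lock turns the scanner's findings into a failing check that cannot be closed by a dependency bump that lands short of the fix version.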
