This project forked from cisagov/pe-reports
Automated process to build and distribute Posture & Exposure Reports' bi-weekly to customers.
License: Creative Commons Zero v1.0 Universal
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
There is an error with this repository's WhiteSource configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.
Errors:
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
Publish Date: 2022-01-10
URL: CVE-2022-22815
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815
Release Date: 2022-01-10
Fix Resolution: 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
requirements-dev.txt
requirements.txt
setup.py
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Publish Date: 2023-11-03
URL: CVE-2023-44271
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-11-03
Fix Resolution: Pillow - 10.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - wheel-0.36.2-py2.py3-none-any.whlA built-package format for Python
Library home page: https://files.pythonhosted.org/packages/65/63/39d04c74222770ed1589c0eaba06c05891801219272420b40311cd60c880/wheel-0.36.2-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/pe-reports
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (wheel version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-40898 | High |
7.5 | wheel-0.36.2-py2.py3-none-any.whl | Direct | 0.38.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-40898A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/65/63/39d04c74222770ed1589c0eaba06c05891801219272420b40311cd60c880/wheel-0.36.2-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
Publish Date: 2022-12-23
URL: CVE-2022-40898
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-12-23
Fix Resolution: 0.38.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whlPowerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in HEAD commit: b88c2819f6d6bfdf7b2f405780532afea3624181
Found in base branch: develop
BSD
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/c1b42523-1f36-4225-8682-7dbc5e496a7f
GPL
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/c1b42523-1f36-4225-8682-7dbc5e496a7f
⛔ License Policy Violation - No GPL
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Publish Date: 2021-09-03
URL: CVE-2021-23437
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
Release Date: 2021-09-03
Fix Resolution: 8.3.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
Publish Date: 2022-11-14
URL: CVE-2022-45199
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: Pillow - 9.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
Publish Date: 2022-11-14
URL: CVE-2022-45198
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: 9.2.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - numpy-1.21.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whlNumPy is the fundamental package for array computing with Python.
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).
Publish Date: 2021-12-17
URL: CVE-2021-41496
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-41496
Release Date: 2021-12-17
Fix Resolution: autovizwidget - 0.12.7;numpy - 1.22.0rc1;numcodecs - 0.6.2;numpy-base - 1.11.3;numpy - 1.17.4
Vulnerable Library - wheel-0.36.2-py2.py3-none-any.whlA built-package format for Python
Library home page: https://files.pythonhosted.org/packages/65/63/39d04c74222770ed1589c0eaba06c05891801219272420b40311cd60c880/wheel-0.36.2-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
Publish Date: 2022-12-23
URL: CVE-2022-40898
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-12-23
Fix Resolution: 0.38.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whlPowerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (lxml version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-2309 | High |
7.5 | lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl | Direct | 4.9.1 | ✅ |
| CVE-2021-43818 | High |
7.1 | lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl | Direct | 4.6.5 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-2309Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Publish Date: 2022-07-05
URL: CVE-2022-2309
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-07-05
Fix Resolution: 4.9.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-43818Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
Publish Date: 2021-12-13
URL: CVE-2021-43818
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-55x5-fj6c-h6m8
Release Date: 2021-12-13
Fix Resolution: 4.6.5
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - setuptools-57.4.0-py3-none-any.whlEasily download, build, install, upgrade, and uninstall Python packages
Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Publish Date: 2022-12-23
URL: CVE-2022-40897
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Release Date: 2022-12-23
Fix Resolution: 65.5.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whlPowerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Publish Date: 2022-07-05
URL: CVE-2022-2309
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-07-05
Fix Resolution: 4.9.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.
If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.
Publish Date: 2022-03-11
URL: WS-2022-0097
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-4fx9-vc88-q2xc
Release Date: 2022-03-11
Fix Resolution: 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used,
Publish Date: 2022-01-10
URL: CVE-2022-22817
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817
Release Date: 2022-01-10
Fix Resolution: Pillow - 9.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - setuptools-57.4.0-py3-none-any.whlEasily download, build, install, upgrade, and uninstall Python packages
Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (setuptools version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-40897 | Medium |
5.9 | setuptools-57.4.0-py3-none-any.whl | Direct | 65.5.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-40897Easily download, build, install, upgrade, and uninstall Python packages
Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Publish Date: 2022-12-23
URL: CVE-2022-40897
Base Score Metrics:
Type: Upgrade version
Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Release Date: 2022-12-23
Fix Resolution: 65.5.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (Pillow version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-22817 | Critical |
9.8 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Pillow - 9.0.0 | ✅ |
| CVE-2022-24303 | Critical |
9.1 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Pillow - 9.0.1 | ✅ |
| CVE-2023-50447 | High |
8.1 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | pillow - 10.2.0 | ✅ |
| WS-2022-0097 | High |
7.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | 9.0.1 | ✅ |
| CVE-2023-44271 | High |
7.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Pillow - 10.0.0 | ✅ |
| CVE-2022-45199 | High |
7.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | 9.3.0 | ✅ |
| CVE-2022-45198 | High |
7.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | 9.2.0 | ✅ |
| CVE-2021-23437 | High |
7.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | 8.3.2 | ✅ |
| CVE-2022-22816 | Medium |
6.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | 9.0.1 | ✅ |
| CVE-2022-22815 | Medium |
6.5 | Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | 9.0.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-22817Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
Publish Date: 2022-01-10
URL: CVE-2022-22817
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817
Release Date: 2022-01-10
Fix Resolution: Pillow - 9.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24303Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
Publish Date: 2022-03-28
URL: CVE-2022-24303
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9j59-75qj-795w
Release Date: 2022-03-28
Fix Resolution: Pillow - 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-50447Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Publish Date: 2024-01-19
URL: CVE-2023-50447
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1
Release Date: 2024-01-19
Fix Resolution: pillow - 10.2.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2022-0097Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.
If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.
Publish Date: 2022-03-11
URL: WS-2022-0097
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4fx9-vc88-q2xc
Release Date: 2022-03-11
Fix Resolution: 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-44271Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Publish Date: 2023-11-03
URL: CVE-2023-44271
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-03
Fix Resolution: Pillow - 10.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-45199Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
Publish Date: 2022-11-14
URL: CVE-2022-45199
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: 9.3.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-45198Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
Publish Date: 2022-11-14
URL: CVE-2022-45198
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: 9.2.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23437Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Publish Date: 2021-09-03
URL: CVE-2021-23437
Base Score Metrics:
Type: Upgrade version
Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
Release Date: 2021-09-03
Fix Resolution: 8.3.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-22816Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
Publish Date: 2022-01-10
URL: CVE-2022-22816
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816
Release Date: 2022-01-10
Fix Resolution: 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-22815Python Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
Publish Date: 2022-01-10
URL: CVE-2022-22815
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815
Release Date: 2022-01-10
Fix Resolution: 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - numpy-1.21.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whlNumPy is the fundamental package for array computing with Python.
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: 1.22.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
Publish Date: 2022-03-28
URL: CVE-2022-24303
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9j59-75qj-795w
Release Date: 2022-03-28
Fix Resolution: Pillow - 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whlPowerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/30/c0/d0526314971fc661b083ab135747dc68446a3022686da8c16d25fcf6ef07/lxml-4.6.3-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
Publish Date: 2021-12-13
URL: CVE-2021-43818
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-55x5-fj6c-h6m8
Release Date: 2021-12-13
Fix Resolution: 4.6.5
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - numpy-1.21.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whlNumPy is the fundamental package for array computing with Python.
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (numpy version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-34141 | Medium |
5.3 | numpy-1.21.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | 1.22.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2021-34141NumPy is the fundamental package for array computing with Python.
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: 1.22.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whlPython Imaging Library (Fork)
Path to dependency file: /tmp/ws-scm/pe-reports
Path to vulnerable library: /tmp/ws-scm/pe-reports
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
Publish Date: 2022-01-10
URL: CVE-2022-22816
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816
Release Date: 2022-01-10
Fix Resolution: 9.0.1
⛑️ Automatic Remediation will be attempted for this issue.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
