forked from DefectDojo/django-DefectDojo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmany_vulns_new.json
91 lines (91 loc) · 4.34 KB
/
many_vulns_new.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
{
"dependencies":[
{
"name": "adal",
"version": "1.2.2",
"vulns": []
},
{
"name": "aiohttp",
"version": "3.6.2",
"vulns": [
{
"id": "PYSEC-2021-76",
"fix_versions": [
"3.7.4"
],
"description": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications."
}
]
},
{
"name": "alabaster",
"version": "0.7.12",
"vulns": []
},
{
"name": "azure-devops",
"skip_reason": "Dependency not found on PyPI and could not be audited: azure-devops (0.17.0)"
},
{
"name": "django",
"version": "3.2.9",
"vulns": [
{
"id": "PYSEC-2021-439",
"fix_versions": [
"2.2.25",
"3.1.14",
"3.2.10"
],
"description": "In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths."
}
]
},
{
"name": "lxml",
"version": "4.6.4",
"vulns": [
{
"id": "PYSEC-2021-852",
"fix_versions": [],
"description": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available."
}
]
},
{
"name": "twisted",
"version": "18.9.0",
"vulns": [
{
"id": "PYSEC-2019-128",
"fix_versions": [
"19.2.1"
],
"description": "In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF."
},
{
"id": "PYSEC-2020-260",
"fix_versions": [
"20.3.0rc1"
],
"description": "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request."
},
{
"id": "PYSEC-2019-129",
"fix_versions": [
"19.7.0rc1"
],
"description": "In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections."
},
{
"id": "PYSEC-2020-259",
"fix_versions": [
"20.3.0rc1"
],
"description": "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request."
}
]
}
]
}