diff --git a/data/insecure_full.json b/data/insecure_full.json index cab6cf3d..8f443e44 100644 --- a/data/insecure_full.json +++ b/data/insecure_full.json @@ -1,8 +1,55 @@ { "$meta": { "advisory": "PyUp.io metadata", - "timestamp": 1641016806 + "timestamp": 1643695207 }, + "aadhaar-py": [ + { + "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", + "cve": "PVE-2022-44524", + "id": "pyup.io-44604", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + }, + { + "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", + "cve": "CVE-2022-22817", + "id": "pyup.io-44605", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + }, + { + "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", + "cve": "CVE-2022-22816", + "id": "pyup.io-44606", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + }, + { + "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", + "cve": "CVE-2022-22815", + "id": "pyup.io-44607", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + }, + { + "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", + "cve": "PVE-2021-44525", + "id": "pyup.io-44561", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + } + ], "abiflows": [ { "advisory": "Abiflows version 0.6 includes security patches for several functions. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/abinit/abiflows/commit/479b957c3b1abe41d85aaff2d14439605ddc5d0b#diff-5a814c49249ffdc2d551933c1bec95c4b2fe64d0619470085c5fef247fea2309", 
@@ -61,18 +108,18 @@ ], "adversarial-robustness-toolbox": [ { - "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-28678.", - "cve": "CVE-2021-28678", - "id": "pyup.io-41782", + "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-28675.", + "cve": "CVE-2021-28675", + "id": "pyup.io-41781", "specs": [ "<1.6.1" ], "v": "<1.6.1" }, { - "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-28675.", - "cve": "CVE-2021-28675", - "id": "pyup.io-41781", + "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-28678.", + "cve": "CVE-2021-28678", + "id": "pyup.io-41782", "specs": [ "<1.6.1" ], @@ -99,7 +146,7 @@ ], "aegea": [ { - "advisory": "Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.", + "advisory": "Aegea 2.2.7 updates the minimum requirement for its dependency 'paramiko' to v2.4.2 to include a security fix.", "cve": "CVE-2018-1000805", "id": "pyup.io-37611", "specs": [ 
@@ -139,18 +186,18 @@ "v": "<101.0.1" }, { - "advisory": "Agraph-python 101.0.3 updates urllib3 to 1.24.2 for security reasons.", - "cve": "CVE-2019-11324", - "id": "pyup.io-37085", + "advisory": "Agraph-python 101.0.3 updates numpy to 1.16.0 for security reasons.", + "cve": "PVE-2021-43014", + "id": "pyup.io-43014", "specs": [ "<101.0.3" ], "v": "<101.0.3" }, { - "advisory": "Agraph-python 101.0.3 updates numpy to 1.16.0 for security reasons.", - "cve": "PVE-2021-43014", - "id": "pyup.io-43014", + "advisory": "Agraph-python 101.0.3 updates urllib3 to 1.24.2 for security reasons.", + "cve": "CVE-2019-11324", + "id": "pyup.io-37085", "specs": [ "<101.0.3" ], @@ -160,8 +207,8 @@ "ai-python": [ { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41199", - "id": "pyup.io-43002", + "cve": "CVE-2021-41203", + "id": "pyup.io-43051", "specs": [ "<0.8.1" ], @@ -169,8 +216,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41196", - "id": "pyup.io-43050", + "cve": "CVE-2021-41217", + "id": "pyup.io-43054", "specs": [ "<0.8.1" ], @@ -178,8 +225,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41203", - "id": "pyup.io-43051", + "cve": "CVE-2021-41214", + "id": "pyup.io-43055", "specs": [ "<0.8.1" ], @@ -187,8 +234,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41200", - "id": "pyup.io-43052", + "cve": "CVE-2021-41219", + "id": "pyup.io-43056", "specs": [ "<0.8.1" ], @@ -196,8 +243,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41217", - "id": "pyup.io-43054", + "cve": "CVE-2021-41218", + "id": "pyup.io-43067", "specs": [ "<0.8.1" ], 
@@ -205,8 +252,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41214", - "id": "pyup.io-43055", + "cve": "CVE-2021-41216", + "id": "pyup.io-43068", "specs": [ "<0.8.1" ], @@ -214,8 +261,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41219", - "id": "pyup.io-43056", + "cve": "CVE-2021-41215", + "id": "pyup.io-43069", "specs": [ "<0.8.1" ], @@ -223,8 +270,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41226", - "id": "pyup.io-43057", + "cve": "CVE-2021-41212", + "id": "pyup.io-43074", "specs": [ "<0.8.1" ], @@ -232,8 +279,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41227", - "id": "pyup.io-43058", + "cve": "CVE-2021-41201", + "id": "pyup.io-43077", "specs": [ "<0.8.1" ], @@ -241,8 +288,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41225", - "id": "pyup.io-43059", + "cve": "CVE-2021-41197", + "id": "pyup.io-43078", "specs": [ "<0.8.1" ], @@ -250,8 +297,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41209", - "id": "pyup.io-43061", + "cve": "CVE-2021-41195", + "id": "pyup.io-43079", "specs": [ "<0.8.1" ], 
@@ -259,17 +306,17 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41213", - "id": "pyup.io-43062", + "cve": "CVE-2021-41206", + "id": "pyup.io-43072", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { - "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41204", - "id": "pyup.io-43063", + "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", + "cve": "PVE-2021-41277", + "id": "pyup.io-43084", "specs": [ "<0.8.1" ], @@ -277,17 +324,17 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41228", - "id": "pyup.io-43064", + "cve": "CVE-2021-41210", + "id": "pyup.io-43081", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { - "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41222", - "id": "pyup.io-43065", + "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", + "cve": "CVE-2021-23437", + "id": "pyup.io-43083", "specs": [ "<0.8.1" ], @@ -295,8 +342,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41224", - "id": "pyup.io-43066", + "cve": "CVE-2021-41200", + "id": "pyup.io-43052", "specs": [ "<0.8.1" ], @@ -304,8 +351,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41218", - "id": "pyup.io-43067", + "cve": "CVE-2021-41211", + "id": "pyup.io-43053", "specs": [ "<0.8.1" ], @@ -313,8 +360,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41216", - "id": "pyup.io-43068", + "cve": "CVE-2021-41226", + "id": "pyup.io-43057", "specs": [ "<0.8.1" ], 
@@ -322,8 +369,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41215", - "id": "pyup.io-43069", + "cve": "CVE-2021-41227", + "id": "pyup.io-43058", "specs": [ "<0.8.1" ], @@ -331,8 +378,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41220", - "id": "pyup.io-43070", + "cve": "CVE-2021-41225", + "id": "pyup.io-43059", "specs": [ "<0.8.1" ], @@ -340,8 +387,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41206", - "id": "pyup.io-43072", + "cve": "CVE-2021-41221", + "id": "pyup.io-43060", "specs": [ "<0.8.1" ], @@ -349,8 +396,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41205", - "id": "pyup.io-43073", + "cve": "CVE-2021-41209", + "id": "pyup.io-43061", "specs": [ "<0.8.1" ], @@ -358,8 +405,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41212", - "id": "pyup.io-43074", + "cve": "CVE-2021-41213", + "id": "pyup.io-43062", "specs": [ "<0.8.1" ], @@ -367,8 +414,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41202", - "id": "pyup.io-43076", + "cve": "CVE-2021-41204", + "id": "pyup.io-43063", "specs": [ "<0.8.1" ], @@ -376,8 +423,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41201", - "id": "pyup.io-43077", + "cve": "CVE-2021-41228", + "id": "pyup.io-43064", "specs": [ "<0.8.1" ], 
@@ -385,8 +432,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41197", - "id": "pyup.io-43078", + "cve": "CVE-2021-41222", + "id": "pyup.io-43065", "specs": [ "<0.8.1" ], @@ -394,8 +441,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41195", - "id": "pyup.io-43079", + "cve": "CVE-2021-41224", + "id": "pyup.io-43066", "specs": [ "<0.8.1" ], @@ -403,8 +450,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41208", - "id": "pyup.io-43071", + "cve": "CVE-2021-41220", + "id": "pyup.io-43070", "specs": [ "<0.8.1" ], @@ -412,8 +459,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41211", - "id": "pyup.io-43053", + "cve": "CVE-2021-41208", + "id": "pyup.io-43071", "specs": [ "<0.8.1" ], @@ -421,8 +468,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41221", - "id": "pyup.io-43060", + "cve": "CVE-2021-41205", + "id": "pyup.io-43073", "specs": [ "<0.8.1" ], @@ -439,8 +486,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41198", - "id": "pyup.io-43080", + "cve": "CVE-2021-41202", + "id": "pyup.io-43076", "specs": [ "<0.8.1" ], @@ -448,8 +495,8 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41210", - "id": "pyup.io-43081", + "cve": "CVE-2021-41198", + "id": "pyup.io-43080", "specs": [ "<0.8.1" ], 
@@ -457,26 +504,26 @@ }, { "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", - "cve": "CVE-2021-23437", - "id": "pyup.io-43083", + "cve": "CVE-2021-34552", + "id": "pyup.io-43082", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { - "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", - "cve": "PVE-2021-41277", - "id": "pyup.io-43084", + "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", + "cve": "CVE-2021-41196", + "id": "pyup.io-43050", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { - "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", - "cve": "CVE-2021-34552", - "id": "pyup.io-43082", + "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", + "cve": "CVE-2021-41199", + "id": "pyup.io-43002", "specs": [ "<0.8.1" ], @@ -523,7 +570,7 @@ "v": "<1.6.0" }, { - "advisory": "Aiida-core 1.6.5 updates 'PyYAML' to v5.4 to fix critical security issues.", + "advisory": "Aiida-core 1.6.5 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2019-20477", "id": "pyup.io-41169", "specs": [ @@ -552,7 +599,7 @@ ], "aioapns": [ { - "advisory": "Certificate hostname validation in aioapns version 1.10 was enabled by default for security reasons. It can be turned off by using no_cert_validation option.", + "advisory": "Certificate hostname validation in aioapns version 1.10 is enabled by default for security reasons. It can be turned off by using no_cert_validation option.", "cve": "PVE-2021-38620", "id": "pyup.io-38620", "specs": [ 
@@ -636,13 +683,31 @@ ], "aiohttp-jinja2": [ { - "advisory": "Aiohttp-jinja2 1.1.1 bumps minimal supported ``jinja2`` version to 2.10.1 to avoid a security vulnerability problem.", - "cve": "PVE-2021-37095", + "advisory": "Aiohttp-jinja2 1.1.1 updates minimal supported 'Jinja2' version to 2.10.1 to include security fixes.", + "cve": "CVE-2014-1402", "id": "pyup.io-37095", "specs": [ "<1.1.1" ], "v": "<1.1.1" + }, + { + "advisory": "Aiohttp-jinja2 1.1.1 updates minimal supported 'Jinja2' version to 2.10.1 to include security fixes.", + "cve": "CVE-2016-10745", + "id": "pyup.io-44431", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + }, + { + "advisory": "Aiohttp-jinja2 1.1.1 updates minimal supported 'Jinja2' version to 2.10.1 to include security fixes.", + "cve": "CVE-2019-10906", + "id": "pyup.io-44432", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" } ], "aiohttp-swagger": [ @@ -1014,6 +1079,15 @@ } ], "analytics-zoo": [ + { + "advisory": "Analytics-zoo 0.11.1 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/be893d0c173563df923b54578774bd4226d0bbd9", + "cve": "CVE-2021-44228", + "id": "pyup.io-43615", + "specs": [ + "<0.11.1" + ], + "v": "<0.11.1" + }, { "advisory": "Analytics-zoo 0.11.1 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/be893d0c173563df923b54578774bd4226d0bbd9", "cve": "CVE-2021-45105", 
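Review bot: The aiohttp-jinja2 row keeps `"id": "pyup.io-37095"` while its `cve` changes from the placeholder PVE-2021-37095 to CVE-2014-1402, so a stable identifier now denotes a different vulnerability than it did before this commit; the same happens to pyup.io-42732 in the apache-superset hunk, which moves from PVE-2021-42732 to CVE-2017-18869. If consumers suppress findings by id (safety's ignore option takes these numeric ids), a suppression entered for the old placeholder now silently covers the newly mapped CVE. The two new rows pyup.io-44431 and pyup.io-44432 in this same hunk show the safer pattern: mint a fresh id for each newly mapped CVE and leave the old id attached to its original text. If the intended contract is that an id names the package-advisory row rather than the CVE, that is not visible here and is worth stating in the repository documentation.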
@@ -1033,24 +1107,24 @@ "v": "<0.11.1" }, { - "advisory": "Analytics-zoo 0.11.1 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/be893d0c173563df923b54578774bd4226d0bbd9", - "cve": "CVE-2021-44228", - "id": "pyup.io-43615", + "advisory": "Analytics-zoo 0.11.2 updates its dependency 'log4j' to v2.17.1 to fix a medium severity vulnerability.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/c75cfc1076adbefa4f5fe0185bff4e7cf3f99b82", + "cve": "CVE-2021-44832", + "id": "pyup.io-44464", "specs": [ - "<0.11.1" + "<0.11.2" ], - "v": "<0.11.1" + "v": "<0.11.2" } ], - "anncolvar": [ + "anchorpy": [ { - "advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.", - "cve": "PVE-2021-36803", - "id": "pyup.io-36803", + "advisory": "Anchorpy 0.6.4 updates its dependency 'ipython' to v8.0.1 to include a security fix.", + "cve": "CVE-2022-21699", + "id": "pyup.io-44648", "specs": [ - "<0.4" + "<0.6.4" ], - "v": "<0.4" + "v": "<0.6.4" } ], "annotator": [ 
@@ -1536,139 +1610,85 @@ ], "ansible-tower-cli": [ { - "advisory": "Ansible-tower-cli is vulnerable to CVE-2020-10744: The provided fix for CVE-2020-1733 was insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and previous versions are affected. Also Ansible Tower 3.4.5, 3.5.6 and 3.6.4 and previous versions.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744", - "cve": "CVE-2020-10744", - "id": "pyup.io-42863", - "specs": [ - "<3.4.5" - ], - "v": "<3.4.5" - }, - { - "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1735.", "cve": "CVE-2020-1735", "id": "pyup.io-42878", "specs": [ - "<3.6.4" + "<3.2.0" ], - "v": "<3.6.4" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. 
An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1733.", "cve": "CVE-2020-1733", "id": "pyup.io-42880", "specs": [ - "<3.6.4" - ], - "v": "<3.6.4" - }, - { - "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736", - "cve": "CVE-2020-1736", - "id": "pyup.io-42876", - "specs": [ - "<3.6.4" + "<3.2.0" ], - "v": "<3.6.4" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. 
These are affected by CVE-2020-1740.", "cve": "CVE-2020-1740", "id": "pyup.io-42870", "specs": [ - "<3.6.4" + "<3.2.0" ], - "v": "<3.6.4" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1739.", "cve": "CVE-2020-1739", "id": "pyup.io-42872", "specs": [ - "<3.6.4" + "<3.2.0" ], - "v": "<3.6.4" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.6.4 includes a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1738.", "cve": "CVE-2020-1738", "id": "pyup.io-42874", "specs": [ - "<3.6.4" - ], - "v": "<3.6.4" - }, - { - "advisory": "Ansible-tower-cli 3.7 includes a fix for CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection. 
This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1968412", - "cve": "CVE-2021-3583", - "id": "pyup.io-42925", - "specs": [ - "<3.7" - ], - "v": "<3.7" - }, - { - "advisory": "Ansible-tower-cli 3.8 includes a fix for CVE-2021-3532: A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956464", - "cve": "CVE-2021-3532", - "id": "pyup.io-42922", - "specs": [ - "<3.8" - ], - "v": "<3.8" - }, - { - "advisory": "Ansible-tower-cli 3.8 includes a fix for CVE-2021-3533: A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. 
This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956477", - "cve": "CVE-2021-3533", - "id": "pyup.io-42927", - "specs": [ - "<3.8" + "<3.2.0" ], - "v": "<3.8" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.8.2 includes a fix for CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker could take advantage of this information to steal those credentials, provided it had access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1939349", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2021-3447.", "cve": "CVE-2021-3447", "id": "pyup.io-42861", "specs": [ - "<3.8.2" - ], - "v": "<3.8.2" - }, - { - "advisory": "Ansible-tower-cli 3.3.6 includes a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. 
An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.", - "cve": "CVE-2020-10684", - "id": "pyup.io-42865", - "specs": [ - "<=3.3.5" + "<3.2.0" ], - "v": "<=3.3.5" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.1.0 includes a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", - "cve": "CVE-2019-14864", - "id": "pyup.io-42883", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2021-3583.", + "cve": "CVE-2021-3583", + "id": "pyup.io-42925", "specs": [ - ">=3.0.0,<3.1.0" + "<3.2.0" ], - "v": ">=3.0.0,<3.1.0" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.1.0 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774", - "cve": "CVE-2021-20178", - "id": "pyup.io-42859", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. 
These are affected by CVE-2020-1736.", + "cve": "CVE-2020-1736", + "id": "pyup.io-42876", "specs": [ - ">=3.0.0,<3.1.0" + "<3.2.0" ], - "v": ">=3.0.0,<3.1.0" + "v": "<3.2.0" }, { - "advisory": "Ansible-tower-cli 3.1.0 includes a fix for CVE-2021-20191: Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1916813", - "cve": "CVE-2021-20191", - "id": "pyup.io-42857", + "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-10684.", + "cve": "CVE-2020-10684", + "id": "pyup.io-42865", "specs": [ - ">=3.0.0,<3.1.0" + "<3.2.0" ], - "v": ">=3.0.0,<3.1.0" + "v": "<3.2.0" } ], "ansible-vault": [ 
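Review bot: The rewritten ansible-tower-cli entries collapse every range to `<3.2.0`, but two of the retained CVEs do not fit the stated API-v1 rationale: the previous text for CVE-2021-3447 said Tower before 3.8.2 is affected (old specs `<3.8.2`) and CVE-2021-3583 was ranged `<3.7`, so installs of 3.2.0 through 3.8.1 stop being flagged for those two with no justification on the page. If the new basis is that the CLI is only exposed when it talks to an affected Tower, the advisory text should explain how a 2021 flaw is bounded by the 3.2.0 cut-off, or those two entries should keep their previous ranges. The shared advisory string, repeated in all nine entries, reads `use API v1, what implies the use of`; `use API v1, which implies the use of` is the intended wording. Six entries (CVE-2020-10744, CVE-2021-3532, CVE-2021-3533, CVE-2019-14864, CVE-2021-20178, CVE-2021-20191) are dropped rather than re-ranged, which is presumably deliberate but is worth recording, since any ignore lists keyed on their pyup.io ids now reference nothing.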
@@ -1695,70 +1715,52 @@ ], "ansitoimg": [ { - "advisory": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", - "cve": "CVE-2021-27923", - "id": "pyup.io-40993", - "specs": [ - "<2021.0.1" - ], - "v": "<2021.0.1" - }, - { - "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35655: In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", - "cve": "CVE-2020-35655", - "id": "pyup.io-40994", + "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", + "cve": "CVE-2021-27921", + "id": "pyup.io-40611", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { - "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35653: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", - "cve": "CVE-2020-35653", - "id": "pyup.io-40995", + "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", + "cve": "CVE-2021-27922", + "id": "pyup.io-40612", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { - "advisory": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", + "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2021-27923", - "id": "pyup.io-40607", - "specs": [ - "<2021.0.1" - ], - "v": "<2021.0.1" - }, - { - "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity 
security vulnerability (CVE-2020-35654).", - "cve": "CVE-2020-35654", - "id": "pyup.io-40609", + "id": "pyup.io-40993", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { - "advisory": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", - "cve": "CVE-2021-27921", - "id": "pyup.io-40611", + "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", + "cve": "CVE-2020-35655", + "id": "pyup.io-40994", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { - "advisory": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", - "cve": "CVE-2021-27922", - "id": "pyup.io-40612", + "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", + "cve": "CVE-2020-35653", + "id": "pyup.io-40995", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { - "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35654: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.", + "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2020-35654", "id": "pyup.io-40996", "specs": [ 
@@ -1769,7 +1771,7 @@ ], "anymotion-sdk": [ { - "advisory": "An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.", + "advisory": "Anymotion-sdk 1.2.5 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "cve": "CVE-2021-33503", "id": "pyup.io-40842", "specs": [ @@ -1849,8 +1851,8 @@ "apache-flink": [ { "advisory": "Apache-flink 1.14.2 updates its dependency 'log4j' to v2.16.0 to fix critical vulnerabilities.\r\nhttps://github.com/apache/flink/commit/361ce6591069b2f7317f1c181cdaf7965615415c", - "cve": "CVE-2021-45046", - "id": "pyup.io-43417", + "cve": "CVE-2021-44228", + "id": "pyup.io-43416", "specs": [ "<1.14.2" ], @@ -1858,15 +1860,24 @@ }, { "advisory": "Apache-flink 1.14.2 updates its dependency 'log4j' to v2.16.0 to fix critical vulnerabilities.\r\nhttps://github.com/apache/flink/commit/361ce6591069b2f7317f1c181cdaf7965615415c", - "cve": "CVE-2021-44228", - "id": "pyup.io-43416", + "cve": "CVE-2021-45046", + "id": "pyup.io-43417", "specs": [ "<1.14.2" ], "v": "<1.14.2" }, { - "advisory": "Apache-flink 1.14.2 and prior includes a version of 'log4j' affected by severe vulnerabilities.", + "advisory": "Apache-flink 1.14.2 and prior includes a version of 'log4j' affected by a medium severity vulnerability.", + "cve": "CVE-2021-44832", + "id": "pyup.io-44453", + "specs": [ + "<=1.14.2" + ], + "v": "<=1.14.2" + }, + { + "advisory": "Apache-flink 1.14.2 and prior includes a version of 'log4j' affected by a severe vulnerability.", "cve": "CVE-2021-45105", "id": "pyup.io-43436", "specs": [ 
@@ -2052,8 +2063,26 @@
 "v": "<0.36.0"
 },
 {
- "advisory": "Apache-superset 0.36.0 updates NPM dependencies to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
- "cve": "PVE-2021-42732",
+ "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascript' to v2.1.2 to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
+ "cve": "CVE-2019-16769",
+ "id": "pyup.io-44577",
+ "specs": [
+ "<0.36.0"
+ ],
+ "v": "<0.36.0"
+ },
+ {
+ "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascript' to v2.1.2 to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
+ "cve": "CVE-2019-16772",
+ "id": "pyup.io-44578",
+ "specs": [
+ "<0.36.0"
+ ],
+ "v": "<0.36.0"
+ },
+ {
+ "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'chownr' to v1.1.1 to include a security fix.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
+ "cve": "CVE-2017-18869",
 "id": "pyup.io-42732",
 "specs": [
 "<0.36.0"
@@ -2202,6 +2231,17 @@
 "v": "<0.9.2"
 }
 ],
+ "approzium": [
+ {
+ "advisory": "Approzium 0.2.1 adds further checks on the call returned from AWS to prevent exploits like the ones described here:\r\nhttps://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html\r\nNOTE: This is a security precaution, there isn't any known exploit affecting this package.",
+ "cve": "PVE-2022-44510",
+ "id": "pyup.io-44510",
+ "specs": [
+ "<0.2.1"
+ ],
+ "v": "<0.2.1"
+ }
+ ],
 "appwrite": [
 {
 "advisory": "Appwrite (SDK for Python) version 0.2.0 adds support for appwrite 0.8.0. Appwrite 0.7.1 fixed an XSS vulnerability in the appwrite console.",
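Review bot: The new approzium entry (pyup.io-44510, `@@ -2202,6` hunk) has exactly the shape of a vulnerability record with spec `<0.2.1`, although its own text says `there isn't any known exploit affecting this package`; a consumer that matches installed versions against this file cannot tell a precautionary hardening note from a real finding and will report it as one. The record has no field to carry severity or an informational marker, so the distinction lives only in the last sentence of free text. If the schema cannot be extended, consider at least leading the advisory with the NOTE sentence so the qualifier is read first, or keeping hardening-only notes out of the `insecure_full.json` feed.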
@@ -2242,6 +2282,17 @@
 "v": "<=0.2.2"
 }
 ],
+ "archivy": [
+ {
+ "advisory": "Archivy 1.6.2 improves CSRF protection for delete actions.\r\nhttps://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d",
+ "cve": "PVE-2022-44511",
+ "id": "pyup.io-44511",
+ "specs": [
+ "<1.6.2"
+ ],
+ "v": "<1.6.2"
+ }
+ ],
 "archmage": [
 {
 "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.",
@@ -2253,6 +2304,17 @@
 "v": "<0.3.1"
 }
 ],
+ "arrnounced": [
+ {
+ "advisory": "Arrnounced 0.4 replaces XML parser with defusedxml to prevent XML attacks.\r\nhttps://github.com/weannounce/arrnounced/commit/5a1d186b32162b317b1762b8602342b0b3050bda",
+ "cve": "PVE-2022-43754",
+ "id": "pyup.io-43754",
+ "specs": [
+ "<0.4"
+ ],
+ "v": "<0.4"
+ }
+ ],
 "asciidoc": [
 {
 "advisory": "Asciidoc 8.6.6 removes the use of 'eval()' on untrusted input to disallow malicious code execution.",
@@ -2350,6 +2412,17 @@
 "v": "<0.4.0"
 }
 ],
+ "audible": [
+ {
+ "advisory": "Audible 0.6.0 switched to 'auth_code_flow' when login, giving an auth code instead of an access token. This helps to improve the exposure of sensitive information and also authentication.\r\nhttps://github.com/mkb79/Audible/commit/85b45e91c8e4c608e410253d840b33ef85320e40",
+ "cve": "PVE-2022-44680",
+ "id": "pyup.io-44680",
+ "specs": [
+ "<0.6.0"
+ ],
+ "v": "<0.6.0"
+ }
+ ],
 "auditree-framework": [
 {
 "advisory": "Auditree-framework 1.19.0 fixes minor security issues found by the 'bandit'.",
@@ -2383,7 +2456,7 @@
 ],
 "austin-tui": [
 {
- "advisory": "Austin-tui 1.1.1 updates its dependency 'lxml' to v4.7.1 to include a security fix.",
+ "advisory": "Austin-tui 1.1.1 updates its dependency 'lxml' to v4.6.5 to include a security fix.",
 "cve": "CVE-2021-43818",
 "id": "pyup.io-43620",
 "specs": [
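Review bot: The audible advisory (pyup.io-44680, `@@ -2350,6` hunk) reads `This helps to improve the exposure of sensitive information and also authentication`, which states the opposite of what the first sentence describes — exchanging an auth code instead of handing out an access token reduces exposure. Suggested wording: `This helps to reduce the exposure of sensitive information and improves authentication.` The other fields of the new entries in this line are consistent with the surrounding records.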
@@ -2412,6 +2485,17 @@
 "v": "<0.3.1"
 }
 ],
+ "auto-optional": [
+ {
+ "advisory": "Auto-optional 0.3.2 updates its dependency 'mkdocs' to v1.2.3 to include a security fix.",
+ "cve": "CVE-2021-40978",
+ "id": "pyup.io-44586",
+ "specs": [
+ "<0.3.2"
+ ],
+ "v": "<0.3.2"
+ }
+ ],
 "auto-surprise": [
 {
 "advisory": "Auto-surprise 0.1.7 includes bot security version updates.",
@@ -2455,8 +2539,8 @@
 "autocrop": [
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-5310",
- "id": "pyup.io-42932",
+ "cve": "CVE-2020-35654",
+ "id": "pyup.io-42938",
 "specs": [
 "<1.1.1"
 ],
@@ -2464,8 +2548,8 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-11538",
- "id": "pyup.io-42934",
+ "cve": "CVE-2020-35653",
+ "id": "pyup.io-42939",
 "specs": [
 "<1.1.1"
 ],
@@ -2473,17 +2557,17 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-10378",
- "id": "pyup.io-42936",
+ "cve": "CVE-2020-35655",
+ "id": "pyup.io-42940",
 "specs": [
 "<1.1.1"
 ],
 "v": "<1.1.1"
 },
 {
- "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-10994",
- "id": "pyup.io-42937",
+ "advisory": "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
+ "cve": "CVE-2020-15999",
+ "id": "pyup.io-42851",
 "specs": [
 "<1.1.1"
 ],
@@ -2491,8 +2575,8 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-35653",
- "id": "pyup.io-42939",
+ "cve": "CVE-2020-10378",
+ "id": "pyup.io-42936",
 "specs": [
 "<1.1.1"
 ],
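Review bot: In the `@@ -2473,17` hunk the autocrop entry pyup.io-42851 now carries the upstream Chrome description (`Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 ...`) while its spec stays `<1.1.1`; nothing in the text explains why an autocrop version range is affected by a Chrome CVE, so a reader of a match on this record gets no actionable information. Every other entry in this list uses the `Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.` wording, and this one should keep that form (presumably the link is Pillow's bundled FreeType — worth confirming), e.g. `Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes. See CVE-2020-15999.` The same shuffle of cve/id pairs continues in the autocrop hunks on the next line, which look like pure reordering.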
@@ -2500,8 +2584,8 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-35655",
- "id": "pyup.io-42940",
+ "cve": "CVE-2020-5310",
+ "id": "pyup.io-42932",
 "specs": [
 "<1.1.1"
 ],
@@ -2518,8 +2602,8 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-10379",
- "id": "pyup.io-42935",
+ "cve": "CVE-2020-11538",
+ "id": "pyup.io-42934",
 "specs": [
 "<1.1.1"
 ],
@@ -2527,8 +2611,8 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-35654",
- "id": "pyup.io-42938",
+ "cve": "CVE-2020-10379",
+ "id": "pyup.io-42935",
 "specs": [
 "<1.1.1"
 ],
@@ -2536,8 +2620,8 @@
 },
 {
 "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.",
- "cve": "CVE-2020-15999",
- "id": "pyup.io-42851",
+ "cve": "CVE-2020-10994",
+ "id": "pyup.io-42937",
 "specs": [
 "<1.1.1"
 ],
@@ -2575,6 +2659,42 @@
 "<1.1.1"
 ],
 "v": "<1.1.1"
+ },
+ {
+ "advisory": "Aws-analytics-reference-architecture 1.8.8 updates its dependency 'log4j' and its references to v2.17.0 to fix critical security vulnerabilities.\r\nhttps://github.com/aws-samples/aws-analytics-reference-architecture/commit/c2c18615602c48f19be5a34dde6a8569f2fdfe0d",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-43972",
+ "specs": [
+ "<1.8.8"
+ ],
+ "v": "<1.8.8"
+ },
+ {
+ "advisory": "Aws-analytics-reference-architecture 1.8.8 updates its dependency 'log4j' and its references to v2.17.0 to fix critical security vulnerabilities.\r\nhttps://github.com/aws-samples/aws-analytics-reference-architecture/commit/c2c18615602c48f19be5a34dde6a8569f2fdfe0d",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-44479",
+ "specs": [
+ "<1.8.8"
+ ],
+ "v": "<1.8.8"
+ },
+ {
+ "advisory": "Aws-analytics-reference-architecture 1.8.8 updates its dependency 'log4j' and its references to v2.17.0 to fix critical security vulnerabilities.\r\nhttps://github.com/aws-samples/aws-analytics-reference-architecture/commit/c2c18615602c48f19be5a34dde6a8569f2fdfe0d",
+ "cve": "CVE-2021-45105",
+ "id": "pyup.io-44480",
+ "specs": [
+ "<1.8.8"
+ ],
+ "v": "<1.8.8"
+ },
+ {
+ "advisory": "Aws-analytics-reference-architecture 1.11.0 and prior includes a version of 'log4j' affected by a medium severity vulnerability.",
+ "cve": "CVE-2021-44832",
+ "id": "pyup.io-44481",
+ "specs": [
+ "<=1.11.0"
+ ],
+ "v": "<=1.11.0"
 }
 ],
 "aws-encryption-sdk": [
@@ -2608,26 +2728,6 @@
 "<4.0.0"
 ],
 "v": "<4.0.0"
- },
- {
- "advisory": "Aws-encryption-sdk-cli 4.1.0 no longer supports Python 3.5. The mentioned Python version doesn't receive security updates anymore.",
- "cve": "PVE-2021-42631",
- "id": "pyup.io-42631",
- "specs": [
- "<4.1.0"
- ],
- "v": "<4.1.0"
- }
- ],
- "aws-glue-schema-registry": [
- {
- "advisory": "Aws-glue-schema-registry fixes security vulnerability in transitive dependencies.",
- "cve": "PVE-2021-42757",
- "id": "pyup.io-42757",
- "specs": [
- "<1.1.5"
- ],
- "v": "<1.1.5"
 }
 ],
 "aws-parallelcluster": [
@@ -2911,7 +3011,7 @@
 ],
 "bento-lib": [
 {
- "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.",
+ "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.\r\nhttps://github.com/bento-platform/bento_lib/commit/991ee4fd406e3397435d1c8c02f1d0c48b9ec594\r\nhttps://github.com/bento-platform/bento_lib/commit/046a023abe8de0c3e13963a0c236df4f34ade244",
 "cve": "PVE-2021-41035",
 "id": "pyup.io-41035",
 "specs": [
@@ -3321,7 +3421,7 @@
 "v": "<1.0.0a20"
 },
 {
- "advisory": "transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.",
+ "advisory": "Boss-cli 1.0.0alpha.18 updates its dependency 'paramiko' to v2.4.1 to include a security fix.",
 "cve": "CVE-2018-7750",
 "id": "pyup.io-36543",
 "specs": [
@@ -3548,7 +3648,16 @@
 "v": "<1.16.2"
 },
 {
- "advisory": "Bzt 1.16.2 and prior includes a version of 'jmeter' (5.4.2) affected by severe vulnerabilities.",
+ "advisory": "Bzt 1.16.2 and prior includes a version of 'jmeter' (5.4.2) affected by a medium severity vulnerability.",
+ "cve": "CVE-2021-44832",
+ "id": "pyup.io-44454",
+ "specs": [
+ "<=1.16.2"
+ ],
+ "v": "<=1.16.2"
+ },
+ {
+ "advisory": "Bzt 1.16.2 and prior includes a version of 'jmeter' (5.4.2) affected by a severe vulnerability.",
 "cve": "CVE-2021-45105",
 "id": "pyup.io-43435",
 "specs": [
@@ -3652,31 +3761,40 @@
 ],
 "cancat": [
 {
- "advisory": "Cancat 1.9.3.4 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
+ "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-43585",
+ "specs": [
+ "<=2.0.0"
+ ],
+ "v": "<=2.0.0"
+ },
+ {
+ "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
 "cve": "CVE-2021-45105",
 "id": "pyup.io-43586",
 "specs": [
- "<=1.9.3.4"
+ "<=2.0.0"
 ],
- "v": "<=1.9.3.4"
+ "v": "<=2.0.0"
 },
 {
- "advisory": "Cancat 1.9.3.4 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
- "cve": "CVE-2021-45046",
- "id": "pyup.io-43585",
+ "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
+ "cve": "CVE-2021-44832",
+ "id": "pyup.io-44459",
 "specs": [
- "<=1.9.3.4"
+ "<=2.0.0"
 ],
- "v": "<=1.9.3.4"
+ "v": "<=2.0.0"
 },
 {
- "advisory": "Cancat 1.9.3.4 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
+ "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
 "cve": "CVE-2021-44228",
 "id": "pyup.io-43587",
 "specs": [
- "<=1.9.3.4"
+ "<=2.0.0"
 ],
- "v": "<=1.9.3.4"
+ "v": "<=2.0.0"
 },
 ],
 "candig-server": [
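Review bot: The new cancat entry pyup.io-44459 describes CVE-2021-44832 with the shared `containing severe and critical vulnerabilities` text, while the same CVE added by this commit for apache-flink (pyup.io-44453), bzt (pyup.io-44454) and aws-analytics-reference-architecture (pyup.io-44481) is described as `a medium severity vulnerability`. A consumer that reads severity from the advisory text gets two different answers for one CVE depending on which package matched. Since cancat already has one record per CVE, the 44459 entry can use its own wording, e.g. `Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' affected by a medium severity vulnerability.`, leaving the shared text on the 44228/45046/45105 records.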
@@ -3690,8 +3808,8 @@
 "v": "<0.9.0"
 },
 {
- "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.",
- "cve": "PVE-2021-37218",
+ "advisory": "Candig-server 0.9.2 updates its dependency 'Jinja2' to v2.10.1 to include a security fix.",
+ "cve": "CVE-2019-10906",
 "id": "pyup.io-37218",
 "specs": [
 "<0.9.2"
@@ -3821,6 +3939,15 @@
 "<0.0.83"
 ],
 "v": "<0.0.83"
+ },
+ {
+ "advisory": "Cdk-ecr-deployment 2.0.7 updates 'containerd' and 'opencontainers' images to include security fixes.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46",
+ "cve": "PVE-2022-44474",
+ "id": "pyup.io-44474",
+ "specs": [
+ "<2.0.7"
+ ],
+ "v": "<2.0.7"
 }
 ],
 "cedar-backup3": [
@@ -3854,7 +3981,7 @@
 "v": "<5.2.0"
 },
 {
- "advisory": "Celery 5.2.2 includes a fix for CVE-2021-23727: Celery before 5.2.2. by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.\r\nhttps://github.com/celery/celery/blob/master/Changelog.rst#522",
+ "advisory": "Celery 5.2.2 includes a fix for CVE-2021-23727: Celery before 5.2.2. by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.",
 "cve": "CVE-2021-23727",
 "id": "pyup.io-43738",
 "specs": [
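Review bot: The celery rewrite (pyup.io-43738, `@@ -3854,7` hunk) drops the entry's only reference link (`https://github.com/celery/celery/blob/master/Changelog.rst#522`) while the same commit adds reference links to cdk-ecr-deployment in this line and to bento-lib earlier; if the link was removed because `master` is a moving target, a changelog reference pinned to a tag would serve readers better than no reference at all. The retained text also keeps the stray full stop in `Celery before 5.2.2. by default trusts`, which should read `Celery before 5.2.2 by default trusts`. The cdk-ecr-deployment entry names no CVE for the containerd/opencontainers updates, so a reader cannot tell which image vulnerabilities it covers; if the upstream commit identifies them, listing them in the advisory text would help.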
@@ -4122,9 +4249,9 @@
 ],
 "chatbot-ner": [
 {
- "advisory": "Chatbot-ner 0.5.8 updates its dependency 'NLTK' to v3.4.5 to include a security fix.",
- "cve": "CVE-2019-14751",
- "id": "pyup.io-42431",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-42434",
 "specs": [
 "<0.5.8"
 ],
@@ -4140,9 +4267,9 @@
 "v": "<0.5.8"
 },
 {
- "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.",
- "cve": "CVE-2019-14232",
- "id": "pyup.io-42434",
+ "advisory": "Chatbot-ner 0.5.8 updates its dependency 'NLTK' to v3.4.5 to include a security fix.",
+ "cve": "CVE-2019-14751",
+ "id": "pyup.io-42431",
 "specs": [
 "<0.5.8"
 ],
@@ -4166,15 +4293,6 @@
 ],
 "v": "<0.5.8"
 },
- {
- "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.26 to include security fixes.",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-38515",
- "specs": [
- "<0.6.0"
- ],
- "v": "<0.6.0"
- },
 {
 "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.27 to include security fixes.",
 "cve": "CVE-2019-14232",
@@ -4202,6 +4320,15 @@
 ],
 "v": "<0.6.0"
 },
+ {
+ "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.26 to include security fixes.",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-38515",
+ "specs": [
+ "<0.6.0"
+ ],
+ "v": "<0.6.0"
+ },
 {
 "advisory": "Chatbot-ner 0.6.0 updates its dependency 'nltk' to v3.4.5 to include a security fix.",
 "cve": "CVE-2019-14751",
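Review bot: After the reorder, chatbot-ner still lists CVE-2019-14232 twice with nested ranges — pyup.io-42434 (`<0.5.8`, `'django' to v1.11.26`) and the 0.6.0 entry in the `@@ -4166,15` hunk (`<0.6.0`, `'Django' to v1.11.27`, whose id lies outside the hunk) — and the moved pyup.io-38515 entry gives `v1.11.26` for CVE-2019-14234 in the same 0.6.0 release; CVE-2019-14751 shows the same pattern (pyup.io-42431 at `<0.5.8` and the 0.6.0 nltk entry at the end of the line). Any version below 0.5.8 matches both records and is reported twice for one CVE, and the two Django versions cannot both be the 0.6.0 pin. Either drop the `<0.5.8` records as subsumed by `<0.6.0`, or scope the 0.6.0 records to `>=0.5.8,<0.6.0`, and make the Django version in the 0.6.0 records agree (which one is right is not visible here).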
@@ -4298,17194 +4425,22568 @@ ], "chia": [ { - "advisory": "Chia 2.4.0 updates tensorflow and tensorflow-addons versions to include mitigations against vulnerabilities.", - "cve": "PVE-2021-41298", - "id": "pyup.io-41298", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29550", + "id": "pyup.io-44255", "specs": [ "<2.4.0" ], "v": "<2.4.0" - } - ], - "chia-blockchain": [ + }, { - "advisory": "Consideration of the new consensus algorithm in chia-blockchain version 1.0beta19 resulted in a much higher security level against all attacks.", - "cve": "PVE-2021-39444", - "id": "pyup.io-39444", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29551", + "id": "pyup.io-44256", "specs": [ - "<1.0b19" + "<2.4.0" ], - "v": "<1.0b19" + "v": "<2.4.0" }, { - "advisory": "Chia-blockchain 1.0b27 updates its GUI to handle CVE-2020-28477.\r\nhttps://github.com/Chia-Network/chia-blockchain/commit/45c85c0030a9b07bd3d07fc0e7f7afc540b53009", - "cve": "CVE-2020-28477", - "id": "pyup.io-42341", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29552", + "id": "pyup.io-44257", "specs": [ - "<1.0b27" + "<2.4.0" ], - "v": "<1.0b27" + "v": "<2.4.0" }, { - "advisory": "Chia-blockchain 1.0b27 updates its dependency 'pyyaml' to v5.4.1 to include a security fix.", - "cve": "CVE-2020-14343", - "id": "pyup.io-42367", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29553", + "id": "pyup.io-44258", "specs": [ - "<1.0b27" + "<2.4.0" ], - "v": "<1.0b27" + "v": "<2.4.0" }, { - "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.", - "cve": "PVE-2021-38700", - "id": "pyup.io-38700", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29554", + "id": "pyup.io-44259", "specs": [ - "<1.0beta10" + "<2.4.0" ], - "v": 
"<1.0beta10" + "v": "<2.4.0" }, { - "advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.", - "cve": "PVE-2021-38844", - "id": "pyup.io-38844", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29555", + "id": "pyup.io-44260", "specs": [ - "<1.0beta14" + "<2.4.0" ], - "v": "<1.0beta14" + "v": "<2.4.0" }, { - "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. This increases security.", - "cve": "PVE-2021-38582", - "id": "pyup.io-38582", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29556", + "id": "pyup.io-44261", "specs": [ - "<1.0beta8" + "<2.4.0" ], - "v": "<1.0beta8" + "v": "<2.4.0" }, { - "advisory": "The Windows BLS Signature library in chia-blockchain 1.0beta9 uses libsodium for additional security. Additionally, this version includes various fixes for various node dependency security vulnerabilities.", - "cve": "PVE-2021-38629", - "id": "pyup.io-38629", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29557", + "id": "pyup.io-44262", "specs": [ - "<1.0beta9" + "<2.4.0" ], - "v": "<1.0beta9" + "v": "<2.4.0" }, { - "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity [security issue] (CVE-2021-21330).", - "cve": "CVE-2021-21330", - "id": "pyup.io-39672", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29558", + "id": "pyup.io-44263", "specs": [ - "<1.0rc5" + "<2.4.0" ], - "v": "<1.0rc5" + "v": "<2.4.0" }, { - "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. 
It also changes 'chia keys add' command to take secret words a prompt on the command line or stdin instead of command line arguments.", - "cve": "PVE-2021-39703", - "id": "pyup.io-39703", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29559", + "id": "pyup.io-44264", "specs": [ - "<1.0rc6" + "<2.4.0" ], - "v": "<1.0rc6" - } - ], - "chiavdf": [ + "v": "<2.4.0" + }, { - "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.", - "cve": "PVE-2021-39691", - "id": "pyup.io-39691", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29560", + "id": "pyup.io-44265", "specs": [ - "<1.0" + "<2.4.0" ], - "v": "<1.0" - } - ], - "choochoo": [ + "v": "<2.4.0" + }, { - "advisory": "Choochoo 0.40.0 updates its dependency React to the latest version \"hopefully\" removing several npm vulnerabilities.", - "cve": "PVE-2021-41273", - "id": "pyup.io-41273", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29561", + "id": "pyup.io-44266", "specs": [ - "<0.40.0" + "<2.4.0" ], - "v": "<0.40.0" - } - ], - "ciftify": [ + "v": "<2.4.0" + }, { - "advisory": "Ciftify version 2.3.3 includes security patches for several functions. Use of unsafe yaml load allows instantiation of arbitrary objects. 
Consider yaml.safe_load()\r\nhttps://github.com/edickie/ciftify/commit/7ac66dc2efc78bae272a0e1e713c81756f780969#diff-d55ace9e33dabdeba89768d93ae8fe97cf6d2ba4936fc5ab472b7bf749270b63", - "cve": "CVE-2020-1747", - "id": "pyup.io-41312", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29562", + "id": "pyup.io-44267", "specs": [ - "<2.3.3" + "<2.4.0" ], - "v": "<2.3.3" - } - ], - "cinder": [ + "v": "<2.4.0" + }, { - "advisory": "Cinder versions 14.1.0, 15.2.0 and 16.1.0 include a fix for CVE-2020-10755: An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. 
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API.\r\nhttps://wiki.openstack.org/wiki/OSSN/OSSN-0086", - "cve": "CVE-2020-10755", - "id": "pyup.io-38408", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29563", + "id": "pyup.io-44268", "specs": [ - "<14.1.0", - ">=15.0.0.0rc1,<15.2.0", - ">=16.0.0.0b1,<16.1.0" + "<2.4.0" ], - "v": "<14.1.0,>=15.0.0.0rc1,<15.2.0,>=16.0.0.0b1,<16.1.0" + "v": "<2.4.0" }, { - "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.", - "cve": "CVE-2013-1068", - "id": "pyup.io-25651", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29564", + "id": "pyup.io-44269", "specs": [ - "<2013.2.3" + "<2.4.0" ], - "v": "<2013.2.3" - } - ], - "cipher.googlepam": [ + "v": "<2.4.0" + }, { - "advisory": "In cipher.googlepam before 1.5.1 do not use the same cache key for all users. 
Previously when one user logged in successfully, others could not log in using their own passwords -- but the first user could now use her password to log in as anyone else.", - "cve": "PVE-2021-25652", - "id": "pyup.io-25652", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29565", + "id": "pyup.io-44270", "specs": [ - "<1.5.1" + "<2.4.0" ], - "v": "<1.5.1" - } - ], - "circuit-maintenance-parser": [ + "v": "<2.4.0" + }, { - "advisory": "Circuit-maintenance-parser 1.1.0 updates the 'Pydantic' dependency version due to security advisory (GHSA-5jqp-qgf6-3pvh).", - "cve": "PVE-2021-41103", - "id": "pyup.io-41103", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29566", + "id": "pyup.io-44271", "specs": [ - "<1.1.0" + "<2.4.0" ], - "v": "<1.1.0" - } - ], - "circup": [ + "v": "<2.4.0" + }, { - "advisory": "Circup 0.0.6 includes an unspecified security fix.", - "cve": "PVE-2021-37936", - "id": "pyup.io-37936", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29568", + "id": "pyup.io-44272", "specs": [ - "<0.0.6" + "<2.4.0" ], - "v": "<0.0.6" - } - ], - "ck": [ + "v": "<2.4.0" + }, { - "advisory": "Ck 1.7.1 fixes a server vulnerability (action with ; can run various CMD commands).", - "cve": "PVE-2021-40221", - "id": "pyup.io-40221", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29569", + "id": "pyup.io-44273", "specs": [ - "<1.7.1" + "<2.4.0" ], - "v": "<1.7.1" - } - ], - "ckan": [ + "v": "<2.4.0" + }, { - "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.", - "cve": "PVE-2021-34556", - "id": "pyup.io-34556", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29570", + "id": "pyup.io-44274", "specs": [ - "<1.5.1" + "<2.4.0" ], - "v": "<1.5.1" + "v": "<2.4.0" }, { - 
"advisory": "Ckan 1.8.1 fixes a possible XSS vulnerability on html input.\r\nhttps://github.com/ckan/ckan/pull/703", - "cve": "PVE-2021-34558", - "id": "pyup.io-34558", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29569", + "id": "pyup.io-44275", "specs": [ - "<1.8.1" + "<2.4.0" ], - "v": "<1.8.1" + "v": "<2.4.0" }, { - "advisory": "Ckan 2.6.9 fixes a code injection issue in the autocomplete module. See .", - "cve": "PVE-2021-39613", - "id": "pyup.io-39613", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29570", + "id": "pyup.io-44276", "specs": [ - "<2.6.9" + "<2.4.0" ], - "v": "<2.6.9" - } - ], - "clam": [ + "v": "<2.4.0" + }, { - "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.", - "cve": "PVE-2021-25653", - "id": "pyup.io-25653", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29569", + "id": "pyup.io-44277", "specs": [ - "<0.9.10" + "<2.4.0" ], - "v": "<0.9.10" + "v": "<2.4.0" }, { - "advisory": "Clam 0.9.11 fixes a RCE vulnerability in its dispatcher.\r\nhttps://github.com/proycon/clam/commit/f89ba22a3b74f0b86ce9d8190ce28b6da7331813", - "cve": "PVE-2021-25654", - "id": "pyup.io-25654", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29571", + "id": "pyup.io-44278", "specs": [ - "<0.9.11" + "<2.4.0" ], - "v": "<0.9.11" - } - ], - "clearsilver": [ + "v": "<2.4.0" + }, { - "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.", - "cve": "CVE-2011-4357", - "id": 
"pyup.io-25655", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29572", + "id": "pyup.io-44279", "specs": [ - "<0.10.5" + "<2.4.0" ], - "v": "<0.10.5" - } - ], - "cliboa": [ + "v": "<2.4.0" + }, { - "advisory": "Cliboa 2.0.0b0 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", - "cve": "CVE-2021-33503", - "id": "pyup.io-42681", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29573", + "id": "pyup.io-44280", "specs": [ - "<2.0.0b0" + "<2.4.0" ], - "v": "<2.0.0b0" - } - ], - "clickhouse-driver": [ + "v": "<2.4.0" + }, { - "advisory": "clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.", - "cve": "CVE-2020-26759", - "id": "pyup.io-42290", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29574", + "id": "pyup.io-44281", "specs": [ - "<0.1.5" + "<2.4.0" ], - "v": "<0.1.5" - } - ], - "client-sdk-python": [ + "v": "<2.4.0" + }, { - "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.", - "cve": "PVE-2021-37584", - "id": "pyup.io-37584", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29575", + "id": "pyup.io-44282", "specs": [ - "<4.7.0" + "<2.4.0" ], - "v": "<4.7.0" - } - ], - "clipster-desktop": [ + "v": "<2.4.0" + }, { - "advisory": "Clipster-desktop 0.3.0 includes various improvements to make the host more secure:\r\n* All clips are encrypted locally in the client before transmission to the server. \r\n* Server host can't decrypt clips: it never learns the users' password.\r\n* Password is not stored in cleartext anymore. 
Instead password hash is used.", - "cve": "PVE-2021-39388", - "id": "pyup.io-39388", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29576", + "id": "pyup.io-44283", "specs": [ - "<0.3.0" + "<2.4.0" ], - "v": "<0.3.0" - } - ], - "cliquery": [ + "v": "<2.4.0" + }, { - "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.", - "cve": "CVE-2021-28957", - "id": "pyup.io-40090", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29577", + "id": "pyup.io-44284", "specs": [ - "<1.10.0" + "<2.4.0" ], - "v": "<1.10.0" + "v": "<2.4.0" }, { - "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2 to include security fixes.", - "cve": "CVE-2020-27783", - "id": "pyup.io-39423", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29578", + "id": "pyup.io-44285", "specs": [ - "<1.9.3" + "<2.4.0" ], - "v": "<1.9.3" + "v": "<2.4.0" }, { - "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2 to include security fixes.", - "cve": "PVE-2021-39195", - "id": "pyup.io-43643", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29579", + "id": "pyup.io-44286", "specs": [ - "<1.9.3" + "<2.4.0" ], - "v": "<1.9.3" - } - ], - "cloudmarker": [ + "v": "<2.4.0" + }, { - "advisory": "Cloudmarker 0.0.5 adds the `FirewallRuleEvent` plugin to detect insecure firewall rules.", - "cve": "PVE-2021-37138", - "id": "pyup.io-37138", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29580", + "id": "pyup.io-44287", "specs": [ - "<0.0.5" + "<2.4.0" ], - "v": "<0.0.5" - } - ], - "cloudwatch-to-graphite": [ + "v": "<2.4.0" + }, { - "advisory": "Cloudwatch-to-graphite version 0.11.0 includes a security patch for the function 'get_config' in 
'leadbutt.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/crccheck/cloudwatch-to-graphite/commit/5875100c54a54a9c90cf2fe782cc3df147d32053#diff-ddb0922eafb2fa54199e50bb13de6178b1755e780387144df032f9e26512f15e", - "cve": "CVE-2020-1747", - "id": "pyup.io-41313", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29581", + "id": "pyup.io-44288", "specs": [ - "<0.11.0" + "<2.4.0" ], - "v": "<0.11.0" - } - ], - "cloverly-python-module": [ + "v": "<2.4.0" + }, { - "advisory": "Cloverly-python-module 0.2.0 adds a clear session function for security purposes.", - "cve": "PVE-2021-41085", - "id": "pyup.io-41085", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29582", + "id": "pyup.io-44289", "specs": [ - "<0.2.0" + "<2.4.0" ], - "v": "<0.2.0" - } - ], - "cmdlr": [ + "v": "<2.4.0" + }, { - "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`", - "cve": "PVE-2021-36854", - "id": "pyup.io-36854", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29584", + "id": "pyup.io-44291", "specs": [ - "<4.1.0" + "<2.4.0" ], - "v": "<4.1.0" - } - ], - "cmsplugin-filer": [ + "v": "<2.4.0" + }, { - "advisory": "Cmsplugin-filer 0.10.2 includes a fix for a XSS vulnerability in 'firstof' in folder template. 
Users with Django>1.7 aren't affected.\r\nhttps://github.com/divio/cmsplugin-filer/pull/185", - "cve": "PVE-2021-25656", - "id": "pyup.io-25656", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29585", + "id": "pyup.io-44292", "specs": [ - "<0.10.2" + "<2.4.0" ], - "v": "<0.10.2" - } - ], - "cnx-publishing": [ + "v": "<2.4.0" + }, { - "advisory": "Cnx-publishing 0.17.6 updates its dependency 'urllib3' to v1.25.8 to include a security fix.", - "cve": "CVE-2020-7212", - "id": "pyup.io-38128", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29586", + "id": "pyup.io-44293", "specs": [ - "<0.17.6" + "<2.4.0" ], - "v": "<0.17.6" - } - ], - "coapthon": [ + "v": "<2.4.0" + }, { - "advisory": "The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.", - "cve": "CVE-2018-12680", - "id": "pyup.io-42251", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29587", + "id": "pyup.io-44294", "specs": [ - "==3.1", - "==4.0.0", - "==4.0.1", - "==4.0.2" + "<2.4.0" ], - "v": "==3.1,==4.0.0,==4.0.1,==4.0.2" - } - ], - "cobbler": [ + "v": "<2.4.0" + }, { - "advisory": "Cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE. No information was provided about fixes or affected versions. 
See: CVE-2011-4954.", - "cve": "CVE-2011-4954", - "id": "pyup.io-37739", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29588", + "id": "pyup.io-44295", "specs": [ - ">0" + "<2.4.0" ], - "v": ">0" - } - ], - "cockroachdb": [ + "v": "<2.4.0" + }, { - "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.", - "cve": "PVE-2021-37264", - "id": "pyup.io-37264", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29589", + "id": "pyup.io-44296", "specs": [ - "<0.3.2" + "<2.4.0" ], - "v": "<0.3.2" - } - ], - "codalab": [ + "v": "<2.4.0" + }, { - "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.", - "cve": "PVE-2021-36386", - "id": "pyup.io-36386", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29590", + "id": "pyup.io-44297", "specs": [ - "<0.2.33" + "<2.4.0" ], - "v": "<0.2.33" + "v": "<2.4.0" }, { - "advisory": "Codalab 0.5.12 fixes a vulnerability. 
No description of the vulnerability was included.", - "cve": "PVE-2021-38927", - "id": "pyup.io-38927", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29591", + "id": "pyup.io-44298", "specs": [ - "<0.5.12" + "<2.4.0" ], - "v": "<0.5.12" + "v": "<2.4.0" }, { - "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).", - "cve": "PVE-2021-39434", - "id": "pyup.io-39434", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29592", + "id": "pyup.io-44299", "specs": [ - "<0.5.33" + "<2.4.0" ], - "v": "<0.5.33" - } - ], - "code42cli": [ + "v": "<2.4.0" + }, { - "advisory": "Code42cli 1.3.0 starts to support a secure transporting of data with the TLS-TCP protocol.", - "cve": "PVE-2021-42534", - "id": "pyup.io-42534", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29593", + "id": "pyup.io-44300", "specs": [ - "<1.3.0" + "<2.4.0" ], - "v": "<1.3.0" - } - ], - "codecov": [ + "v": "<2.4.0" + }, { - "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.", - "cve": "PVE-2021-37934", - "id": "pyup.io-37934", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29583", + "id": "pyup.io-44290", "specs": [ - "<2.0.16" + "<2.4.0" ], - "v": "<2.0.16" + "v": "<2.4.0" }, { - "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.", - "cve": "PVE-2021-38075", - "id": "pyup.io-38075", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29594", + "id": "pyup.io-44301", "specs": [ - "<2.0.17" + "<2.4.0" ], - "v": "<2.0.17" - } - ], - "codeforcesapipy": [ + "v": "<2.4.0" + }, { - "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.", - "cve": "CVE-2021-28957", - "id": "pyup.io-40099", + 
"advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29595", + "id": "pyup.io-44302", "specs": [ - "<2.0.8" + "<2.4.0" ], - "v": "<2.0.8" - } - ], - "cohen3": [ + "v": "<2.4.0" + }, { - "advisory": "Cohen3 version 0.8.3 updates its dependency \"requests\" to include a security fix.", - "cve": "CVE-2018-18074", - "id": "pyup.io-42040", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29596", + "id": "pyup.io-44303", "specs": [ - "<0.8.3" + "<2.4.0" ], - "v": "<0.8.3" + "v": "<2.4.0" }, { - "advisory": "Cohen3 version 0.9.1 updates its dependency \"urlib3\" to v1.24.2 to include a security fix.", - "cve": "CVE-2019-11324", - "id": "pyup.io-42039", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29597", + "id": "pyup.io-44304", "specs": [ - "<0.9.1" + "<2.4.0" ], - "v": "<0.9.1" - } - ], - "coinbasepro": [ + "v": "<2.4.0" + }, { - "advisory": "Coinbasepro 0.1.0 updates requests version to >=2.20.0 to address a security vulnerability.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36975", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29598", + "id": "pyup.io-44305", "specs": [ - "<0.1.0" + "<2.4.0" ], - "v": "<0.1.0" - } - ], - "coincurve": [ + "v": "<2.4.0" + }, { - "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. 
\r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.", - "cve": "PVE-2021-36299", - "id": "pyup.io-36299", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29599", + "id": "pyup.io-44306", "specs": [ - "<8.0.0" + "<2.4.0" ], - "v": "<8.0.0" - } - ], - "coinstac": [ + "v": "<2.4.0" + }, { - "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.", - "cve": "PVE-2021-40091", - "id": "pyup.io-40091", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29600", + "id": "pyup.io-44307", "specs": [ - "<5.2.1" + "<2.4.0" ], - "v": "<5.2.1" - } - ], - "colander": [ + "v": "<2.4.0" + }, { - "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n catastrophic backtracking that would have led to an infinite loop.", - "cve": "PVE-2021-36856", - "id": "pyup.io-36856", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29601", + "id": "pyup.io-44308", "specs": [ - "<1.7.0" + "<2.4.0" ], - "v": "<1.7.0" + "v": "<2.4.0" }, { - "advisory": "In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.", - "cve": "CVE-2017-18361", - "id": "pyup.io-42247", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29602", + "id": "pyup.io-44309", "specs": [ - "<=1.6" + "<2.4.0" ], - "v": "<=1.6" - } - ], - "collective-contact-core": [ + "v": "<2.4.0" + }, { - "advisory": "collective-contact-core before 1.10", - "cve": "PVE-2021-36089", - "id": "pyup.io-36089", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29603", + "id": "pyup.io-44310", "specs": [ - "<1.10" + "<2.4.0" ], - "v": "<1.10" 
- } - ], - "collective-easyform": [ + "v": "<2.4.0" + }, { - "advisory": "Collective-easyform version 3.0.5 doesn't resolves entities in the modeleditor and removes processing instructions (commit #254).", - "cve": "PVE-2021-41911", - "id": "pyup.io-41911", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29604", + "id": "pyup.io-44311", "specs": [ - "<3.0.5" + "<2.4.0" ], - "v": "<3.0.5" - } - ], - "collective-indexing": [ + "v": "<2.4.0" + }, { - "advisory": "Collective-indexing version 2.1 includes a fix that prevents out-of-sync security indexes on Solr. Now, reindexObjectSecurity operations are handled by the queue.\r\nhttps://github.com/plone/collective.indexing/pull/17", - "cve": "PVE-2021-41879", - "id": "pyup.io-41879", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29605", + "id": "pyup.io-44312", "specs": [ - "<2.1" + "<2.4.0" ], - "v": "<2.1" - } - ], - "collective-noticeboard": [ + "v": "<2.4.0" + }, { - "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.", - "cve": "PVE-2021-35879", - "id": "pyup.io-35879", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29606", + "id": "pyup.io-44313", "specs": [ - "<0.7.1" + "<2.4.0" ], - "v": "<0.7.1" - } - ], - "collective.contact.core": [ + "v": "<2.4.0" + }, { - "advisory": "Collective.contact.core 1.10 fixes a security issue related to AddContact. The vulnerability was found in its dependency Plone CMS. 
See CVE-2016-7138.\r\nhttps://github.com/collective/collective.contact.core/pull/25", - "cve": "CVE-2016-7138", - "id": "pyup.io-25657", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29607", + "id": "pyup.io-44314", "specs": [ - "<1.10" + "<2.4.0" ], - "v": "<1.10" - } - ], - "collective.documentviewer": [ + "v": "<2.4.0" + }, { - "advisory": "Collective.documentviewer 1.5.1 fixes a security issue on file resources permissions.\r\nhttps://github.com/collective/collective.documentviewer/commit/7222b0d30b1976d3f6773553bd6948c39efcbc20", - "cve": "PVE-2021-25658", - "id": "pyup.io-25658", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29608", + "id": "pyup.io-44315", "specs": [ - "<1.5.1" + "<2.4.0" ], - "v": "<1.5.1" - } - ], - "collective.easyform": [ + "v": "<2.4.0" + }, { - "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves entities, and it removes processing instructions. 
This increases the security.", - "cve": "PVE-2021-39144", - "id": "pyup.io-39144", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29609", + "id": "pyup.io-44316", "specs": [ - "<3.0.5" + "<2.4.0" ], - "v": "<3.0.5" - } - ], - "collective.js.datatables": [ + "v": "<2.4.0" + }, { - "advisory": "Collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.", - "cve": "CVE-2015-6384", - "id": "pyup.io-25659", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29610", + "id": "pyup.io-44317", "specs": [ - "<4.1.1" + "<2.4.0" ], - "v": "<4.1.1" - } - ], - "collective.noticeboard": [ + "v": "<2.4.0" + }, { - "advisory": "Collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.", - "cve": "PVE-2021-25660", - "id": "pyup.io-25660", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29611", + "id": "pyup.io-44318", "specs": [ - "<0.7.1" + "<2.4.0" ], - "v": "<0.7.1" - } - ], - "collective.portlet.twitter": [ + "v": "<2.4.0" + }, { - "advisory": "Collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.\r\nhttps://github.com/collective/collective.portlet.twitter/pull/2", - "cve": "PVE-2021-25661", - "id": "pyup.io-25661", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29612", + "id": "pyup.io-44319", "specs": [ - "<1.0b3" + "<2.4.0" ], - "v": "<1.0b3" - } - ], - "collective.tablepage": [ + "v": "<2.4.0" + }, { - "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.", - "cve": "PVE-2021-25664", - "id": "pyup.io-25664", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": 
"CVE-2021-29613", + "id": "pyup.io-44320", "specs": [ - "<0.3" + "<2.4.0" ], - "v": "<0.3" - } - ], - "collective.xmpp.chat": [ + "v": "<2.4.0" + }, { - "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.", - "cve": "PVE-2021-25666", - "id": "pyup.io-25666", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29614", + "id": "pyup.io-44321", "specs": [ - "<0.3.1" + "<2.4.0" ], - "v": "<0.3.1" - } - ], - "collins-client": [ + "v": "<2.4.0" + }, { - "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure. If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission. 
We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set. Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.", - "cve": "PVE-2021-25667", - "id": "pyup.io-25667", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29615", + "id": "pyup.io-44322", "specs": [ - "<2.1.0" + "<2.4.0" ], - "v": "<2.1.0" - } - ], - "colonyscanalyser": [ + "v": "<2.4.0" + }, { - "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.", - "cve": "PVE-2021-37635", - "id": "pyup.io-37635", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29616", + "id": "pyup.io-44323", "specs": [ - "<0.2.0" + "<2.4.0" ], - "v": "<0.2.0" - } - ], - "compliance-trestle": [ + "v": "<2.4.0" + }, { - "advisory": "Compliance-trestle 0.15.0 upgrades the 'pydantic' to 1.8.2 for an security issue.", - "cve": "PVE-2021-40566", - "id": "pyup.io-40566", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29617", + "id": "pyup.io-44324", "specs": [ - "<0.15.0" + "<2.4.0" ], - "v": "<0.15.0" + "v": "<2.4.0" }, { - "advisory": "Compliance-trestle 0.26.0 removes user names from logs.\r\nhttps://github.com/IBM/compliance-trestle/commit/4d075b89776552a1f58751674e2056ac7afac3cc", - "cve": "PVE-2021-42185", - "id": "pyup.io-42185", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29618", + "id": "pyup.io-44325", "specs": [ - "<0.26.0" + "<2.4.0" ], - "v": "<0.26.0" - } - ], - "concrete-datastore": [ + "v": "<2.4.0" + }, { - "advisory": "Concrete-datastore 1.22.0 adds useful checks to the url_format to avoid template injections.", - "cve": "PVE-2021-39449", - "id": "pyup.io-39449", + "advisory": "Chia 
2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29619", + "id": "pyup.io-44326", "specs": [ - "<1.22.0" + "<2.4.0" ], - "v": "<1.22.0" + "v": "<2.4.0" }, { - "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.", - "cve": "PVE-2021-39709", - "id": "pyup.io-39709", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37636", + "id": "pyup.io-44328", "specs": [ - "<1.23.0" + "<2.4.0" ], - "v": "<1.23.0" - } - ], - "conference-scheduler-cli": [ + "v": "<2.4.0" + }, { - "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.", - "cve": "CVE-2018-14572", - "id": "pyup.io-36425", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37637", + "id": "pyup.io-44329", "specs": [ - "<=0.10.1" + "<2.4.0" ], - "v": "<=0.10.1" - } - ], - "confidant": [ + "v": "<2.4.0" + }, { - "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. 
Also, any tokens that are expired will now correctly fail to authenticate.", - "cve": "PVE-2021-26670", - "id": "pyup.io-26670", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37638", + "id": "pyup.io-44330", "specs": [ - "<1.1.13" + "<2.4.0" ], - "v": "<1.1.13" + "v": "<2.4.0" }, { - "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.", - "cve": "PVE-2021-25668", - "id": "pyup.io-25668", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37635", + "id": "pyup.io-44327", "specs": [ - "<1.1.14" + "<2.4.0" ], - "v": "<1.1.14" + "v": "<2.4.0" }, { - "advisory": "Confidant v1.10.0 upgrades gevent and greenlet to address CVE-2016-5180 and gevent/gevent#477.", - "cve": "CVE-2016-5180", - "id": "pyup.io-38504", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37640", + "id": "pyup.io-44332", "specs": [ - "<1.10.0" + "<2.4.0" ], - "v": "<1.10.0" + "v": "<2.4.0" }, { - "advisory": "Confidant 1.6.0 updates python-saml to address CVE-2016-1000252.", - "cve": "CVE-2016-1000252", - "id": "pyup.io-38505", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37641", + "id": "pyup.io-44333", "specs": [ - "<1.6.0" + "<2.4.0" ], - "v": "<1.6.0" + "v": 
"<2.4.0" }, { - "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.", - "cve": "PVE-2021-37471", - "id": "pyup.io-37471", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37642", + "id": "pyup.io-44334", "specs": [ - "<5.0.0" + "<2.4.0" ], - "v": "<5.0.0" + "v": "<2.4.0" }, { - "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve the security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to periodically be rotated for security purposes.", - "cve": "PVE-2021-38560", - "id": "pyup.io-38560", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37643", + "id": "pyup.io-44335", "specs": [ - "<6.3.0" + "<2.4.0" ], - "v": "<6.3.0" - } - ], - "confidence": [ + "v": "<2.4.0" + }, { - "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. 
\r\nconfidence >=0.4 now uses ``yaml.safe_load``", - "cve": "PVE-2021-36308", - "id": "pyup.io-36308", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37644", + "id": "pyup.io-44336", "specs": [ - "<0.4" + "<2.4.0" ], - "v": "<0.4" - } - ], - "confire": [ + "v": "<2.4.0" + }, { - "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.", - "cve": "CVE-2017-16763", - "id": "pyup.io-35721", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37645", + "id": "pyup.io-44337", "specs": [ - "<=0.2.0" + "<2.4.0" ], - "v": "<=0.2.0" - } - ], - "confluent-kafka": [ + "v": "<2.4.0" + }, { - "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.", - "cve": "PVE-2021-37508", - "id": "pyup.io-37508", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37639", + "id": "pyup.io-44331", "specs": [ - "<1.1.0" + "<2.4.0" ], - "v": "<1.1.0" + "v": "<2.4.0" }, { - "advisory": "Confluent-kafka 1.3.0 includes a fix for CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", - "cve": "CVE-2019-17543", - "id": "pyup.io-38072", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37647", + "id": "pyup.io-44339", "specs": [ - "<1.3.0" + "<2.4.0" ], - "v": "<1.3.0" + "v": "<2.4.0" }, { - "advisory": "Confluent-kafka 1.4.0 includes two security issues in the SASL SCRAM protocol handler:\r\n * The client nonce, which is expected to be a random string, was a static string.\r\n * If `sasl.username` and `sasl.password` contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.", - "cve": "PVE-2021-38165", - "id": "pyup.io-38165", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37648", + "id": "pyup.io-44340", "specs": [ - "<1.4.0" + "<2.4.0" ], - "v": "<1.4.0" - } - ], - "conn-check": [ + "v": "<2.4.0" + }, { - "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.", - "cve": "PVE-2021-25669", - "id": "pyup.io-25669", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37649", + "id": "pyup.io-44341", "specs": [ - "<1.0.18" + "<2.4.0" ], - "v": "<1.0.18" - } - ], - "container-service-extension": [ + "v": "<2.4.0" + }, { - "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching", - "cve": "PVE-2021-36876", - "id": "pyup.io-36876", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37650", + "id": "pyup.io-44342", "specs": [ - "<1.2.5" + "<2.4.0" ], - "v": "<1.2.5" + "v": "<2.4.0" }, { - "advisory": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and 
consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.", - "cve": "CVE-2019-5736", - "id": "pyup.io-37100", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37651", + "id": "pyup.io-44343", "specs": [ - "<1.2.7" + "<2.4.0" ], - "v": "<1.2.7" + "v": "<2.4.0" }, { - "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.", - "cve": "PVE-2021-37529", - "id": "pyup.io-37529", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37646", + "id": "pyup.io-44338", "specs": [ - "<2.5.0b1" + "<2.4.0" ], - "v": "<2.5.0b1" - } - ], - "contentful": [ + "v": "<2.4.0" + }, { - "advisory": "Contentful 1.11.3 updates 'requests' version due to a vulnerability found in versions '2.19' and below.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36633", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37652", + "id": "pyup.io-44344", "specs": [ - "<1.11.3" + "<2.4.0" ], - "v": "<1.11.3" + "v": "<2.4.0" }, { - "advisory": "Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.", - "cve": "CVE-2020-13258", - "id": "pyup.io-38314", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37653", + "id": "pyup.io-44345", "specs": [ - "<=1.12.3" + "<2.4.0" ], - "v": "<=1.12.3" - } - ], - "contentful-management": [ + "v": "<2.4.0" + }, { - "advisory": "Contentful-management 2.5.0 updates 
'requests' version due to a vulnerability found in previous versions.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36599", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37654", + "id": "pyup.io-44346", "specs": [ - "<2.5.0" + "<2.4.0" ], - "v": "<2.5.0" - } - ], - "contestms": [ + "v": "<2.4.0" + }, { - "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. These won't be backported to 1.1, so make sure you update.", - "cve": "PVE-2021-34249", - "id": "pyup.io-34249", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37655", + "id": "pyup.io-44347", "specs": [ - "<1.2.0" + "<2.4.0" ], - "v": "<1.2.0" - } - ], - "cookie-manager": [ + "v": "<2.4.0" + }, { - "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.", - "cve": "PVE-2021-38106", - "id": "pyup.io-38106", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37656", + "id": "pyup.io-44348", "specs": [ - "<1.0.3" + "<2.4.0" ], - "v": "<1.0.3" + "v": "<2.4.0" }, { - "advisory": "Cookie-manager 1.1.0 bumps Bleach to patch a vulnerability.", - "cve": "PVE-2021-38153", - "id": "pyup.io-38153", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37657", + "id": "pyup.io-44349", "specs": [ - "<1.1.0" + "<2.4.0" ], - "v": "<1.1.0" + "v": "<2.4.0" }, { - "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. 
See Bleach 3.3.0 for further details.", - "cve": "PVE-2021-40165", - "id": "pyup.io-40165", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37658", + "id": "pyup.io-44350", "specs": [ - "<1.2.1" + "<2.4.0" ], - "v": "<1.2.1" - } - ], - "cookiecutter": [ + "v": "<2.4.0" + }, { - "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6", - "cve": "PVE-2021-34683", - "id": "pyup.io-34683", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37659", + "id": "pyup.io-44351", "specs": [ - "<0.1.0" + "<2.4.0" ], - "v": "<0.1.0" + "v": "<2.4.0" }, { - "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.", - "cve": "PVE-2021-37672", - "id": "pyup.io-37672", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37660", + "id": "pyup.io-44352", "specs": [ - "<1.1.0" + "<2.4.0" ], - "v": "<1.1.0" - } - ], - "coordination-network-toolkit": [ + "v": "<2.4.0" + }, { - "advisory": "An issue was discovered in urllib3 before 1.26.5. 
When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.", - "cve": "CVE-2021-33503", - "id": "pyup.io-40624", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37661", + "id": "pyup.io-44353", "specs": [ - "<1.0.2" + "<2.4.0" ], - "v": "<1.0.2" - } - ], - "copyparty": [ + "v": "<2.4.0" + }, { - "advisory": "The maintainers of Copyparty report that they \"hopefully\" have fixed a bug in version 0.12.3 where malicious POSTs through an nginx reverse-proxy could put the connection in a bad state, causing the next legit request to fail with bad headers", - "cve": "PVE-2021-41050", - "id": "pyup.io-41050", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37662", + "id": "pyup.io-44354", "specs": [ - "<0.12.3" + "<2.4.0" ], - "v": "<0.12.3" - } - ], - "cortex": [ + "v": "<2.4.0" + }, { - "advisory": "cortex before 0.32.0", - "cve": "PVE-2021-40128", - "id": "pyup.io-40128", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37663", + "id": "pyup.io-44355", "specs": [ - "<0.32.0" + "<2.4.0" ], - "v": "<0.32.0" - } - ], - "cosmos-wfm": [ + "v": "<2.4.0" + }, { - "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", - "cve": "PVE-2021-34181", - "id": "pyup.io-34181", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37665", + "id": "pyup.io-44357", "specs": [ - "<2.1.1" + "<2.4.0" ], - "v": "<2.1.1" - } - ], - "coveralls": [ + "v": "<2.4.0" + }, { - "advisory": "coveralls 
0.1.1 removes repo_token from verbose output for security reasons.", - "cve": "PVE-2021-25671", - "id": "pyup.io-25671", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37666", + "id": "pyup.io-44358", "specs": [ - "<0.1.1" + "<2.4.0" ], - "v": "<0.1.1" - } - ], - "covert": [ + "v": "<2.4.0" + }, { - "advisory": "Covert 0.2.1 ensures that all authentication tokens are unique, also for repeated public keys.\r\nhttps://github.com/covert-encryption/covert/commit/1a40aa80bb9f0401e2eb59d93df5e531c4ec1623", - "cve": "PVE-2021-42679", - "id": "pyup.io-42679", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37667", + "id": "pyup.io-44359", "specs": [ - "<0.2.1" + "<2.4.0" ], - "v": "<0.2.1" - } - ], - "cplay-ng": [ + "v": "<2.4.0" + }, { - "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.", - "cve": "PVE-2021-25672", - "id": "pyup.io-25672", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37664", + "id": "pyup.io-44356", "specs": [ - "<1.50" + "<2.4.0" ], - "v": "<1.50" - } - ], - "crate-docs-theme": [ + "v": "<2.4.0" + }, { - "advisory": "Crate-docs-theme 0.13.0 updates/removes Bootstrap and jQuery packages (nine vulnerabilities detected).", - "cve": "PVE-2021-39529", - "id": "pyup.io-39529", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37668", + "id": "pyup.io-44360", "specs": [ - "<0.13.0" + "<2.4.0" ], - "v": "<0.13.0" - } - ], - "creavel": [ + "v": "<2.4.0" + }, { - "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": "PVE-2021-25673", - "id": "pyup.io-25673", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37669", + "id": "pyup.io-44361", "specs": [ - "<0.11.0" + "<2.4.0" ], - "v": "<0.11.0" + "v": "<2.4.0" }, { - 
"advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.", - "cve": "PVE-2021-25674", - "id": "pyup.io-25674", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37670", + "id": "pyup.io-44362", "specs": [ - "<0.14.0" + "<2.4.0" ], - "v": "<0.14.0" - } - ], - "credstash": [ + "v": "<2.4.0" + }, { - "advisory": "Credstash 1.16.0 updates its dependency pyyaml to a version >=4.2b1 to include a security fix.", - "cve": "CVE-2017-18342", - "id": "pyup.io-37852", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37671", + "id": "pyup.io-44363", "specs": [ - "<1.16.0" + "<2.4.0" ], - "v": "<1.16.0" - } - ], - "creopyson": [ + "v": "<2.4.0" + }, { - "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.", - "cve": "PVE-2021-37964", - "id": "pyup.io-37964", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37673", + "id": "pyup.io-44365", "specs": [ - "<0.4.2" + "<2.4.0" ], - "v": "<0.4.2" - } - ], - "cromwell-tools": [ + "v": "<2.4.0" + }, { - "advisory": "Cromwell-tools 1.0.0 updates requests to v2.20.0 to avoid security issues.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36659", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37674", + "id": "pyup.io-44366", "specs": [ - "<1.0.0" + "<2.4.0" ], - "v": "<1.0.0" - } - ], - "crossbar": [ + "v": "<2.4.0" + }, { - "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", - "cve": "PVE-2021-25675", - "id": "pyup.io-25675", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37675", + "id": "pyup.io-44367", "specs": [ - "<0.15.0" + "<2.4.0" ], - "v": "<0.15.0" + "v": "<2.4.0" }, { - "advisory": 
"crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.", - "cve": "PVE-2021-25676", - "id": "pyup.io-25676", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37676", + "id": "pyup.io-44368", "specs": [ - "<0.6.4" + "<2.4.0" ], - "v": "<0.6.4" + "v": "<2.4.0" }, { - "advisory": "Crossbar 20.12.3 fixes a dependency on Autobahn v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.", - "cve": "PVE-2021-39329", - "id": "pyup.io-39329", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37677", + "id": "pyup.io-44369", "specs": [ - "<20.12.3" + "<2.4.0" ], - "v": "<20.12.3" - } - ], - "croud": [ + "v": "<2.4.0" + }, { - "advisory": "Croud 0.3.0 includes a fix for CVE-2017-18342, an arbitrary code execution vulnerability in yaml.load().\r\nhttps://github.com/crate/croud/commit/821f2ba47285f5b5ad3e2e2782c44f867da931ee", - "cve": "CVE-2017-18342", - "id": "pyup.io-42353", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37678", + "id": "pyup.io-44370", "specs": [ - "<0.3.0" + "<2.4.0" ], - "v": "<0.3.0" - } - ], - "crypt": [ + "v": "<2.4.0" + }, { - "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": "PVE-2021-34981", - "id": "pyup.io-34981", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37679", + "id": "pyup.io-44371", "specs": [ - ">0", - "<0" + "<2.4.0" ], - "v": ">0,<0" - } - ], - "cryptacular": [ + "v": "<2.4.0" + }, { - "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a 
cleartext password by leveraging knowledge of a password hash.", - "cve": "CVE-2011-2483", - "id": "pyup.io-42230", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37680", + "id": "pyup.io-44372", "specs": [ - "<1.2" + "<2.4.0" ], - "v": "<1.2" + "v": "<2.4.0" }, { - "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", - "cve": "PVE-2021-25677", - "id": "pyup.io-25677", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37681", + "id": "pyup.io-44373", "specs": [ - "<1.2" + "<2.4.0" ], - "v": "<1.2" - } - ], - "crypto-candlesticks": [ + "v": "<2.4.0" + }, { - "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.", - "cve": "PVE-2021-39697", - "id": "pyup.io-39697", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37682", + "id": "pyup.io-44374", "specs": [ - "<0.1.5" + "<2.4.0" ], - "v": "<0.1.5" - } - ], - "cryptography": [ + "v": "<2.4.0" + }, { - "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", - "cve": "PVE-2021-25678", - "id": "pyup.io-25678", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37683", + "id": "pyup.io-44375", "specs": [ - "<0.9.1" + "<2.4.0" ], - "v": "<0.9.1" + "v": "<2.4.0" }, { - "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. 
However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", - "cve": "PVE-2021-25679", - "id": "pyup.io-25679", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37672", + "id": "pyup.io-44364", "specs": [ - "<1.0.2" + "<2.4.0" ], - "v": "<1.0.2" + "v": "<2.4.0" }, { - "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.", - "cve": "CVE-2016-9243", - "id": "pyup.io-25680", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37684", + "id": "pyup.io-44376", "specs": [ - "<1.5.3" + "<2.4.0" ], - "v": "<1.5.3" + "v": "<2.4.0" }, { - "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.", - "cve": "PVE-2021-39252", - "id": "pyup.io-39252", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37685", + "id": "pyup.io-44377", "specs": [ - "<3.3" + "<2.4.0" ], - "v": "<3.3" + "v": "<2.4.0" }, { - "advisory": "In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. 
See: CVE-2020-36242.", - "cve": "CVE-2020-36242", - "id": "pyup.io-39606", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37686", + "id": "pyup.io-44378", "specs": [ - "<3.3.2" + "<2.4.0" ], - "v": "<3.3.2" + "v": "<2.4.0" }, { - "advisory": "Cryptography 3.2 was released with the warning that its maintainers became aware of a Bleichenbacher vulnerability that they were only partly able to mitigate. See: CVE-2020-25659.", - "cve": "CVE-2020-25659", - "id": "pyup.io-38932", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37687", + "id": "pyup.io-44379", "specs": [ - "<=3.2" + "<2.4.0" ], - "v": "<=3.2" + "v": "<2.4.0" }, { - "advisory": "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903.", - "cve": "CVE-2018-10903", - "id": "pyup.io-36351", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37688", + "id": "pyup.io-44380", "specs": [ - ">=1.9.0,<2.3" + "<2.4.0" ], - "v": ">=1.9.0,<2.3" - } - ], - "cryptography-vectors": [ + "v": "<2.4.0" + }, { - "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. 
Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", - "cve": "PVE-2021-25681", - "id": "pyup.io-25681", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37689", + "id": "pyup.io-44381", "specs": [ - "<0.9.1" + "<2.4.0" ], - "v": "<0.9.1" + "v": "<2.4.0" }, { - "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", - "cve": "PVE-2021-25682", - "id": "pyup.io-25682", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37690", + "id": "pyup.io-44382", "specs": [ - "<1.0.2" + "<2.4.0" ], - "v": "<1.0.2" + "v": "<2.4.0" }, { - "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.", - "cve": "CVE-2016-9243", - "id": "pyup.io-25683", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-37691", + "id": "pyup.io-44383", "specs": [ - "<1.5.3" + "<2.4.0" ], - "v": "<1.5.3" - } - ], - "cssutils": [ + "v": "<2.4.0" + }, { - "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)", - "cve": "PVE-2021-25684", - "id": "pyup.io-25684", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to 
include security fixes.", + "cve": "CVE-2019-20838", + "id": "pyup.io-41298", "specs": [ - "<0.9.6a2" + "<2.4.0" ], - "v": "<0.9.6a2" - } - ], - "cstar": [ + "v": "<2.4.0" + }, { - "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). See: .", - "cve": "PVE-2021-39224", - "id": "pyup.io-39224", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-13790", + "id": "pyup.io-44174", "specs": [ - "<0.5.0" + "<2.4.0" ], - "v": "<0.5.0" - } - ], - "cumin": [ + "v": "<2.4.0" + }, { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.", - "cve": "CVE-2012-1575", - "id": "pyup.io-35357", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-14155", + "id": "pyup.io-44175", "specs": [ - "=0.56.1, to avoid a security vulnerability.", - "cve": "PVE-2021-40620", - "id": "pyup.io-40620", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-15212", + "id": "pyup.io-44198", "specs": [ - "<0.4.1" + "<2.4.0" ], - "v": "<0.4.1" - } - ], - "datasette-css-properties": [ + "v": "<2.4.0" + }, { - "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML which could be an XSS security hole.\r\nhttps://github.com/simonw/datasette-css-properties/commit/faf181430667af0e4f4954163fefcc32e8fdbd9c", - "cve": "PVE-2021-39422", - "id": "pyup.io-39422", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-15213", + "id": "pyup.io-44199", "specs": [ - "<0.2" + "<2.4.0" ], - "v": "<0.2" - } - ], - "datasette-graphql": [ + "v": "<2.4.0" + }, { - "advisory": "Satasette-graphql before 1.2 included a plugin that could 
expose schema details of databases that should not be visible, though not their actual row content. See: .", - "cve": "PVE-2021-39174", - "id": "pyup.io-39174", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-15214", + "id": "pyup.io-44200", "specs": [ - "<1.2" + "<2.4.0" ], - "v": "<1.2" - } - ], - "datasette-indieauth": [ + "v": "<2.4.0" + }, { - "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.", - "cve": "PVE-2021-39164", - "id": "pyup.io-39164", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-15265", + "id": "pyup.io-44201", "specs": [ - "<1.1" + "<2.4.0" ], - "v": "<1.1" - } - ], - "datasette-insert": [ + "v": "<2.4.0" + }, { - "advisory": "Datasette-insert 0.6 is locked down by default. This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.", - "cve": "PVE-2021-38644", - "id": "pyup.io-38644", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-15266", + "id": "pyup.io-44202", "specs": [ - "<0.6" + "<2.4.0" ], - "v": "<0.6" - } - ], - "datasette-query-links": [ + "v": "<2.4.0" + }, { - "advisory": "Datasette-query-links 0.1.1 fixes an XSS security bug.\r\nhttps://github.com/simonw/datasette-query-links/issues/2", - "cve": "PVE-2021-41092", - "id": "pyup.io-41092", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-15358", + "id": "pyup.io-44203", "specs": [ - "<0.1.1" + "<2.4.0" ], - "v": "<0.1.1" - } - ], - "datasette-seaborn": [ + "v": "<2.4.0" + }, { - "advisory": "The maintainers or the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.", - "cve": "PVE-2021-38782", - "id": "pyup.io-38782", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security 
fixes.", + "cve": "CVE-2020-26266", + "id": "pyup.io-44204", "specs": [ - "==0.1a0" + "<2.4.0" ], - "v": "==0.1a0" - } - ], - "dateable-chronos": [ + "v": "<2.4.0" + }, { - "advisory": "Dateable-chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", - "cve": "PVE-2021-35988", - "id": "pyup.io-35988", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-26267", + "id": "pyup.io-44205", "specs": [ - "<0.8" + "<2.4.0" ], - "v": "<0.8" - } - ], - "dateable.chronos": [ + "v": "<2.4.0" + }, { - "advisory": "Dateable.chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", - "cve": "PVE-2021-25685", - "id": "pyup.io-25685", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-26268", + "id": "pyup.io-44206", "specs": [ - "<0.8" + "<2.4.0" ], - "v": "<0.8" - } - ], - "datera-cinder": [ + "v": "<2.4.0" + }, { - "advisory": "Datera-cinder 2018.10.30.0 updates the required 'requests' version to >=2.20.0 to include a fix for CVE-2018-18074.", - "cve": "CVE-2018-18074", - "id": "pyup.io-37204", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-26270", + "id": "pyup.io-44207", "specs": [ - "<2018.10.30.0" + "<2.4.0" ], - "v": "<2018.10.30.0" - } - ], - "datumaro": [ + "v": "<2.4.0" + }, { - "advisory": "Datumaro version 0.1.10 includes a fix for an arbitrary code execution vulnerability: Cifar implementation is based on pickle, which can run arbitrary code on unpickling.\r\nhttps://github.com/openvinotoolkit/datumaro/issues/327", - "cve": "PVE-2021-41817", - "id": "pyup.io-41817", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": 
"CVE-2020-26271", + "id": "pyup.io-44208", "specs": [ - "<0.1.10" + "<2.4.0" ], - "v": "<0.1.10" - } - ], - "dawgie": [ + "v": "<2.4.0" + }, { - "advisory": "Dawgie 1.2.3 includes a vulnerability fix.", - "cve": "PVE-2021-40122", - "id": "pyup.io-40122", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-8169", + "id": "pyup.io-44209", "specs": [ - "<1.2.3" + "<2.4.0" ], - "v": "<1.2.3" + "v": "<2.4.0" }, { - "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.", - "cve": "PVE-2021-40121", - "id": "pyup.io-40121", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-8177", + "id": "pyup.io-44210", "specs": [ - "<1.2.9" + "<2.4.0" ], - "v": "<1.2.9" - } - ], - "dbcat": [ + "v": "<2.4.0" + }, { - "advisory": "Dbcat 0.3.1 updates its dependency 'cryptography' to v3.4.4 to include a security fix.", - "cve": "CVE-2020-36242", - "id": "pyup.io-42696", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-8231", + "id": "pyup.io-44211", "specs": [ - "<0.3.1" + "<2.4.0" ], - "v": "<0.3.1" - } - ], - "dbt-core": [ + "v": "<2.4.0" + }, { - "advisory": "Dbt-core 0.20.0rc1 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", - "cve": "CVE-2020-28493", - "id": "pyup.io-42229", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-8286", + "id": "pyup.io-44213", "specs": [ - "<0.20.0rc1" + "<2.4.0" ], - "v": "<0.20.0rc1" - } - ], - "dbtos3": [ + "v": "<2.4.0" + }, { - "advisory": "Dbtos3 version 0.0.2a0 includes security fixes related to dependencies' updates.", - "cve": "PVE-2021-42017", - "id": "pyup.io-42017", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2020-8284", + "id": "pyup.io-44212", "specs": [ - "<0.0.2a0" + "<2.4.0" ], - "v": "<0.0.2a0" - } - ], - "ddtrace": [ + "v": "<2.4.0" + }, { 
- "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.", - "cve": "PVE-2021-35790", - "id": "pyup.io-35790", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-22876", + "id": "pyup.io-44214", "specs": [ - "<0.11.0" + "<2.4.0" ], - "v": "<0.11.0" - } - ], - "debianized-jupyterhub": [ + "v": "<2.4.0" + }, { - "advisory": "debianized-jupyterhub 0.9.51 updates to release 0.9.5 + NB 5.7.7 (fix for Open Redirect vulnerability)", - "cve": "PVE-2021-37002", - "id": "pyup.io-37002", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-22897", + "id": "pyup.io-44215", "specs": [ - "<0.9.51" + "<2.4.0" ], - "v": "<0.9.51" - } - ], - "debops": [ + "v": "<2.4.0" + }, { - "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.", - "cve": "PVE-2021-36371", - "id": "pyup.io-36371", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-22898", + "id": "pyup.io-44216", "specs": [ - "<0.8.0" + "<2.4.0" ], - "v": "<0.8.0" + "v": "<2.4.0" }, { - "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. 
Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: .", - "cve": "PVE-2021-37159", - "id": "pyup.io-37159", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-22901", + "id": "pyup.io-44217", "specs": [ - "<1.0.0" + "<2.4.0" ], - "v": "<1.0.0" + "v": "<2.4.0" }, { - "advisory": "The :command:\"lxc-prepare-ssh\" script in debops 1.1.0 will no longer install SSH keys from the LXC host \"root\" account on the LXC container \"root\" account. 
That could cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.\r\nhttps://github.com/debops/debops/commit/6dd088e413ef4c5dac23d94bb338ae19398985e2", - "cve": "PVE-2021-37404", - "id": "pyup.io-37404", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29513", + "id": "pyup.io-44218", "specs": [ - "<1.1.0" + "<2.4.0" ], - "v": "<1.1.0" + "v": "<2.4.0" }, { - "advisory": "Debops 1.2.0 includes a security patch for CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.", - "cve": "CVE-2019-11043", - "id": "pyup.io-37733", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29514", + "id": "pyup.io-44219", "specs": [ - "<1.2.0" + "<2.4.0" ], - "v": "<1.2.0" + "v": "<2.4.0" }, { - "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. 
The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", - "cve": "PVE-2021-37732", - "id": "pyup.io-37732", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29515", + "id": "pyup.io-44220", "specs": [ - "<1.7.0" + "<2.4.0" ], - "v": "<1.7.0" + "v": "<2.4.0" }, { - "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", - "cve": "PVE-2021-26403", - "id": "pyup.io-26403", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29516", + "id": "pyup.io-44221", "specs": [ - "<2.0.0" + "<2.4.0" ], - "v": "<2.0.0" - } - ], - "decaptcha": [ + "v": "<2.4.0" + }, { - "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0", - "cve": "PVE-2021-37892", - "id": "pyup.io-37892", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29517", + "id": "pyup.io-44222", "specs": [ - "<1.0.0" + "<2.4.0" ], - "v": "<1.0.0" + "v": "<2.4.0" }, { - "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0", - "cve": "PVE-2021-37891", - "id": "pyup.io-37891", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29518", + "id": "pyup.io-44223", "specs": [ - "<1.0.1" + "<2.4.0" ], - "v": "<1.0.1" - } - ], - "deeposlandia": [ + "v": "<2.4.0" + }, { - "advisory": "Deeposlandia 0.6 updates its dependencies, especially `Tensorflow`, due to vulnerability issues.", - "cve": "PVE-2021-38133", - "id": "pyup.io-38133", + "advisory": 
"Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29519", + "id": "pyup.io-44224", "specs": [ - "<0.6" + "<2.4.0" ], - "v": "<0.6" + "v": "<2.4.0" }, { - "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to fix a moderate-severity vulnerability in pillow <6.2.2.", - "cve": "PVE-2021-38285", - "id": "pyup.io-38285", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29520", + "id": "pyup.io-44225", "specs": [ - "<0.6.2" + "<2.4.0" ], - "v": "<0.6.2" - } - ], - "definitions": [ + "v": "<2.4.0" + }, { - "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.", - "cve": "CVE-2018-20325", - "id": "pyup.io-36752", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29521", + "id": "pyup.io-44226", "specs": [ - "<=0.2.0" + "<2.4.0" ], - "v": "<=0.2.0" - } - ], - "defusedexpat": [ + "v": "<2.4.0" + }, { - "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", - "cve": "CVE-2013-1664", - "id": "pyup.io-33054", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29522", + "id": "pyup.io-44227", "specs": [ - "<0.3" + "<2.4.0" ], - "v": "<0.3" + "v": "<2.4.0" }, { - "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, 
aka an XML External Entity (XXE) attack.", - "cve": "CVE-2013-1665", - "id": "pyup.io-33055", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29523", + "id": "pyup.io-44228", "specs": [ - "<0.3" + "<2.4.0" ], - "v": "<0.3" - } - ], - "defusedxml": [ + "v": "<2.4.0" + }, { - "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", - "cve": "CVE-2013-1664", - "id": "pyup.io-33056", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29524", + "id": "pyup.io-44229", "specs": [ - "<0.4" + "<2.4.0" ], - "v": "<0.4" + "v": "<2.4.0" }, { - "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", - "cve": "CVE-2013-1665", - "id": "pyup.io-33057", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29525", + "id": "pyup.io-44230", "specs": [ - "<0.4" + "<2.4.0" ], - "v": "<0.4" - } - ], - "deis": [ + "v": "<2.4.0" + }, { - "advisory": "Deis 1.4.0 disables SSLv3 in its router module to handle CVE-2014-3566.\r\nhttps://github.com/deis/deis/commit/93bb0fd9cb33e5b8bdcfdc277d15d61b938a88d4", - "cve": "CVE-2014-3566", - "id": "pyup.io-25691", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29526", + "id": "pyup.io-44231", "specs": [ - "<1.4.0" + "<2.4.0" ], - "v": "<1.4.0" - } - ], - "deltachat": [ + "v": "<2.4.0" + }, 
{ - "advisory": "Deltachat 1.0.0b17 fixes SQL/injection malformed Chat-Group-Name breakage.", - "cve": "PVE-2021-40086", - "id": "pyup.io-40086", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29527", + "id": "pyup.io-44232", "specs": [ - "<1.0.0b17" + "<2.4.0" ], - "v": "<1.0.0b17" + "v": "<2.4.0" }, { - "advisory": "deltachat 1.0.0beta.2 has several security fixes", - "cve": "PVE-2021-37922", - "id": "pyup.io-37922", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29528", + "id": "pyup.io-44233", "specs": [ - "<1.0.0beta.2" + "<2.4.0" ], - "v": "<1.0.0beta.2" + "v": "<2.4.0" }, { - "advisory": "Deltachat 1.51.0 improves and harden secure join feature.", - "cve": "PVE-2021-40084", - "id": "pyup.io-40084", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29529", + "id": "pyup.io-44234", "specs": [ - "<1.51.0" + "<2.4.0" ], - "v": "<1.51.0" - } - ], - "deluge": [ + "v": "<2.4.0" + }, { - "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.", - "cve": "PVE-2021-37155", - "id": "pyup.io-37155", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29530", + "id": "pyup.io-44235", "specs": [ - "<2.0.0" + "<2.4.0" ], - "v": "<2.0.0" - } - ], - "descarteslabs": [ + "v": "<2.4.0" + }, { - "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.", - "cve": "PVE-2021-40827", - "id": "pyup.io-40827", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29531", + "id": "pyup.io-44236", "specs": [ - "<1.8.1" + "<2.4.0" ], - "v": "<1.8.1" - } - ], - "destringcare": [ + "v": "<2.4.0" + }, { - "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.", - "cve": "CVE-2013-7459", - "id": 
"pyup.io-37228", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29532", + "id": "pyup.io-44237", "specs": [ - "<0.0.4" + "<2.4.0" ], - "v": "<0.0.4" + "v": "<2.4.0" }, { - "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.", - "cve": "CVE-2018-6594", - "id": "pyup.io-42205", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29533", + "id": "pyup.io-44238", "specs": [ - "<0.0.4" + "<2.4.0" ], - "v": "<0.0.4" - } - ], - "determined": [ + "v": "<2.4.0" + }, { - "advisory": "Determined 0.12.12rc0 upgrades lodash to fix a vulnerability.", - "cve": "PVE-2021-38656", - "id": "pyup.io-38656", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29535", + "id": "pyup.io-44240", "specs": [ - "<0.12.12rc0" + "<2.4.0" ], - "v": "<0.12.12rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates link to support secure blank targets (d1146d3).", - "cve": "PVE-2021-38415", - "id": "pyup.io-38415", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29536", + "id": "pyup.io-44241", "specs": [ - "<0.12.7" + "<2.4.0" ], - "v": "<0.12.7" + "v": "<2.4.0" }, { - "advisory": "Determined 0.14.0 updates the 'storybook' dependency to resolve a GitHub security vulnerability for 'highlight.js'.", - "cve": "PVE-2021-39625", - "id": "pyup.io-39625", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29537", + "id": "pyup.io-44242", "specs": [ - "<0.14.0" + "<2.4.0" ], - "v": "<0.14.0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.16.0.dev0 upgrades the 'ws' dependency to patch a security vulnerability.", - "cve": "PVE-2021-40670", - "id": "pyup.io-40670", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include 
security fixes.", + "cve": "CVE-2021-29538", + "id": "pyup.io-44243", "specs": [ - "<0.16.0.dev0" + "<2.4.0" ], - "v": "<0.16.0.dev0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.16.4 includes a fix to prevent log html injection via unicode.", - "cve": "PVE-2021-41255", - "id": "pyup.io-41255", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29539", + "id": "pyup.io-44244", "specs": [ - "<0.16.4" + "<2.4.0" ], - "v": "<0.16.4" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to get better security upgrades.\r\nhttps://github.com/determined-ai/determined/pull/2914", - "cve": "PVE-2021-42148", - "id": "pyup.io-42148", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29540", + "id": "pyup.io-44245", "specs": [ - "<0.17.0rc0" + "<2.4.0" ], - "v": "<0.17.0rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41196", - "id": "pyup.io-43315", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29541", + "id": "pyup.io-44246", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41203", - "id": "pyup.io-43316", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29542", + "id": "pyup.io-44247", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41200", - "id": "pyup.io-43317", + "advisory": "Chia 2.4.0 updates 
Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29543", + "id": "pyup.io-44248", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41214", - "id": "pyup.io-43319", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29544", + "id": "pyup.io-44249", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41219", - "id": "pyup.io-43320", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29545", + "id": "pyup.io-44250", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41225", - "id": "pyup.io-43321", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29546", + "id": "pyup.io-44251", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41209", - "id": "pyup.io-43325", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29547", + "id": "pyup.io-44252", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41204", - "id": "pyup.io-43327", + "advisory": "Chia 2.4.0 updates 
Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29548", + "id": "pyup.io-44253", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41218", - "id": "pyup.io-43331", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29549", + "id": "pyup.io-44254", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" + "v": "<2.4.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41216", - "id": "pyup.io-43332", + "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", + "cve": "CVE-2021-29534", + "id": "pyup.io-44239", "specs": [ - "<0.17.4rc0" + "<2.4.0" ], - "v": "<0.17.4rc0" - }, + "v": "<2.4.0" + } + ], + "chia-blockchain": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41215", - "id": "pyup.io-43333", + "advisory": "Consideration of the new consensus algorithm in chia-blockchain version 1.0beta19 resulted in a much higher security level against all attacks.", + "cve": "PVE-2021-39444", + "id": "pyup.io-39444", "specs": [ - "<0.17.4rc0" + "<1.0b19" ], - "v": "<0.17.4rc0" + "v": "<1.0b19" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41206", - "id": "pyup.io-43335", + "advisory": "Chia-blockchain 1.0b27 updates its GUI to handle CVE-2020-28477.\r\nhttps://github.com/Chia-Network/chia-blockchain/commit/45c85c0030a9b07bd3d07fc0e7f7afc540b53009", + "cve": "CVE-2020-28477", + "id": "pyup.io-42341", "specs": [ - "<0.17.4rc0" + "<1.0b27" ], - "v": "<0.17.4rc0" + "v": "<1.0b27" }, { - 
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41212", - "id": "pyup.io-43337", + "advisory": "Chia-blockchain 1.0b27 updates its dependency 'pyyaml' to v5.4.1 to include a security fix.", + "cve": "CVE-2020-14343", + "id": "pyup.io-42367", "specs": [ - "<0.17.4rc0" + "<1.0b27" ], - "v": "<0.17.4rc0" + "v": "<1.0b27" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41210", - "id": "pyup.io-43338", + "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.", + "cve": "PVE-2021-38700", + "id": "pyup.io-38700", "specs": [ - "<0.17.4rc0" + "<1.0beta10" ], - "v": "<0.17.4rc0" + "v": "<1.0beta10" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41207", - "id": "pyup.io-43339", + "advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.", + "cve": "PVE-2021-38844", + "id": "pyup.io-38844", "specs": [ - "<0.17.4rc0" + "<1.0beta14" ], - "v": "<0.17.4rc0" + "v": "<1.0beta14" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41197", - "id": "pyup.io-43342", + "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. 
This increases security.", + "cve": "PVE-2021-38582", + "id": "pyup.io-38582", "specs": [ - "<0.17.4rc0" + "<1.0beta8" ], - "v": "<0.17.4rc0" + "v": "<1.0beta8" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41195", - "id": "pyup.io-43343", + "advisory": "The Windows BLS Signature library in chia-blockchain 1.0beta9 uses libsodium for additional security. Additionally, this version includes various fixes for various node dependency security vulnerabilities.", + "cve": "PVE-2021-38629", + "id": "pyup.io-38629", "specs": [ - "<0.17.4rc0" + "<1.0beta9" ], - "v": "<0.17.4rc0" + "v": "<1.0beta9" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41198", - "id": "pyup.io-43344", + "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity [security issue] (CVE-2021-21330).", + "cve": "CVE-2021-21330", + "id": "pyup.io-39672", "specs": [ - "<0.17.4rc0" + "<1.0rc5" ], - "v": "<0.17.4rc0" + "v": "<1.0rc5" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41217", - "id": "pyup.io-43318", + "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. 
It also changes 'chia keys add' command to take secret words a prompt on the command line or stdin instead of command line arguments.", + "cve": "PVE-2021-39703", + "id": "pyup.io-39703", "specs": [ - "<0.17.4rc0" + "<1.0rc6" ], - "v": "<0.17.4rc0" - }, + "v": "<1.0rc6" + } + ], + "chiavdf": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41226", - "id": "pyup.io-43322", + "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.", + "cve": "PVE-2021-39691", + "id": "pyup.io-39691", "specs": [ - "<0.17.4rc0" + "<1.0" ], - "v": "<0.17.4rc0" - }, + "v": "<1.0" + } + ], + "choochoo": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41227", - "id": "pyup.io-43323", + "advisory": "Choochoo 0.40.0 updates its dependency React to the latest version \"hopefully\" removing several npm vulnerabilities.", + "cve": "PVE-2021-41273", + "id": "pyup.io-41273", "specs": [ - "<0.17.4rc0" + "<0.40.0" ], - "v": "<0.17.4rc0" - }, + "v": "<0.40.0" + } + ], + "ciftify": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41221", - "id": "pyup.io-43324", + "advisory": "Ciftify version 2.3.3 includes security patches for several functions. Use of unsafe yaml load allows instantiation of arbitrary objects. 
Consider yaml.safe_load()\r\nhttps://github.com/edickie/ciftify/commit/7ac66dc2efc78bae272a0e1e713c81756f780969#diff-d55ace9e33dabdeba89768d93ae8fe97cf6d2ba4936fc5ab472b7bf749270b63", + "cve": "CVE-2020-1747", + "id": "pyup.io-41312", "specs": [ - "<0.17.4rc0" + "<2.3.3" ], - "v": "<0.17.4rc0" - }, + "v": "<2.3.3" + } + ], + "cinder": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41213", - "id": "pyup.io-43326", + "advisory": "Cinder versions 14.1.0, 15.2.0 and 16.1.0 include a fix for CVE-2020-10755: An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. 
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API.\r\nhttps://wiki.openstack.org/wiki/OSSN/OSSN-0086", + "cve": "CVE-2020-10755", + "id": "pyup.io-38408", "specs": [ - "<0.17.4rc0" + "<14.1.0", + ">=15.0.0.0rc1,<15.2.0", + ">=16.0.0.0b1,<16.1.0" ], - "v": "<0.17.4rc0" + "v": "<14.1.0,>=15.0.0.0rc1,<15.2.0,>=16.0.0.0b1,<16.1.0" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41228", - "id": "pyup.io-43328", - "specs": [ - "<0.17.4rc0" - ], - "v": "<0.17.4rc0" - }, - { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41222", - "id": "pyup.io-43329", + "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.", + "cve": "CVE-2013-1068", + "id": "pyup.io-25651", "specs": [ - "<0.17.4rc0" + "<2013.2.3" ], - "v": "<0.17.4rc0" - }, + "v": "<2013.2.3" + } + ], + "cipher.googlepam": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41224", - "id": "pyup.io-43330", + "advisory": "In cipher.googlepam before 1.5.1 do not use the same cache key for all users. 
Previously when one user logged in successfully, others could not log in using their own passwords -- but the first user could now use her password to log in as anyone else.", + "cve": "PVE-2021-25652", + "id": "pyup.io-25652", "specs": [ - "<0.17.4rc0" + "<1.5.1" ], - "v": "<0.17.4rc0" - }, + "v": "<1.5.1" + } + ], + "circuit-maintenance-parser": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41208", - "id": "pyup.io-43334", + "advisory": "Circuit-maintenance-parser 1.1.0 updates the 'Pydantic' dependency version due to security advisory (GHSA-5jqp-qgf6-3pvh).", + "cve": "PVE-2021-41103", + "id": "pyup.io-41103", "specs": [ - "<0.17.4rc0" + "<1.1.0" ], - "v": "<0.17.4rc0" - }, + "v": "<1.1.0" + } + ], + "circup": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41205", - "id": "pyup.io-43336", + "advisory": "Circup 0.0.6 includes an unspecified security fix.", + "cve": "PVE-2021-37936", + "id": "pyup.io-37936", "specs": [ - "<0.17.4rc0" + "<0.0.6" ], - "v": "<0.17.4rc0" - }, + "v": "<0.0.6" + } + ], + "ck": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41202", - "id": "pyup.io-43340", + "advisory": "Ck 1.7.1 fixes a server vulnerability (action with ; can run various CMD commands).", + "cve": "PVE-2021-40221", + "id": "pyup.io-40221", "specs": [ - "<0.17.4rc0" + "<1.7.1" ], - "v": "<0.17.4rc0" - }, + "v": "<1.7.1" + } + ], + "ckan": [ { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41201", - "id": "pyup.io-43341", + "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.", + "cve": "PVE-2021-34556", + "id": "pyup.io-34556", 
"specs": [ - "<0.17.4rc0" + "<1.5.1" ], - "v": "<0.17.4rc0" + "v": "<1.5.1" }, { - "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", - "cve": "CVE-2021-41199", - "id": "pyup.io-42944", + "advisory": "Ckan 1.8.1 fixes a possible XSS vulnerability on html input.\r\nhttps://github.com/ckan/ckan/pull/703", + "cve": "PVE-2021-34558", + "id": "pyup.io-34558", "specs": [ - "<0.17.4rc0" + "<1.8.1" ], - "v": "<0.17.4rc0" + "v": "<1.8.1" }, { - "advisory": "Determined 0.17.5 updates its dependency 'swagger-ui' to v4.1.0 to include a fix for a XSS vulnerability.\r\nhttps://github.com/determined-ai/determined/pull/3234", - "cve": "PVE-2021-43348", - "id": "pyup.io-43348", - "specs": [ - "<0.17.5" - ], - "v": "<0.17.5" - } - ], - "devito": [ - { - "advisory": "Devito version 4.3-beta includes a fix to handle ARM processors vulnerabilities.\r\nhttps://github.com/devitocodes/devito/pull/1515", - "cve": "PVE-2021-42102", - "id": "pyup.io-42102", + "advisory": "Ckan 2.6.9 fixes a code injection issue in the autocomplete module. See .", + "cve": "PVE-2021-39613", + "id": "pyup.io-39613", "specs": [ - "<4.3-beta" + "<2.6.9" ], - "v": "<4.3-beta" + "v": "<2.6.9" } ], - "devpi-ldap": [ + "clam": [ { - "advisory": "Devpi-ldap version 2.0.0 includes a security patch for the function 'init' in 'devpi_ldap/main.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. 
Consider yaml.safe_load()\r\n https://github.com/devpi/devpi-ldap/commit/8da2b3c1ed44e8223ce006a3737dc6a8446e945d#diff-ecbfd22333fa5942c9fe7a999189222d1ca71d72a1a89d7a1f55d559671eb200", - "cve": "CVE-2020-1747", - "id": "pyup.io-41316", + "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.", + "cve": "PVE-2021-25653", + "id": "pyup.io-25653", "specs": [ - "<2.0.0" + "<0.9.10" ], - "v": "<2.0.0" - } - ], - "diffpriv": [ + "v": "<0.9.10" + }, { - "advisory": "Diffpriv 1.0.0rc1 includes a security fix: with the 'diff' and 'enc' modules, parameters were stored in Python memory, and never removed. This commit deletes these parameters and helps prevent attackers from gaining access to these parameters, which can help them gain access to the original text and/or data.", - "cve": "PVE-2021-40539", - "id": "pyup.io-40539", + "advisory": "Clam 0.9.11 fixes a RCE vulnerability in its dispatcher.\r\nhttps://github.com/proycon/clam/commit/f89ba22a3b74f0b86ce9d8190ce28b6da7331813", + "cve": "PVE-2021-25654", + "id": "pyup.io-25654", "specs": [ - "<1.0.0rc1" + "<0.9.11" ], - "v": "<1.0.0rc1" + "v": "<0.9.11" } ], - "digitalmarketplace-utils": [ + "clearsilver": [ { - "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.\r\nhttps://github.com/Crown-Commercial-Service/digitalmarketplace-utils/pull/286", - "cve": "PVE-2021-39653", - "id": "pyup.io-39653", + "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.", + "cve": "CVE-2011-4357", + "id": "pyup.io-25655", "specs": [ - "<22.0.0" 
+ "<0.10.5" ], - "v": "<22.0.0" + "v": "<0.10.5" } ], - "dirac": [ + "cliboa": [ { - "advisory": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "cve": "CVE-2021-23841", - "id": "pyup.io-42328", + "advisory": "Cliboa 2.0.0b0 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", + "cve": "CVE-2021-33503", + "id": "pyup.io-42681", "specs": [ - "<2.1" + "<2.0.0b0" ], - "v": "<2.1" + "v": "<2.0.0b0" } ], - "directory-client-core": [ + "clickhouse-driver": [ { - "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.", - "cve": "PVE-2021-38689", - "id": "pyup.io-38689", + "advisory": "clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.", + "cve": "CVE-2020-26759", + "id": "pyup.io-42290", "specs": [ - "<5.1.1" + "<0.1.5" ], - "v": "<5.1.1" + "v": "<0.1.5" } ], - "directory-components": [ - { - "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.", - "cve": "PVE-2021-37298", - "id": "pyup.io-37298", - "specs": [ - "<25.0.1" - ], - "v": "<25.0.1" - }, + "client-sdk-python": [ { - "advisory": "The `django_language` and `country` cookies in directory-components 33.0.0 set as secure and http-only.", - "cve": "PVE-2021-37475", - "id": "pyup.io-37475", + "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.", + "cve": "PVE-2021-37584", + "id": "pyup.io-37584", "specs": [ - "<33.0.0" + "<4.7.0" ], - "v": "<33.0.0" + "v": "<4.7.0" } ], - "dirsearch": [ + "clipster-desktop": [ { - "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. See also: .", - "cve": "PVE-2021-40799", - "id": "pyup.io-40799", + "advisory": "Clipster-desktop 0.3.0 includes various improvements to make the host more secure:\r\n* All clips are encrypted locally in the client before transmission to the server. 
\r\n* Server host can't decrypt clips: it never learns the users' password.\r\n* Password is not stored in cleartext anymore. Instead password hash is used.", + "cve": "PVE-2021-39388", + "id": "pyup.io-39388", "specs": [ - "<0.4.2" + "<0.3.0" ], - "v": "<0.4.2" + "v": "<0.3.0" } ], - "discogs-client": [ + "cliquery": [ { - "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.", - "cve": "CVE-2014-1829", - "id": "pyup.io-42494", + "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.", + "cve": "CVE-2021-28957", + "id": "pyup.io-40090", "specs": [ - "<2.2.2" + "<1.10.0" ], - "v": "<2.2.2" + "v": "<1.10.0" }, { - "advisory": "Discogs-client 2.2.2 updates dependency 'PyYAML' to v4.2b1 to resolve security vulnerabilities.", - "cve": "CVE-2017-18342", - "id": "pyup.io-42495", + "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2 to include security fixes.", + "cve": "CVE-2020-27783", + "id": "pyup.io-39423", "specs": [ - "<2.2.2" + "<1.9.3" ], - "v": "<2.2.2" + "v": "<1.9.3" }, { - "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36787", + "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2 to include security fixes.", + "cve": "PVE-2021-39195", + "id": "pyup.io-43643", "specs": [ - "<2.2.2" + "<1.9.3" ], - "v": "<2.2.2" + "v": "<1.9.3" } ], - "discord-ext-slash": [ + "cloudmarker": [ { - "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found.)", - "cve": "PVE-2021-39641", - "id": "pyup.io-39641", + "advisory": "Cloudmarker 0.0.5 adds the `FirewallRuleEvent` plugin to detect insecure firewall 
rules.", + "cve": "PVE-2021-37138", + "id": "pyup.io-37138", "specs": [ - "<0.2.3" + "<0.0.5" ], - "v": "<0.2.3" + "v": "<0.0.5" } ], - "discordpie": [ + "cloudwatch-to-graphite": [ { - "advisory": "Discordpie 0.5.1 includes a security patch. No details are given.", - "cve": "PVE-2021-38343", - "id": "pyup.io-38343", + "advisory": "Cloudwatch-to-graphite version 0.11.0 includes a security patch for the function 'get_config' in 'leadbutt.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. Consider yaml.safe_load()\r\nhttps://github.com/crccheck/cloudwatch-to-graphite/commit/5875100c54a54a9c90cf2fe782cc3df147d32053#diff-ddb0922eafb2fa54199e50bb13de6178b1755e780387144df032f9e26512f15e", + "cve": "CVE-2020-1747", + "id": "pyup.io-41313", "specs": [ - "<0.5.1" + "<0.11.0" ], - "v": "<0.5.1" + "v": "<0.11.0" } ], - "dispatch": [ + "cloverly-python-module": [ { - "advisory": "Dispatch 1.3.16 updates its dependency 'Django' to v3.1.8 to include security fixes.", - "cve": "CVE-2021-28658", - "id": "pyup.io-43729", + "advisory": "Cloverly-python-module 0.2.0 adds a clear session function for security purposes.", + "cve": "PVE-2021-41085", + "id": "pyup.io-41085", "specs": [ - "<1.3.16" + "<0.2.0" ], - "v": "<1.3.16" - }, + "v": "<0.2.0" + } + ], + "cmdlr": [ { - "advisory": "Dispatch 1.3.16 updates its dependency 'Django' to v3.1.8 to include security fixes.", - "cve": "CVE-2021-23336", - "id": "pyup.io-40402", + "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`", + "cve": "PVE-2021-36854", + "id": "pyup.io-36854", "specs": [ - "<1.3.16" + "<4.1.0" ], - "v": "<1.3.16" + "v": "<4.1.0" } ], - "divina": [ + "cmsplugin-filer": [ { - "advisory": "Divina 0.1 adds a security group with ssh access enabled on partitioning EC2.", - "cve": "PVE-2021-41294", - "id": "pyup.io-41294", + "advisory": "Cmsplugin-filer 0.10.2 includes a fix for a XSS vulnerability in 'firstof' in folder template. 
Users with Django>1.7 aren't affected.\r\nhttps://github.com/divio/cmsplugin-filer/pull/185", + "cve": "PVE-2021-25656", + "id": "pyup.io-25656", "specs": [ - "<0.1" + "<0.10.2" ], - "v": "<0.1" - }, + "v": "<0.10.2" + } + ], + "cnx-publishing": [ { - "advisory": "Divina 2021.8.1 adds a security group with ssh access enabled for the EC2 partitioning.", - "cve": "PVE-2021-41237", - "id": "pyup.io-41237", + "advisory": "Cnx-publishing 0.17.6 updates its dependency 'urllib3' to v1.25.8 to include a security fix.", + "cve": "CVE-2020-7212", + "id": "pyup.io-38128", "specs": [ - "<2021.8.1" + "<0.17.6" ], - "v": "<2021.8.1" + "v": "<0.17.6" } ], - "diycrate": [ + "coapthon": [ { - "advisory": "Diycrate version 0.2.11.0 includes a security patch for the function 'oauth_dance' in 'diycrate/oauth_utils.py'. It contained requests calls with verify=False, disabling SSL certificate checks.\r\nhttps://github.com/jheld/diycrate/commit/40e51a586f16da215a3ff8096cfa64e23b0fa5cb#diff-7772b99d74abcfaa2bf013c9a4647b2b42cec23f84a79a5d4de0ef6973720971", - "cve": "PVE-2021-41317", - "id": "pyup.io-41317", + "advisory": "The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.", + "cve": "CVE-2018-12680", + "id": "pyup.io-42251", "specs": [ - "<0.2.11.0" + "==3.1", + "==4.0.0", + "==4.0.1", + "==4.0.2" ], - "v": "<0.2.11.0" + "v": "==3.1,==4.0.0,==4.0.1,==4.0.2" } ], - "djangae": [ + "cobbler": [ { - "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).", - "cve": "PVE-2021-25693", - "id": "pyup.io-25693", + "advisory": "Cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE. 
No information was provided about fixes or affected versions. See: CVE-2011-4954.", + "cve": "CVE-2011-4954", + "id": "pyup.io-37739", "specs": [ - "<0.9.4" + ">0" ], - "v": "<0.9.4" + "v": ">0" } ], - "django": [ + "cockroachdb": [ { - "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.", - "cve": "CVE-2009-2659", - "id": "pyup.io-25694", + "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.", + "cve": "PVE-2021-37264", + "id": "pyup.io-37264", "specs": [ - "<1.0" + "<0.3.2" ], - "v": "<1.0" - }, + "v": "<0.3.2" + } + ], + "codalab": [ { - "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.", - "cve": "CVE-2009-3695", - "id": "pyup.io-25695", + "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.", + "cve": "PVE-2021-36386", + "id": "pyup.io-36386", "specs": [ - "<1.0.4", - ">=1.1,<1.1.1" + "<0.2.33" ], - "v": "<1.0.4,>=1.1,<1.1.1" + "v": "<0.2.33" }, { - "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", - "cve": "CVE-2010-4535", - "id": "pyup.io-33059", + "advisory": "Codalab 0.5.12 fixes a vulnerability. 
No description of the vulnerability was included.", + "cve": "PVE-2021-38927", + "id": "pyup.io-38927", "specs": [ - "<1.1.3", - ">=1.2,<1.2.4" + "<0.5.12" ], - "v": "<1.1.3,>=1.2,<1.2.4" + "v": "<0.5.12" }, { - "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", - "cve": "CVE-2010-4534", - "id": "pyup.io-33058", + "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).", + "cve": "PVE-2021-39434", + "id": "pyup.io-39434", "specs": [ - "<1.1.3", - ">=1.2,<1.2.4" + "<0.5.33" ], - "v": "<1.1.3,>=1.2,<1.2.4" - }, + "v": "<0.5.33" + } + ], + "codecov": [ { - "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.", - "cve": "CVE-2011-0697", - "id": "pyup.io-33061", + "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.", + "cve": "PVE-2021-37934", + "id": "pyup.io-37934", "specs": [ - "<1.1.4" + "<2.0.16" ], - "v": "<1.1.4" + "v": "<2.0.16" }, { - "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.", - "cve": "CVE-2011-0696", - "id": "pyup.io-33060", + "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.", + "cve": "PVE-2021-38075", + "id": 
"pyup.io-38075", "specs": [ - "<1.1.4", - ">=1.2,<1.2.5" + "<2.0.17" ], - "v": "<1.1.4,>=1.2,<1.2.5" - }, + "v": "<2.0.17" + } + ], + "codeforcesapipy": [ { - "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.", - "cve": "CVE-2011-0698", - "id": "pyup.io-33062", + "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.", + "cve": "CVE-2021-28957", + "id": "pyup.io-40099", "specs": [ - "<1.1.4", - ">=1.2,<1.2.5" + "<2.0.8" ], - "v": "<1.1.4,>=1.2,<1.2.5" - }, + "v": "<2.0.8" + } + ], + "cohen3": [ { - "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", - "cve": "CVE-2019-6975", - "id": "pyup.io-36885", + "advisory": "Cohen3 version 0.8.3 updates its dependency \"requests\" to include a security fix.", + "cve": "CVE-2018-18074", + "id": "pyup.io-42040", "specs": [ - "<1.11.19,>=1.11.0" + "<0.8.3" ], - "v": "<1.11.19,>=1.11.0" + "v": "<0.8.3" }, { - "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. 
In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", - "cve": "CVE-2019-12781", - "id": "pyup.io-37261", + "advisory": "Cohen3 version 0.9.1 updates its dependency \"urlib3\" to v1.24.2 to include a security fix.", + "cve": "CVE-2019-11324", + "id": "pyup.io-42039", "specs": [ - "<1.11.22,>1.11", - "<2.1.10,>2.1", - "<2.2.3,>2.2" + "<0.9.1" ], - "v": "<1.11.22,>1.11,<2.1.10,>2.1,<2.2.3,>2.2" - }, + "v": "<0.9.1" + } + ], + "coinbasepro": [ { - "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.", - "cve": "PVE-2021-37259", - "id": "pyup.io-37259", + "advisory": "Coinbasepro 0.1.0 updates requests version to >=2.20.0 to address a security vulnerability.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36975", "specs": [ - "<1.11.22,>1.11.21" + "<0.1.0" ], - "v": "<1.11.22,>1.11.21" - }, + "v": "<0.1.0" + } + ], + "coincurve": [ { - "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.", - "cve": "CVE-2019-19844", - "id": "pyup.io-37771", + "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. 
\r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.", + "cve": "PVE-2021-36299", + "id": "pyup.io-36299", "specs": [ - "<1.11.27", - ">=2.0a1,<2.2.9", - ">=3.0a1,<3.0.1" + "<8.0.0" ], - "v": "<1.11.27,>=2.0a1,<2.2.9,>=3.0a1,<3.0.1" - }, + "v": "<8.0.0" + } + ], + "coinstac": [ { - "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", - "cve": "CVE-2010-3082", - "id": "pyup.io-25701", + "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.", + "cve": "PVE-2021-40091", + "id": "pyup.io-40091", "specs": [ - "<1.2.2" + "<5.2.1" ], - "v": "<1.2.2" - }, + "v": "<5.2.1" + } + ], + "colander": [ { - "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", - "cve": "CVE-2011-4138", - "id": "pyup.io-33065", + "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n catastrophic backtracking that would have led to an infinite loop.", + "cve": "PVE-2021-36856", + "id": "pyup.io-36856", "specs": [ - "<1.2.7", - ">=1.3,<1.3.1" + "<1.7.0" ], - "v": "<1.2.7,>=1.3,<1.3.1" + "v": "<1.7.0" }, { - "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", - "cve": "CVE-2011-4140", - "id": 
"pyup.io-33066", + "advisory": "In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.", + "cve": "CVE-2017-18361", + "id": "pyup.io-42247", "specs": [ - "<1.2.7", - ">=1.3,<1.3.1" + "<=1.6" ], - "v": "<1.2.7,>=1.3,<1.3.1" - }, + "v": "<=1.6" + } + ], + "collective-contact-core": [ { - "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", - "cve": "CVE-2011-4136", - "id": "pyup.io-33063", + "advisory": "collective-contact-core before 1.10", + "cve": "PVE-2021-36089", + "id": "pyup.io-36089", "specs": [ - "<1.2.7", - ">=1.3,<1.3.1" + "<1.10" ], - "v": "<1.2.7,>=1.3,<1.3.1" - }, + "v": "<1.10" + } + ], + "collective-easyform": [ { - "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", - "cve": "CVE-2011-4137", - "id": "pyup.io-33064", + "advisory": "Collective-easyform version 3.0.5 doesn't resolves entities in the modeleditor and removes processing instructions (commit #254).", + "cve": "PVE-2021-41911", + "id": "pyup.io-41911", "specs": [ - "<1.2.7", - ">=1.3,<1.3.1" + "<3.0.5" ], - "v": "<1.2.7,>=1.3,<1.3.1" - }, + "v": "<3.0.5" + } + ], + "collective-indexing": [ { - "advisory": "The (1) django.http.HttpResponseRedirect and (2) 
django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.", - "cve": "CVE-2012-3442", - "id": "pyup.io-33067", + "advisory": "Collective-indexing version 2.1 includes a fix that prevents out-of-sync security indexes on Solr. Now, reindexObjectSecurity operations are handled by the queue.\r\nhttps://github.com/plone/collective.indexing/pull/17", + "cve": "PVE-2021-41879", + "id": "pyup.io-41879", "specs": [ - "<1.3.2", - ">=1.4,<1.4.1" + "<2.1" ], - "v": "<1.3.2,>=1.4,<1.4.1" - }, + "v": "<2.1" + } + ], + "collective-noticeboard": [ { - "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.", - "cve": "CVE-2012-3444", - "id": "pyup.io-33069", + "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.", + "cve": "PVE-2021-35879", + "id": "pyup.io-35879", "specs": [ - "<1.3.2", - ">=1.4,<1.4.1" + "<0.7.1" ], - "v": "<1.3.2,>=1.4,<1.4.1" - }, + "v": "<0.7.1" + } + ], + "collective.contact.core": [ { - "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.", - "cve": "CVE-2012-3443", - "id": "pyup.io-33068", + "advisory": "Collective.contact.core 1.10 fixes a security issue related to AddContact. The vulnerability was found in its dependency Plone CMS. 
See CVE-2016-7138.\r\nhttps://github.com/collective/collective.contact.core/pull/25", + "cve": "CVE-2016-7138", + "id": "pyup.io-25657", "specs": [ - "<1.3.2", - ">=1.4,<1.4.1" + "<1.10" ], - "v": "<1.3.2,>=1.4,<1.4.1" - }, + "v": "<1.10" + } + ], + "collective.documentviewer": [ { - "advisory": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.", - "cve": "CVE-2012-4520", - "id": "pyup.io-25709", + "advisory": "Collective.documentviewer 1.5.1 fixes a security issue on file resources permissions.\r\nhttps://github.com/collective/collective.documentviewer/commit/7222b0d30b1976d3f6773553bd6948c39efcbc20", + "cve": "PVE-2021-25658", + "id": "pyup.io-25658", "specs": [ - "<1.3.4", - ">=1.4,<1.4.2" + "<1.5.1" ], - "v": "<1.3.4,>=1.4,<1.4.2" - }, + "v": "<1.5.1" + } + ], + "collective.easyform": [ { - "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.", - "cve": "CVE-2014-0483", - "id": "pyup.io-35516", + "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves entities, and it removes processing instructions. 
This increases the security.\r\nhttps://github.com/collective/collective.easyform/commit/261ea800fbe3bd650a83b1fe7558ba51bd7d0c9e", + "cve": "PVE-2021-39144", + "id": "pyup.io-39144", "specs": [ - "<1.4.14", - ">=1.5,<1.5.9", - ">=1.6,<1.6.6", - ">=1.7,<1.7rc3" + "<3.0.5" ], - "v": "<1.4.14,>=1.5,<1.5.9,>=1.6,<1.6.6,>=1.7,<1.7rc3" - }, + "v": "<3.0.5" + } + ], + "collective.js.datatables": [ { - "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.", - "cve": "CVE-2015-0220", - "id": "pyup.io-33071", + "advisory": "Collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.", + "cve": "CVE-2015-6384", + "id": "pyup.io-25659", "specs": [ - "<1.4.18", - ">=1.6,<1.6.10", - ">=1.7,<1.7.3" + "<4.1.1" ], - "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3" - }, + "v": "<4.1.1" + } + ], + "collective.noticeboard": [ { - "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.", - "cve": "CVE-2015-0221", - "id": "pyup.io-33072", + "advisory": "Collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.", + "cve": "PVE-2021-25660", + "id": "pyup.io-25660", "specs": [ - "<1.4.18", - ">=1.6,<1.6.10", - ">=1.7,<1.7.3" + "<0.7.1" ], - "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3" - }, + "v": "<0.7.1" + } + ], + "collective.portlet.twitter": [ { - "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) 
character in an HTTP header, as demonstrated by an X-Auth_User header.", - "cve": "CVE-2015-0219", - "id": "pyup.io-33070", + "advisory": "Collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.\r\nhttps://github.com/collective/collective.portlet.twitter/pull/2", + "cve": "PVE-2021-25661", + "id": "pyup.io-25661", "specs": [ - "<1.4.18", - ">=1.7,<1.7.3", - ">=1.6,<1.6.10" + "<1.0b3" ], - "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10" - }, + "v": "<1.0b3" + } + ], + "collective.tablepage": [ { - "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", - "cve": "CVE-2016-2512", - "id": "pyup.io-33073", + "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.", + "cve": "PVE-2021-25664", + "id": "pyup.io-25664", "specs": [ - "<1.8.10", - ">=1.9,<1.9.3" + "<0.3" ], - "v": "<1.8.10,>=1.9,<1.9.3" - }, + "v": "<0.3" + } + ], + "collective.xmpp.chat": [ { - "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", - "cve": "CVE-2016-2513", - "id": "pyup.io-33074", + "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.", + "cve": "PVE-2021-25666", + "id": "pyup.io-25666", "specs": [ - "<1.8.10", - ">=1.9,<1.9.3" + "<0.3.1" ], - "v": "<1.8.10,>=1.9,<1.9.3" - }, + "v": "<0.3.1" + } + ], + "collins-client": [ { - "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password 
hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", - "cve": "CVE-2018-16984", - "id": "pyup.io-36522", + "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure. If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission. 
We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set. Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.", + "cve": "PVE-2021-25667", + "id": "pyup.io-25667", "specs": [ - "<2.1.2,>=2.1" + "<2.1.0" ], - "v": "<2.1.2,>=2.1" - }, + "v": "<2.1.0" + } + ], + "colonyscanalyser": [ { - "advisory": "django before 2.1.2 fixes a security bug in 2.1.x. \r\nIf an admin user has the change permission to the user model, only part of the\r\npassword hash is displayed in the change form. Admin users with the view (but\r\nnot change) permission to the user model were displayed the entire hash.", - "cve": "CVE-2018-16984", - "id": "pyup.io-36517", + "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.", + "cve": "PVE-2021-37635", + "id": "pyup.io-37635", "specs": [ - "<2.1.2,>=2.1.0" + "<0.2.0" ], - "v": "<2.1.2,>=2.1.0" - }, + "v": "<0.2.0" + } + ], + "compliance-trestle": [ { - "advisory": "Django 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", - "cve": "CVE-2019-6975", - "id": "pyup.io-36883", + "advisory": "Compliance-trestle 0.15.0 upgrades the 'pydantic' to 1.8.2 for an security issue.", + "cve": "PVE-2021-40566", + "id": "pyup.io-40566", "specs": [ - "<2.1.6,>=2.1.0" + "<0.15.0" ], - "v": "<2.1.6,>=2.1.0" + "v": "<0.15.0" }, { - "advisory": "Django versions 2.2.24, 3.1.12, and 3.2.4 include a fix for CVE-2021-33203: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. 
Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. See CVE-2021-33203.\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases/\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce", - "cve": "CVE-2021-33203", - "id": "pyup.io-40637", + "advisory": "Compliance-trestle 0.26.0 removes user names from logs.\r\nhttps://github.com/IBM/compliance-trestle/commit/4d075b89776552a1f58751674e2056ac7afac3cc", + "cve": "PVE-2021-42185", + "id": "pyup.io-42185", "specs": [ - "<2.2.24", - ">=3.0a1,<3.1.12", - ">=3.2a1,<3.2.4" + "<0.26.0" ], - "v": "<2.2.24,>=3.0a1,<3.1.12,>=3.2a1,<3.2.4" - }, + "v": "<0.26.0" + } + ], + "concrete-datastore": [ { - "advisory": "Django versions 2.2.25, 3.1.14 and 3.2.10 include a fix for CVE-2021-44420: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.\r\nhttps://www.djangoproject.com/weblog/2021/dec/07/security-releases/", - "cve": "CVE-2021-44420", - "id": "pyup.io-43041", + "advisory": "Concrete-datastore 1.22.0 adds useful checks to the url_format to avoid template injections.", + "cve": "PVE-2021-39449", + "id": "pyup.io-39449", "specs": [ - "<2.2.25", - ">=3.2a1,<3.2.10", - ">=3.1a1,<3.1.14" + "<1.22.0" ], - "v": "<2.2.25,>=3.2a1,<3.2.10,>=3.1a1,<3.1.14" + "v": "<1.22.0" }, { - "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash. 
See: CVE-2018-14574.", - "cve": "CVE-2018-14574", - "id": "pyup.io-36359", + "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.", + "cve": "PVE-2021-39709", + "id": "pyup.io-39709", "specs": [ - "==1.11.14" + "<1.23.0" ], - "v": "==1.11.14" - }, + "v": "<1.23.0" + } + ], + "conference-scheduler-cli": [ { - "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).", - "cve": "CVE-2019-12308", - "id": "pyup.io-37186", + "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.", + "cve": "CVE-2018-14572", + "id": "pyup.io-36425", "specs": [ - "==1.11.20" + "<=0.10.1" ], - "v": "==1.11.20" - }, + "v": "<=0.10.1" + } + ], + "confidant": [ { - "advisory": "Django 1.11.23 fixes CVE-2019-14235 in 1.11.22.", - "cve": "CVE-2019-14235", - "id": "pyup.io-39599", + "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.", + "cve": "PVE-2021-26670", + "id": "pyup.io-26670", "specs": [ - "==1.11.22" + "<1.1.13" ], - "v": "==1.11.22" + "v": "<1.1.13" }, { - "advisory": "Django 1.11.23 fixes CVE-2019-14233 in 1.11.22.", - "cve": "CVE-2019-14233", - "id": "pyup.io-39601", + "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. 
The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.", + "cve": "PVE-2021-25668", + "id": "pyup.io-25668", "specs": [ - "==1.11.22" + "<1.1.14" ], - "v": "==1.11.22" + "v": "<1.1.14" }, { - "advisory": "Django 1.11.23 fixes CVE-2019-14234 in 1.11.22.", - "cve": "CVE-2019-14234", - "id": "pyup.io-39600", + "advisory": "Confidant v1.10.0 upgrades gevent and greenlet to address CVE-2016-5180 and gevent/gevent#477.", + "cve": "CVE-2016-5180", + "id": "pyup.io-38504", "specs": [ - "==1.11.22" + "<1.10.0" ], - "v": "==1.11.22" + "v": "<1.10.0" }, { - "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.", - "cve": "CVE-2019-14232", - "id": "pyup.io-37326", + "advisory": "Confidant 1.6.0 updates python-saml to address CVE-2016-1000252.", + "cve": "CVE-2016-1000252", + "id": "pyup.io-38505", "specs": [ - "==1.11.22" + "<1.6.0" ], - "v": "==1.11.22" + "v": "<1.6.0" }, { - "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.", - "cve": "CVE-2019-19844", - "id": "pyup.io-37663", + "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. 
After a finished upgrade, users should only be logged out once, if they're currently logged in.", + "cve": "PVE-2021-37471", + "id": "pyup.io-37471", "specs": [ - "==1.11.26" + "<5.0.0" ], - "v": "==1.11.26" + "v": "<5.0.0" }, { - "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.", - "cve": "CVE-2020-7471", - "id": "pyup.io-37817", + "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve the security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to periodically be rotated for security purposes.", + "cve": "PVE-2021-38560", + "id": "pyup.io-38560", "specs": [ - "==1.11.27" + "<6.3.0" ], - "v": "==1.11.27" - }, + "v": "<6.3.0" + } + ], + "confidence": [ { - "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash. See: CVE-2018-14574.", - "cve": "CVE-2018-14574", - "id": "pyup.io-36358", + "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. 
\r\nconfidence >=0.4 now uses ``yaml.safe_load``", + "cve": "PVE-2021-36308", + "id": "pyup.io-36308", "specs": [ - "==2.0.7" + "<0.4" ], - "v": "==2.0.7" - }, + "v": "<0.4" + } + ], + "confire": [ { - "advisory": "Django 2.1.11 fixes a security issue in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", - "cve": "CVE-2019-14232", - "id": "pyup.io-37325", + "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.", + "cve": "CVE-2017-16763", + "id": "pyup.io-35721", "specs": [ - "==2.1.10" + "<=0.2.0" ], - "v": "==2.1.10" - }, + "v": "<=0.2.0" + } + ], + "confluent-kafka": [ { - "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", - "cve": "CVE-2019-14233", - "id": "pyup.io-39598", + "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.", + "cve": "PVE-2021-37508", + "id": "pyup.io-37508", "specs": [ - "==2.1.10" + "<1.1.0" ], - "v": "==2.1.10" + "v": "<1.1.0" }, { - "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", - "cve": "CVE-2019-14235", - "id": "pyup.io-39596", + "advisory": "Confluent-kafka 1.3.0 includes a fix for CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", + "cve": "CVE-2019-17543", + "id": "pyup.io-38072", "specs": [ - "==2.1.10" + "<1.3.0" ], - "v": "==2.1.10" + "v": "<1.3.0" }, { - "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", - "cve": "CVE-2019-14234", - "id": "pyup.io-39597", + "advisory": "Confluent-kafka 1.4.0 includes two security issues in the SASL SCRAM protocol handler:\r\n * The client nonce, which is expected to be a random string, was a static string.\r\n * If `sasl.username` and `sasl.password` contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.", + "cve": "PVE-2021-38165", + "id": "pyup.io-38165", "specs": [ - "==2.1.10" + "<1.4.0" ], - "v": "==2.1.10" - }, + "v": "<1.4.0" + } + ], + "conn-check": [ { - "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.", - "cve": "CVE-2019-19118", - "id": "pyup.io-37657", + "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.", + "cve": "PVE-2021-25669", + "id": "pyup.io-25669", "specs": [ - "==2.1.14" + "<1.0.18" ], - "v": "==2.1.14" - }, + "v": "<1.0.18" + } + ], + "container-service-extension": [ { - "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS).", - "cve": "CVE-2019-12308", - "id": "pyup.io-37185", + "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching", + "cve": "PVE-2021-36876", + "id": "pyup.io-36876", "specs": [ - "==2.1.8" + "<1.2.5" ], - "v": "==2.1.8" + "v": "<1.2.5" }, { - "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS).", - "cve": "CVE-2019-12308", - "id": 
"pyup.io-37184", + "advisory": "Container-service-extension 1.2.7 updates docker images to include a fix for CVE-2019-5736.\r\nhttps://github.com/vmware/container-service-extension/commit/1f03f960871afe8774541747712d4a72f6378839", + "cve": "CVE-2019-5736", + "id": "pyup.io-37100", "specs": [ - "==2.2.1" + "<1.2.7" ], - "v": "==2.2.1" + "v": "<1.2.7" }, { - "advisory": "Django 2.2.18 fixes a security issue with severity \"low\" in 2.2.17 (CVE-2021-3281).", - "cve": "CVE-2021-3281", - "id": "pyup.io-39523", + "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.", + "cve": "PVE-2021-37529", + "id": "pyup.io-37529", "specs": [ - "==2.2.17" + "<2.5.0b1" ], - "v": "==2.2.17" - }, + "v": "<2.5.0b1" + } + ], + "contentful": [ { - "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.", - "cve": "CVE-2019-12781", - "id": "pyup.io-37324", + "advisory": "Contentful 1.11.3 updates 'requests' version due to a vulnerability found in versions '2.19' and below.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36633", "specs": [ - "==2.2.2" + "<1.11.3" ], - "v": "==2.2.2" + "v": "<1.11.3" }, { - "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33571).", - "cve": "PVE-2021-40597", - "id": "pyup.io-40597", + "advisory": "Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.", + "cve": "CVE-2020-13258", + "id": "pyup.io-38314", "specs": [ - "==2.2.23" + "<=1.12.3" ], - "v": "==2.2.23" - }, + "v": "<=1.12.3" + } + ], + "contentful-management": [ { - "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33203).", - "cve": "PVE-2021-40586", - "id": "pyup.io-40586", + "advisory": "Contentful-management 2.5.0 updates 'requests' version due to a vulnerability found in previous versions.", + "cve": "CVE-2018-18074", + 
"id": "pyup.io-36599", "specs": [ - "==2.2.23" + "<2.5.0" ], - "v": "==2.2.23" - }, - { - "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", - "cve": "CVE-2019-14233", - "id": "pyup.io-39593", + "v": "<2.5.0" + } + ], + "contestms": [ + { + "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. These won't be backported to 1.1, so make sure you update.", + "cve": "PVE-2021-34249", + "id": "pyup.io-34249", "specs": [ - "==2.2.3" + "<1.2.0" ], - "v": "==2.2.3" - }, + "v": "<1.2.0" + } + ], + "cookie-manager": [ { - "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", - "cve": "CVE-2019-14234", - "id": "pyup.io-39592", + "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.", + "cve": "PVE-2021-38106", + "id": "pyup.io-38106", "specs": [ - "==2.2.3" + "<1.0.3" ], - "v": "==2.2.3" + "v": "<1.0.3" }, { - "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", - "cve": "CVE-2019-14235", - "id": "pyup.io-39591", + "advisory": "Cookie-manager 1.1.0 updates its dependency Bleach to include a security fix.", + "cve": "CVE-2020-6817", + "id": "pyup.io-38153", "specs": [ - "==2.2.3" + "<1.1.0" ], - "v": "==2.2.3" + "v": "<1.1.0" }, { - "advisory": "Django 2.2.4 fixes a security issue in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", - "cve": "CVE-2019-14232", - "id": "pyup.io-37323", + "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. 
See Bleach 3.3.0 for further details.", + "cve": "PVE-2021-40165", + "id": "pyup.io-40165", "specs": [ - "==2.2.3" + "<1.2.1" ], - "v": "==2.2.3" - }, + "v": "<1.2.1" + } + ], + "cookiecutter": [ { - "advisory": "Django 2.2.8 fixes CVE-2019-19118 in 2.2.7: Privilege escalation in the Django admin.", - "cve": "CVE-2019-19118", - "id": "pyup.io-37656", + "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6", + "cve": "PVE-2021-34683", + "id": "pyup.io-34683", "specs": [ - "==2.2.7" + "<0.1.0" ], - "v": "==2.2.7" + "v": "<0.1.0" }, { - "advisory": "Django 2.2.9 fixes CVE-2019-19844 in 2.2.8: potential account hijack via password reset form.", - "cve": "CVE-2019-19844", - "id": "pyup.io-37662", + "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.", + "cve": "PVE-2021-37672", + "id": "pyup.io-37672", "specs": [ - "==2.2.8" + "<1.1.0" ], - "v": "==2.2.8" - }, + "v": "<1.1.0" + } + ], + "coordination-network-toolkit": [ { - "advisory": "Django 2.2.10 fixes a security issue in 2.2.9. Potential SQL injection via `StringAgg(delimiter)`. 
See CVE-2020-7471.", - "cve": "CVE-2020-7471", - "id": "pyup.io-37816", + "advisory": "Coordination-network-toolkit 1.0.2 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", + "cve": "CVE-2021-33503", + "id": "pyup.io-40624", "specs": [ - "==2.2.9" + "<1.0.2" ], - "v": "==2.2.9" - }, + "v": "<1.0.2" + } + ], + "copyparty": [ { - "advisory": "Django 3.0.1 fixes CVE-2019-19844 in 3.0: potential account hijack via password reset form.", - "cve": "CVE-2019-19844", - "id": "pyup.io-37661", + "advisory": "The maintainers of Copyparty report that they \"hopefully\" have fixed a bug in version 0.12.3 where malicious POSTs through an nginx reverse-proxy could put the connection in a bad state, causing the next legit request to fail with bad headers", + "cve": "PVE-2021-41050", + "id": "pyup.io-41050", "specs": [ - "==3.0" + "<0.12.3" ], - "v": "==3.0" - }, + "v": "<0.12.3" + } + ], + "cortex": [ { - "advisory": "Django 3.0.12 fixes a security issue with severity \"low\" in 3.0.11 (CVE-2021-3281).", - "cve": "CVE-2021-3281", - "id": "pyup.io-39522", + "advisory": "cortex before 0.32.0", + "cve": "PVE-2021-40128", + "id": "pyup.io-40128", "specs": [ - "==3.0.11" + "<0.32.0" ], - "v": "==3.0.11" - }, + "v": "<0.32.0" + } + ], + "cosmos-wfm": [ { - "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via `StringAgg(delimiter)`. 
See: CVE-2020-7471.", - "cve": "CVE-2020-7471", - "id": "pyup.io-37815", + "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", + "cve": "PVE-2021-34181", + "id": "pyup.io-34181", "specs": [ - "==3.0.2" + "<2.1.1" ], - "v": "==3.0.2" - }, + "v": "<2.1.1" + } + ], + "cova": [ { - "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33571).", - "cve": "PVE-2021-40598", - "id": "pyup.io-40598", + "advisory": "Cova 0.7.4 updates its dependency 'dask' to v2021.10.0 to include a security fix.", + "cve": "CVE-2021-42343", + "id": "pyup.io-44672", "specs": [ - "==3.1.11" + "<0.7.4" ], - "v": "==3.1.11" - }, + "v": "<0.7.4" + } + ], + "coveralls": [ { - "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33203).", - "cve": "PVE-2021-40585", - "id": "pyup.io-40585", + "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.", + "cve": "PVE-2021-25671", + "id": "pyup.io-25671", "specs": [ - "==3.1.11" + "<0.1.1" ], - "v": "==3.1.11" - }, + "v": "<0.1.1" + } + ], + "covert": [ { - "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).", - "cve": "CVE-2021-3281", - "id": "pyup.io-39521", + "advisory": "Covert 0.2.1 ensures that all authentication tokens are unique, also for repeated public keys.\r\nhttps://github.com/covert-encryption/covert/commit/1a40aa80bb9f0401e2eb59d93df5e531c4ec1623", + "cve": "PVE-2021-42679", + "id": "pyup.io-42679", "specs": [ - "==3.1.5" + "<0.2.1" ], - "v": "==3.1.5" + "v": "<0.2.1" }, { - "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-33203).", - "cve": "PVE-2021-40584", - "id": "pyup.io-40584", + "advisory": "Covert 0.6.0 fixes an indistinguishability flaw in the ephemeral keys: 
encrypted archives could be easily distinguishable from random.\r\nhttps://github.com/covert-encryption/covert/issues/55", + "cve": "PVE-2022-44428", + "id": "pyup.io-44428", "specs": [ - "==3.2.3" + "<0.6.0" ], - "v": "==3.2.3" - }, + "v": "<0.6.0" + } + ], + "cplay-ng": [ { - "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-3357).", - "cve": "PVE-2021-40599", - "id": "pyup.io-40599", + "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.", + "cve": "PVE-2021-25672", + "id": "pyup.io-25672", "specs": [ - "==3.2.3" + "<1.50" ], - "v": "==3.2.3" - }, + "v": "<1.50" + } + ], + "crate-docs-theme": [ { - "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. 
This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", - "cve": "PVE-2021-25722", - "id": "pyup.io-25722", + "advisory": "Crate-docs-theme 0.13.0 updates/removes Bootstrap and jQuery packages (nine vulnerabilities detected).", + "cve": "PVE-2021-39529", + "id": "pyup.io-39529", "specs": [ - ">=1.10,<1.10.3" + "<0.13.0" ], - "v": ">=1.10,<1.10.3" - }, + "v": "<0.13.0" + } + ], + "creavel": [ { - "advisory": "Django version 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7233: Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely 'django.utils.http.is_safe_url()') considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on 'is_safe_url()' to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/", - "cve": "CVE-2017-7233", - "id": "pyup.io-33300", + "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25673", + "id": "pyup.io-25673", "specs": [ - ">=1.10,<1.10.7", - ">=1.9.0,<1.9.13", - ">=1.8.0,<1.8.18" + "<0.11.0" ], - "v": ">=1.10,<1.10.7,>=1.9.0,<1.9.13,>=1.8.0,<1.8.18" + "v": "<0.11.0" }, { - "advisory": "Django 1.10.8 fixes a security issue in 1.10.7. 
In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with 'DEBUG = True' (which makes this page accessible) in your production settings. See also: CVE-2017-12794, described as \"Possible XSS in traceback section of technical 500 debug page\".", - "cve": "CVE-2017-12794", - "id": "pyup.io-34918", + "advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.", + "cve": "PVE-2021-25674", + "id": "pyup.io-25674", "specs": [ - ">=1.10.7,<1.10.8" + "<0.14.0" ], - "v": ">=1.10.7,<1.10.8" - }, + "v": "<0.14.0" + } + ], + "credstash": [ { - "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", - "cve": "CVE-2020-7471", - "id": "pyup.io-37970", + "advisory": "Credstash 1.16.0 updates its dependency pyyaml to a version >=4.2b1 to include a security fix.", + "cve": "CVE-2017-18342", + "id": "pyup.io-37852", "specs": [ - ">=1.11,<1.11.28", - ">=2.2,<2.2.10", - ">=3.0,<3.0.3" + "<1.16.0" ], - "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3" - }, + "v": "<1.16.0" + } + ], + "creopyson": [ { - "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. 
Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.", - "cve": "CVE-2017-12794", - "id": "pyup.io-34917", + "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.", + "cve": "PVE-2021-37964", + "id": "pyup.io-37964", "specs": [ - ">=1.11,<1.11.5" + "<0.4.2" ], - "v": ">=1.11,<1.11.5" - }, + "v": "<0.4.2" + } + ], + "cromwell-tools": [ { - "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", - "cve": "CVE-2019-12308", - "id": "pyup.io-37191", + "advisory": "Cromwell-tools 1.0.0 updates requests to v2.20.0 to avoid security issues.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36659", "specs": [ - ">=1.11.0,<1.11.21", - ">=2.1,<2.1.9", - ">=2.2,<2.2.2" + "<1.0.0" ], - "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2" - }, + "v": "<1.0.0" + } + ], + "crossbar": [ { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. 
The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", - "cve": "CVE-2019-14232", - "id": "pyup.io-37329", + "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", + "cve": "PVE-2021-25675", + "id": "pyup.io-25675", "specs": [ - ">=1.11.0,<1.11.23", - ">=2.1.0,<2.1.11", - ">=2.2.0,<2.2.4" + "<0.15.0" ], - "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + "v": "<0.15.0" }, { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", - "cve": "CVE-2019-14234", - "id": "pyup.io-37357", + "advisory": "crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.", + "cve": "PVE-2021-25676", + "id": "pyup.io-25676", "specs": [ - ">=1.11.0,<1.11.23", - ">=2.1.0,<2.1.11", - ">=2.2.0,<2.2.4" + "<0.6.4" ], - "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + "v": "<0.6.4" }, { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. 
Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", - "cve": "CVE-2019-14233", - "id": "pyup.io-37330", + "advisory": "Crossbar 20.12.3 fixes a dependency on Autobahn v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.", + "cve": "PVE-2021-39329", + "id": "pyup.io-39329", "specs": [ - ">=1.11.0,<1.11.23", - ">=2.1.0,<2.1.11", - ">=2.2.0,<2.2.4" + "<20.12.3" ], - "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" - }, + "v": "<20.12.3" + } + ], + "croud": [ { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", - "cve": "CVE-2019-14235", - "id": "pyup.io-37331", + "advisory": "Croud 0.3.0 includes a fix for CVE-2017-18342, an arbitrary code execution vulnerability in yaml.load().\r\nhttps://github.com/crate/croud/commit/821f2ba47285f5b5ad3e2e2782c44f867da931ee", + "cve": "CVE-2017-18342", + "id": "pyup.io-42353", "specs": [ - ">=1.11.0,<1.11.23", - ">=2.1.0,<2.1.11", - ">=2.2.0,<2.2.4" + "<0.3.0" ], - "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" - }, + "v": "<0.3.0" + } + ], + "crypt": [ { - "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injections if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. 
See: CVE-2020-9402.", - "cve": "CVE-2020-9402", - "id": "pyup.io-38010", + "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", + "cve": "PVE-2021-34981", + "id": "pyup.io-34981", "specs": [ - ">=1.11.0,<1.11.29", - ">=2.2.0,<2.2.11", - ">=3.0.0,<3.0.4" + ">0", + "<0" ], - "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4" - }, + "v": ">0,<0" + } + ], + "cryptacular": [ { - "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). 
This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.", - "cve": "CVE-2018-6188", - "id": "pyup.io-35174", + "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", + "cve": "CVE-2011-2483", + "id": "pyup.io-42230", "specs": [ - ">=1.11.8,<1.11.10" + "<1.2" ], - "v": ">=1.11.8,<1.11.10" + "v": "<1.2" }, { - "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. A remote user can redirect the target user's browser to an arbitrary site.", - "cve": "CVE-2018-14574", - "id": "pyup.io-36368", + "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", + "cve": "PVE-2021-25677", + "id": "pyup.io-25677", "specs": [ - ">=1.11a1,<1.11.15", - ">=2.0a1,<2.0.8" + "<1.2" ], - "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8" - }, + "v": "<1.2" + } + ], + "cryptice": [ { - "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. 
See: CVE-2019-3498.", - "cve": "CVE-2019-3498", - "id": "pyup.io-36771", + "advisory": "Cryptice 2.0 improves user data validation to avoid security issues.\r\nhttps://github.com/RenardDev/CryptICE/commit/2a8627747ab1a180e1466a21cf2fb6a9f665489a", + "cve": "PVE-2022-43753", + "id": "pyup.io-43753", "specs": [ - ">=1.11a1,<1.11.18" + "<2.0" ], - "v": ">=1.11a1,<1.11.18" - }, + "v": "<2.0" + } + ], + "crypto-candlesticks": [ { - "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.", - "cve": "CVE-2013-0305", - "id": "pyup.io-33111", + "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.", + "cve": "PVE-2021-39697", + "id": "pyup.io-39697", "specs": [ - ">=1.3,<1.3.6", - ">=1.4,<1.4.4", - ">=1.5,<1.5.1" + "<0.1.5" ], - "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1" - }, + "v": "<0.1.5" + } + ], + "cryptography": [ { - "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.", - "cve": "CVE-2013-0306", - "id": "pyup.io-33112", + "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. 
Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", + "cve": "PVE-2021-25678", + "id": "pyup.io-25678", "specs": [ - ">=1.3,<1.3.6", - ">=1.4,<1.4.4", - ">=1.5,<1.5.1" + "<0.9.1" ], - "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1" + "v": "<0.9.1" }, { - "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.", - "cve": "CVE-2015-5964", - "id": "pyup.io-25728", + "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. 
Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", + "cve": "PVE-2021-25679", + "id": "pyup.io-25679", "specs": [ - ">=1.4,<1.4.22", - ">=1.7,<1.7.10" + "<1.0.2" ], - "v": ">=1.4,<1.4.22,>=1.7,<1.7.10" + "v": "<1.0.2" }, { - "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", - "cve": "CVE-2015-5963", - "id": "pyup.io-25727", + "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.", + "cve": "CVE-2016-9243", + "id": "pyup.io-25680", "specs": [ - ">=1.4,<1.4.22", - ">=1.7,<1.7.10", - ">=1.8,<1.8.4" + "<1.5.3" ], - "v": ">=1.4,<1.4.22,>=1.7,<1.7.10,>=1.8,<1.8.4" + "v": "<1.5.3" }, { - "advisory": "The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by \"the login view in django.contrib.auth.views\" and the javascript: scheme.", - "cve": "CVE-2013-6044", - "id": "pyup.io-42237", + "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. 
These keys were already wildly insecure and should not have been used in any application outside of testing.", + "cve": "PVE-2021-39252", + "id": "pyup.io-39252", "specs": [ - ">=1.4,<1.4.6", - ">=1.5,<1.5.2", - ">1.6,<1.6b2" + "<3.3" ], - "v": ">=1.4,<1.4.6,>=1.5,<1.5.2,>1.6,<1.6b2" + "v": "<3.3" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField. See: CVE-2013-4249.", - "cve": "CVE-2013-4249", - "id": "pyup.io-35456", + "advisory": "In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. See: CVE-2020-36242.", + "cve": "CVE-2020-36242", + "id": "pyup.io-39606", "specs": [ - ">=1.5,<1.5.2", - ">=1.6,<1.6b2" + "<3.3.2" ], - "v": ">=1.5,<1.5.2,>=1.6,<1.6b2" + "v": "<3.3.2" }, { - "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.", - "cve": "CVE-2013-1443", - "id": "pyup.io-25729", + "advisory": "Cryptography 3.2 was released with the warning that its maintainers became aware of a Bleichenbacher vulnerability that they were only partly able to mitigate. 
See: CVE-2020-25659.", + "cve": "CVE-2020-25659", + "id": "pyup.io-38932", "specs": [ - ">=1.6,<1.6-beta-4", - ">=1.4,<1.4.8", - ">=1.5,<1.5.4" + "<=3.2" ], - "v": ">=1.6,<1.6-beta-4,>=1.4,<1.4.8,>=1.5,<1.5.4" + "v": "<=3.2" }, { - "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.", - "cve": "CVE-2015-0222", - "id": "pyup.io-25730", + "advisory": "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903.", + "cve": "CVE-2018-10903", + "id": "pyup.io-36351", "specs": [ - ">=1.7,<1.7.3", - ">=1.6,<1.6.10" + ">=1.9.0,<2.3" ], - "v": ">=1.7,<1.7.3,>=1.6,<1.6.10" - }, + "v": ">=1.9.0,<2.3" + } + ], + "cryptography-vectors": [ { - "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.", - "cve": "CVE-2015-2316", - "id": "pyup.io-25731", + "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. 
Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", + "cve": "PVE-2021-25681", + "id": "pyup.io-25681", "specs": [ - ">=1.7,<1.7.7", - ">=1.6,<1.6.11", - ">=1.8a1,<1.8c1" + "<0.9.1" ], - "v": ">=1.7,<1.7.7,>=1.6,<1.6.11,>=1.8a1,<1.8c1" + "v": "<0.9.1" }, { - "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.", - "cve": "CVE-2015-5143", - "id": "pyup.io-25725", + "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. 
Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", + "cve": "PVE-2021-25682", + "id": "pyup.io-25682", "specs": [ - ">=1.7,<1.7.9", - ">=1.5,<1.7", - ">=1.4,<1.4.21" + "<1.0.2" ], - "v": ">=1.7,<1.7.9,>=1.5,<1.7,>=1.4,<1.4.21" + "v": "<1.0.2" }, { - "advisory": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", - "cve": "CVE-2016-9014", + "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.", + "cve": "CVE-2016-9243", + "id": "pyup.io-25683", + "specs": [ + "<1.5.3" + ], + "v": "<1.5.3" + } + ], + "cssutils": [ + { + "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)", + "cve": "PVE-2021-25684", + "id": "pyup.io-25684", + "specs": [ + "<0.9.6a2" + ], + "v": "<0.9.6a2" + } + ], + "cstar": [ + { + "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). 
See: .", + "cve": "PVE-2021-39224", + "id": "pyup.io-39224", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], + "cumin": [ + { + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.", + "cve": "CVE-2012-1575", + "id": "pyup.io-35357", + "specs": [ + "=0.56.1, to avoid a security vulnerability.", + "cve": "PVE-2021-40620", + "id": "pyup.io-40620", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + } + ], + "datasette-css-properties": [ + { + "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML which could be an XSS security hole.\r\nhttps://github.com/simonw/datasette-css-properties/commit/faf181430667af0e4f4954163fefcc32e8fdbd9c", + "cve": "PVE-2021-39422", + "id": "pyup.io-39422", + "specs": [ + "<0.2" + ], + "v": "<0.2" + } + ], + "datasette-graphql": [ + { + "advisory": "Satasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible, though not their actual row content. See: .", + "cve": "PVE-2021-39174", + "id": "pyup.io-39174", + "specs": [ + "<1.2" + ], + "v": "<1.2" + } + ], + "datasette-indieauth": [ + { + "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.", + "cve": "PVE-2021-39164", + "id": "pyup.io-39164", + "specs": [ + "<1.1" + ], + "v": "<1.1" + } + ], + "datasette-insert": [ + { + "advisory": "Datasette-insert 0.6 is locked down by default. 
This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.", + "cve": "PVE-2021-38644", + "id": "pyup.io-38644", + "specs": [ + "<0.6" + ], + "v": "<0.6" + } + ], + "datasette-query-links": [ + { + "advisory": "Datasette-query-links 0.1.1 fixes an XSS security bug.\r\nhttps://github.com/simonw/datasette-query-links/issues/2", + "cve": "PVE-2021-41092", + "id": "pyup.io-41092", + "specs": [ + "<0.1.1" + ], + "v": "<0.1.1" + } + ], + "datasette-seaborn": [ + { + "advisory": "The maintainers or the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.", + "cve": "PVE-2021-38782", + "id": "pyup.io-38782", + "specs": [ + "==0.1a0" + ], + "v": "==0.1a0" + } + ], + "dateable-chronos": [ + { + "advisory": "Dateable-chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", + "cve": "PVE-2021-35988", + "id": "pyup.io-35988", + "specs": [ + "<0.8" + ], + "v": "<0.8" + } + ], + "dateable.chronos": [ + { + "advisory": "Dateable.chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", + "cve": "PVE-2021-25685", + "id": "pyup.io-25685", + "specs": [ + "<0.8" + ], + "v": "<0.8" + } + ], + "datera-cinder": [ + { + "advisory": "Datera-cinder 2018.10.30.0 updates the required 'requests' version to >=2.20.0 to include a fix for CVE-2018-18074.", + "cve": "CVE-2018-18074", + "id": "pyup.io-37204", + "specs": [ + "<2018.10.30.0" + ], + "v": "<2018.10.30.0" + } + ], + "datumaro": [ + { + "advisory": "Datumaro version 0.1.10 includes a fix for an arbitrary code execution vulnerability: Cifar implementation is based on pickle, which can run arbitrary code on unpickling.\r\nhttps://github.com/openvinotoolkit/datumaro/issues/327", + "cve": 
"PVE-2021-41817", + "id": "pyup.io-41817", + "specs": [ + "<0.1.10" + ], + "v": "<0.1.10" + } + ], + "dawgie": [ + { + "advisory": "Dawgie 1.2.3 includes a vulnerability fix.", + "cve": "PVE-2021-40122", + "id": "pyup.io-40122", + "specs": [ + "<1.2.3" + ], + "v": "<1.2.3" + }, + { + "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.", + "cve": "PVE-2021-40121", + "id": "pyup.io-40121", + "specs": [ + "<1.2.9" + ], + "v": "<1.2.9" + } + ], + "db-able": [ + { + "advisory": "Db-able 2.1.4 updates its NPM dependency 'shelljs' to v0.8.5 to include a security fix.", + "cve": "CVE-2022-0144", + "id": "pyup.io-44568", + "specs": [ + "<2.1.4" + ], + "v": "<2.1.4" + } + ], + "dbcat": [ + { + "advisory": "Dbcat 0.3.1 updates its dependency 'cryptography' to v3.4.4 to include a security fix.", + "cve": "CVE-2020-36242", + "id": "pyup.io-42696", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + } + ], + "dbt-core": [ + { + "advisory": "Dbt-core 0.20.0rc1 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", + "cve": "CVE-2020-28493", + "id": "pyup.io-42229", + "specs": [ + "<0.20.0rc1" + ], + "v": "<0.20.0rc1" + } + ], + "dbtos3": [ + { + "advisory": "Dbtos3 version 0.0.2a0 includes security fixes related to dependencies' updates.", + "cve": "PVE-2021-42017", + "id": "pyup.io-42017", + "specs": [ + "<0.0.2a0" + ], + "v": "<0.0.2a0" + } + ], + "ddtrace": [ + { + "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. 
This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.", + "cve": "PVE-2021-35790", + "id": "pyup.io-35790", + "specs": [ + "<0.11.0" + ], + "v": "<0.11.0" + } + ], + "debianized-jupyterhub": [ + { + "advisory": "Debianized-jupyterhub 0.9.5.1 updates its dependency 'notebook' to 5.7.7 to include a security fix.", + "cve": "CVE-2019-10255", + "id": "pyup.io-37002", + "specs": [ + "<0.9.5.1" + ], + "v": "<0.9.5.1" + } + ], + "debops": [ + { + "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.", + "cve": "PVE-2021-36371", + "id": "pyup.io-36371", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + }, + { + "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. 
See: .", + "cve": "PVE-2021-37159", + "id": "pyup.io-37159", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "The :command:\"lxc-prepare-ssh\" script in debops 1.1.0 will no longer install SSH keys from the LXC host \"root\" account on the LXC container \"root\" account. That could cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.\r\nhttps://github.com/debops/debops/commit/6dd088e413ef4c5dac23d94bb338ae19398985e2", + "cve": "PVE-2021-37404", + "id": "pyup.io-37404", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Debops 1.2.0 includes a security patch for CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.", + "cve": "CVE-2019-11043", + "id": "pyup.io-37733", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + }, + { + "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", + "cve": "PVE-2021-37732", + "id": "pyup.io-37732", + "specs": [ + "<1.7.0" + ], + "v": "<1.7.0" + }, + { + "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. 
This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", + "cve": "PVE-2021-26403", + "id": "pyup.io-26403", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], + "decaptcha": [ + { + "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0", + "cve": "PVE-2021-37892", + "id": "pyup.io-37892", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0", + "cve": "PVE-2021-37891", + "id": "pyup.io-37891", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], + "deeposlandia": [ + { + "advisory": "Deeposlandia 0.6 updates its dependency 'Tensorflow' to v1.15 to include security fixes.", + "cve": "CVE-2019-16778", + "id": "pyup.io-38133", + "specs": [ + "<0.6" + ], + "v": "<0.6" + }, + { + "advisory": "Deeposlandia 0.6 updates its dependency 'Tensorflow' to v1.15 to include security fixes.", + "cve": "PVE-2021-37524", + "id": "pyup.io-43828", + "specs": [ + "<0.6" + ], + "v": "<0.6" + }, + { + "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to fix a moderate-severity vulnerability in pillow <6.2.2.", + "cve": "PVE-2021-38285", + "id": "pyup.io-38285", + "specs": [ + "<0.6.2" + ], + "v": "<0.6.2" + } + ], + "definitions": [ + { + "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. 
It can execute arbitrary python commands resulting in command execution.", + "cve": "CVE-2018-20325", + "id": "pyup.io-36752", + "specs": [ + "<=0.2.0" + ], + "v": "<=0.2.0" + } + ], + "defusedexpat": [ + { + "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", + "cve": "CVE-2013-1664", + "id": "pyup.io-33054", + "specs": [ + "<0.3" + ], + "v": "<0.3" + }, + { + "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", + "cve": "CVE-2013-1665", + "id": "pyup.io-33055", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "defusedxml": [ + { + "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", + "cve": "CVE-2013-1664", + "id": "pyup.io-33056", + "specs": [ + "<0.4" + ], + "v": "<0.4" + }, + { + "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", + "cve": "CVE-2013-1665", + "id": "pyup.io-33057", + "specs": [ + "<0.4" + ], + "v": "<0.4" + } + ], + 
"deis": [ + { + "advisory": "Deis 1.4.0 disables SSLv3 in its router module to handle CVE-2014-3566.\r\nhttps://github.com/deis/deis/commit/93bb0fd9cb33e5b8bdcfdc277d15d61b938a88d4", + "cve": "CVE-2014-3566", + "id": "pyup.io-25691", + "specs": [ + "<1.4.0" + ], + "v": "<1.4.0" + } + ], + "deltachat": [ + { + "advisory": "Deltachat 1.0.0b17 fixes SQL/injection malformed Chat-Group-Name breakage.", + "cve": "PVE-2021-40086", + "id": "pyup.io-40086", + "specs": [ + "<1.0.0b17" + ], + "v": "<1.0.0b17" + }, + { + "advisory": "deltachat 1.0.0beta.2 has several security fixes", + "cve": "PVE-2021-37922", + "id": "pyup.io-37922", + "specs": [ + "<1.0.0beta.2" + ], + "v": "<1.0.0beta.2" + }, + { + "advisory": "Deltachat 1.51.0 improves and harden secure join feature.", + "cve": "PVE-2021-40084", + "id": "pyup.io-40084", + "specs": [ + "<1.51.0" + ], + "v": "<1.51.0" + } + ], + "deluge": [ + { + "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.", + "cve": "PVE-2021-37155", + "id": "pyup.io-37155", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], + "descarteslabs": [ + { + "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.", + "cve": "PVE-2021-40827", + "id": "pyup.io-40827", + "specs": [ + "<1.8.1" + ], + "v": "<1.8.1" + } + ], + "destringcare": [ + { + "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.", + "cve": "CVE-2013-7459", + "id": "pyup.io-37228", + "specs": [ + "<0.0.4" + ], + "v": "<0.0.4" + }, + { + "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.", + "cve": "CVE-2018-6594", + "id": "pyup.io-42205", + "specs": [ + "<0.0.4" + ], + "v": "<0.0.4" + } + ], + "determined": [ + { + "advisory": "Determined 0.12.12rc0 upgrades lodash to fix a vulnerability.", + "cve": "PVE-2021-38656", + "id": "pyup.io-38656", + "specs": [ + "<0.12.12rc0" + ], + "v": "<0.12.12rc0" + }, + { + 
"advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates link to support secure blank targets (d1146d3).", + "cve": "PVE-2021-38415", + "id": "pyup.io-38415", + "specs": [ + "<0.12.7" + ], + "v": "<0.12.7" + }, + { + "advisory": "Determined 0.14.0 updates the 'storybook' dependency to resolve a GitHub security vulnerability for 'highlight.js'.", + "cve": "PVE-2021-39625", + "id": "pyup.io-39625", + "specs": [ + "<0.14.0" + ], + "v": "<0.14.0" + }, + { + "advisory": "Determined 0.16.0.dev0 upgrades the 'ws' dependency to patch a security vulnerability.", + "cve": "PVE-2021-40670", + "id": "pyup.io-40670", + "specs": [ + "<0.16.0.dev0" + ], + "v": "<0.16.0.dev0" + }, + { + "advisory": "Determined 0.16.4 includes a fix to prevent log html injection via unicode.", + "cve": "PVE-2021-41255", + "id": "pyup.io-41255", + "specs": [ + "<0.16.4" + ], + "v": "<0.16.4" + }, + { + "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to get better security upgrades.\r\nhttps://github.com/determined-ai/determined/pull/2914", + "cve": "PVE-2021-42148", + "id": "pyup.io-42148", + "specs": [ + "<0.17.0rc0" + ], + "v": "<0.17.0rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41218", + "id": "pyup.io-43331", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41210", + "id": "pyup.io-43338", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41198", + "id": "pyup.io-43344", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 
0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41199", + "id": "pyup.io-42944", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41196", + "id": "pyup.io-43315", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41203", + "id": "pyup.io-43316", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41200", + "id": "pyup.io-43317", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41217", + "id": "pyup.io-43318", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41214", + "id": "pyup.io-43319", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41219", + "id": "pyup.io-43320", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41225", + "id": "pyup.io-43321", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to 
Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41226", + "id": "pyup.io-43322", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41221", + "id": "pyup.io-43324", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41209", + "id": "pyup.io-43325", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41213", + "id": "pyup.io-43326", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41204", + "id": "pyup.io-43327", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41228", + "id": "pyup.io-43328", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41222", + "id": "pyup.io-43329", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41224", + "id": "pyup.io-43330", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) 
to include security fixes.", + "cve": "CVE-2021-41216", + "id": "pyup.io-43332", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41227", + "id": "pyup.io-43323", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41208", + "id": "pyup.io-43334", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41206", + "id": "pyup.io-43335", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41205", + "id": "pyup.io-43336", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41212", + "id": "pyup.io-43337", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41207", + "id": "pyup.io-43339", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41202", + "id": "pyup.io-43340", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": 
"CVE-2021-41201", + "id": "pyup.io-43341", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41197", + "id": "pyup.io-43342", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41195", + "id": "pyup.io-43343", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", + "cve": "CVE-2021-41215", + "id": "pyup.io-43333", + "specs": [ + "<0.17.4rc0" + ], + "v": "<0.17.4rc0" + }, + { + "advisory": "Determined 0.17.5 updates its dependency 'swagger-ui' to v4.1.0 to include a fix for a XSS vulnerability.\r\nhttps://github.com/determined-ai/determined/pull/3234", + "cve": "PVE-2021-43348", + "id": "pyup.io-43348", + "specs": [ + "<0.17.5" + ], + "v": "<0.17.5" + }, + { + "advisory": "Determined 0.17.6 updates env images for security reasons.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", + "cve": "PVE-2022-44642", + "id": "pyup.io-44642", + "specs": [ + "<0.17.6" + ], + "v": "<0.17.6" + } + ], + "devito": [ + { + "advisory": "Devito version 4.3-beta includes a fix to handle ARM processors vulnerabilities.\r\nhttps://github.com/devitocodes/devito/pull/1515", + "cve": "PVE-2021-42102", + "id": "pyup.io-42102", + "specs": [ + "<4.3-beta" + ], + "v": "<4.3-beta" + } + ], + "devpi-ldap": [ + { + "advisory": "Devpi-ldap version 2.0.0 includes a security patch for the function 'init' in 'devpi_ldap/main.py'. Use of unsafe yaml load allows instantiation of arbitrary objects. 
Consider yaml.safe_load()\r\n https://github.com/devpi/devpi-ldap/commit/8da2b3c1ed44e8223ce006a3737dc6a8446e945d#diff-ecbfd22333fa5942c9fe7a999189222d1ca71d72a1a89d7a1f55d559671eb200", + "cve": "CVE-2020-1747", + "id": "pyup.io-41316", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], + "diffpriv": [ + { + "advisory": "Diffpriv 1.0.0rc1 includes a security fix: with the 'diff' and 'enc' modules, parameters were stored in Python memory, and never removed. This commit deletes these parameters and helps prevent attackers from gaining access to these parameters, which can help them gain access to the original text and/or data.", + "cve": "PVE-2021-40539", + "id": "pyup.io-40539", + "specs": [ + "<1.0.0rc1" + ], + "v": "<1.0.0rc1" + } + ], + "diffsync": [ + { + "advisory": "Diffsync 1.4.0 updates its dependency 'pydantic' minimum version to v1.7.4 to include a security fix.", + "cve": "CVE-2021-29510", + "id": "pyup.io-44673", + "specs": [ + "<1.4.0" + ], + "v": "<1.4.0" + } + ], + "digitalmarketplace-utils": [ + { + "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.\r\nhttps://github.com/Crown-Commercial-Service/digitalmarketplace-utils/pull/286", + "cve": "PVE-2021-39653", + "id": "pyup.io-39653", + "specs": [ + "<22.0.0" + ], + "v": "<22.0.0" + } + ], + "dirac": [ + { + "advisory": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. 
The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cve": "CVE-2021-23841", + "id": "pyup.io-42328", + "specs": [ + "<2.1" + ], + "v": "<2.1" + }, + { + "advisory": "Dirac 8.0.0a13 fixes an arbitrary code execution vulnerability in JEncode.\r\nhttps://github.com/DIRACGrid/DIRAC/pull/5810", + "cve": "PVE-2022-44691", + "id": "pyup.io-44691", + "specs": [ + "<8.0.0a13" + ], + "v": "<8.0.0a13" + } + ], + "directory-client-core": [ + { + "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.", + "cve": "PVE-2021-38689", + "id": "pyup.io-38689", + "specs": [ + "<5.1.1" + ], + "v": "<5.1.1" + } + ], + "directory-components": [ + { + "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.", + "cve": "PVE-2021-37298", + "id": "pyup.io-37298", + "specs": [ + "<25.0.1" + ], + "v": "<25.0.1" + }, + { + "advisory": "The `django_language` and `country` cookies in directory-components 33.0.0 set as secure and http-only.", + "cve": "PVE-2021-37475", + "id": "pyup.io-37475", + "specs": [ + "<33.0.0" + ], + "v": "<33.0.0" + } + ], + "dirsearch": [ + { + "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. 
See also: .", + "cve": "PVE-2021-40799", + "id": "pyup.io-40799", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], + "discogs-client": [ + { + "advisory": "Discogs-client 2.2.2 updates dependency 'PyYAML' to v4.2b1 to resolve security vulnerabilities.", + "cve": "CVE-2017-18342", + "id": "pyup.io-42495", + "specs": [ + "<2.2.2" + ], + "v": "<2.2.2" + }, + { + "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36787", + "specs": [ + "<2.2.2" + ], + "v": "<2.2.2" + }, + { + "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.", + "cve": "CVE-2014-1829", + "id": "pyup.io-42494", + "specs": [ + "<2.2.2" + ], + "v": "<2.2.2" + } + ], + "discord-ext-slash": [ + { + "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found.)", + "cve": "PVE-2021-39641", + "id": "pyup.io-39641", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + } + ], + "discordpie": [ + { + "advisory": "Discordpie 0.5.1 includes a security patch. 
No details are given.", + "cve": "PVE-2021-38343", + "id": "pyup.io-38343", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + } + ], + "dispatch": [ + { + "advisory": "Dispatch 1.3.16 updates its dependency 'Django' to v3.1.8 to include security fixes.", + "cve": "CVE-2021-23336", + "id": "pyup.io-40402", + "specs": [ + "<1.3.16" + ], + "v": "<1.3.16" + }, + { + "advisory": "Dispatch 1.3.16 updates its dependency 'Django' to v3.1.8 to include security fixes.", + "cve": "CVE-2021-28658", + "id": "pyup.io-43729", + "specs": [ + "<1.3.16" + ], + "v": "<1.3.16" + } + ], + "divina": [ + { + "advisory": "Divina 0.1 adds a security group with ssh access enabled on partitioning EC2.", + "cve": "PVE-2021-41294", + "id": "pyup.io-41294", + "specs": [ + "<0.1" + ], + "v": "<0.1" + }, + { + "advisory": "Divina 2021.8.1 adds a security group with ssh access enabled for the EC2 partitioning.", + "cve": "PVE-2021-41237", + "id": "pyup.io-41237", + "specs": [ + "<2021.8.1" + ], + "v": "<2021.8.1" + } + ], + "diycrate": [ + { + "advisory": "Diycrate version 0.2.11.0 includes a security patch for the function 'oauth_dance' in 'diycrate/oauth_utils.py'. 
It contained requests calls with verify=False, disabling SSL certificate checks.\r\nhttps://github.com/jheld/diycrate/commit/40e51a586f16da215a3ff8096cfa64e23b0fa5cb#diff-7772b99d74abcfaa2bf013c9a4647b2b42cec23f84a79a5d4de0ef6973720971", + "cve": "PVE-2021-41317", + "id": "pyup.io-41317", + "specs": [ + "<0.2.11.0" + ], + "v": "<0.2.11.0" + } + ], + "djangae": [ + { + "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).", + "cve": "PVE-2021-25693", + "id": "pyup.io-25693", + "specs": [ + "<0.9.4" + ], + "v": "<0.9.4" + } + ], + "django": [ + { + "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.", + "cve": "CVE-2009-2659", + "id": "pyup.io-25694", + "specs": [ + "<1.0" + ], + "v": "<1.0" + }, + { + "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.", + "cve": "CVE-2009-3695", + "id": "pyup.io-25695", + "specs": [ + "<1.0.4", + ">=1.1,<1.1.1" + ], + "v": "<1.0.4,>=1.1,<1.1.1" + }, + { + "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", + "cve": "CVE-2010-4535", + "id": "pyup.io-33059", + "specs": [ + "<1.1.3", + ">=1.2,<1.2.4" + ], + "v": "<1.1.3,>=1.2,<1.2.4" + }, + { + "advisory": "The administrative interface in 
django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", + "cve": "CVE-2010-4534", + "id": "pyup.io-33058", + "specs": [ + "<1.1.3", + ">=1.2,<1.2.4" + ], + "v": "<1.1.3,>=1.2,<1.2.4" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.", + "cve": "CVE-2011-0697", + "id": "pyup.io-33061", + "specs": [ + "<1.1.4" + ], + "v": "<1.1.4" + }, + { + "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.", + "cve": "CVE-2011-0696", + "id": "pyup.io-33060", + "specs": [ + "<1.1.4", + ">=1.2,<1.2.5" + ], + "v": "<1.1.4,>=1.2,<1.2.5" + }, + { + "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.", + "cve": "CVE-2011-0698", + "id": "pyup.io-33062", + "specs": [ + "<1.1.4", + ">=1.2,<1.2.5" + ], + "v": "<1.1.4,>=1.2,<1.2.5" + }, + { + "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", + "cve": "CVE-2019-6975", + "id": "pyup.io-36885", + "specs": [ + "<1.11.19,>=1.11.0" + ], + 
"v": "<1.11.19,>=1.11.0" + }, + { + "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", + "cve": "CVE-2019-12781", + "id": "pyup.io-37261", + "specs": [ + "<1.11.22,>1.11", + "<2.1.10,>2.1", + "<2.2.3,>2.2" + ], + "v": "<1.11.22,>1.11,<2.1.10,>2.1,<2.2.3,>2.2" + }, + { + "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.", + "cve": "PVE-2021-37259", + "id": "pyup.io-37259", + "specs": [ + "<1.11.22,>1.11.21" + ], + "v": "<1.11.22,>1.11.21" + }, + { + "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) 
See CVE-2019-19844.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37771", + "specs": [ + "<1.11.27", + ">=2.0a1,<2.2.9", + ">=3.0a1,<3.0.1" + ], + "v": "<1.11.27,>=2.0a1,<2.2.9,>=3.0a1,<3.0.1" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", + "cve": "CVE-2010-3082", + "id": "pyup.io-25701", + "specs": [ + "<1.2.2" + ], + "v": "<1.2.2" + }, + { + "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", + "cve": "CVE-2011-4138", + "id": "pyup.io-33065", + "specs": [ + "<1.2.7", + ">=1.3,<1.3.1" + ], + "v": "<1.2.7,>=1.3,<1.3.1" + }, + { + "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", + "cve": "CVE-2011-4140", + "id": "pyup.io-33066", + "specs": [ + "<1.2.7", + ">=1.3,<1.3.1" + ], + "v": "<1.2.7,>=1.3,<1.3.1" + }, + { + "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", + "cve": "CVE-2011-4136", + "id": "pyup.io-33063", + "specs": [ + "<1.2.7", + ">=1.3,<1.3.1" + ], + "v": "<1.2.7,>=1.3,<1.3.1" + }, + { + 
"advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", + "cve": "CVE-2011-4137", + "id": "pyup.io-33064", + "specs": [ + "<1.2.7", + ">=1.3,<1.3.1" + ], + "v": "<1.2.7,>=1.3,<1.3.1" + }, + { + "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.", + "cve": "CVE-2012-3442", + "id": "pyup.io-33067", + "specs": [ + "<1.3.2", + ">=1.4,<1.4.1" + ], + "v": "<1.3.2,>=1.4,<1.4.1" + }, + { + "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.", + "cve": "CVE-2012-3443", + "id": "pyup.io-33068", + "specs": [ + "<1.3.2", + ">=1.4,<1.4.1" + ], + "v": "<1.3.2,>=1.4,<1.4.1" + }, + { + "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.", + "cve": "CVE-2012-3444", + "id": "pyup.io-33069", + "specs": [ + "<1.3.2", + ">=1.4,<1.4.1" + ], + "v": "<1.3.2,>=1.4,<1.4.1" + }, + { + "advisory": "The django.http.HttpRequest.get_host function in Django 
1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.", + "cve": "CVE-2012-4520", + "id": "pyup.io-25709", + "specs": [ + "<1.3.4", + ">=1.4,<1.4.2" + ], + "v": "<1.3.4,>=1.4,<1.4.2" + }, + { + "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.", + "cve": "CVE-2014-0483", + "id": "pyup.io-35516", + "specs": [ + "<1.4.14", + ">=1.5,<1.5.9", + ">=1.6,<1.6.6", + ">=1.7,<1.7rc3" + ], + "v": "<1.4.14,>=1.5,<1.5.9,>=1.6,<1.6.6,>=1.7,<1.7rc3" + }, + { + "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.", + "cve": "CVE-2015-0220", + "id": "pyup.io-33071", + "specs": [ + "<1.4.18", + ">=1.6,<1.6.10", + ">=1.7,<1.7.3" + ], + "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3" + }, + { + "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.", + "cve": "CVE-2015-0221", + "id": "pyup.io-33072", + "specs": [ + "<1.4.18", + ">=1.6,<1.6.10", + ">=1.7,<1.7.3" + ], + "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3" + }, + { + "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote 
attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.", + "cve": "CVE-2015-0219", + "id": "pyup.io-33070", + "specs": [ + "<1.4.18", + ">=1.7,<1.7.3", + ">=1.6,<1.6.10" + ], + "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10" + }, + { + "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", + "cve": "CVE-2016-2512", + "id": "pyup.io-33073", + "specs": [ + "<1.8.10", + ">=1.9,<1.9.3" + ], + "v": "<1.8.10,>=1.9,<1.9.3" + }, + { + "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", + "cve": "CVE-2016-2513", + "id": "pyup.io-33074", + "specs": [ + "<1.8.10", + ">=1.9,<1.9.3" + ], + "v": "<1.8.10,>=1.9,<1.9.3" + }, + { + "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", + "cve": "CVE-2018-16984", + "id": "pyup.io-36522", + "specs": [ + "<2.1.2,>=2.1" + ], + "v": "<2.1.2,>=2.1" + }, + { + "advisory": "django before 2.1.2 fixes a security bug in 2.1.x. \r\nIf an admin user has the change permission to the user model, only part of the\r\npassword hash is displayed in the change form. 
Admin users with the view (but\r\nnot change) permission to the user model were displayed the entire hash.", + "cve": "CVE-2018-16984", + "id": "pyup.io-36517", + "specs": [ + "<2.1.2,>=2.1.0" + ], + "v": "<2.1.2,>=2.1.0" + }, + { + "advisory": "Django 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", + "cve": "CVE-2019-6975", + "id": "pyup.io-36883", + "specs": [ + "<2.1.6,>=2.1.0" + ], + "v": "<2.1.6,>=2.1.0" + }, + { + "advisory": "Django versions 2.2.24, 3.1.12, and 3.2.4 include a fix for CVE-2021-33203: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. 
See CVE-2021-33203.\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases/\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce", + "cve": "CVE-2021-33203", + "id": "pyup.io-40637", + "specs": [ + "<2.2.24", + ">=3.0a1,<3.1.12", + ">=3.2a1,<3.2.4" + ], + "v": "<2.2.24,>=3.0a1,<3.1.12,>=3.2a1,<3.2.4" + }, + { + "advisory": "Django versions 2.2.25, 3.1.14 and 3.2.10 include a fix for CVE-2021-44420: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.\r\nhttps://www.djangoproject.com/weblog/2021/dec/07/security-releases/", + "cve": "CVE-2021-44420", + "id": "pyup.io-43041", + "specs": [ + "<2.2.25", + ">=3.2a1,<3.2.10", + ">=3.1a1,<3.1.14" + ], + "v": "<2.2.25,>=3.2a1,<3.2.10,>=3.1a1,<3.1.14" + }, + { + "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/", + "cve": "CVE-2021-45116", + "id": "pyup.io-44427", + "specs": [ + "<2.2.26", + ">=3.0a1,<3.2.11", + ">=4.0a1,<4.0.1" + ], + "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1" + }, + { + "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. 
In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/", + "cve": "CVE-2021-45115", + "id": "pyup.io-44423", + "specs": [ + "<2.2.26", + ">=3.0a1,<3.2.11", + ">=4.0a1,<4.0.1" + ], + "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1" + }, + { + "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/", + "cve": "CVE-2021-45452", + "id": "pyup.io-44426", + "specs": [ + "<2.2.26", + ">=3.0a1,<3.2.11", + ">=4.0a1,<4.0.1" + ], + "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1" + }, + { + "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash. 
See: CVE-2018-14574.", + "cve": "CVE-2018-14574", + "id": "pyup.io-36359", + "specs": [ + "==1.11.14" + ], + "v": "==1.11.14" + }, + { + "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).", + "cve": "CVE-2019-12308", + "id": "pyup.io-37186", + "specs": [ + "==1.11.20" + ], + "v": "==1.11.20" + }, + { + "advisory": "Django 1.11.23 fixes CVE-2019-14233 in 1.11.22.", + "cve": "CVE-2019-14233", + "id": "pyup.io-39601", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.23 fixes CVE-2019-14235 in 1.11.22.", + "cve": "CVE-2019-14235", + "id": "pyup.io-39599", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.23 fixes CVE-2019-14234 in 1.11.22.", + "cve": "CVE-2019-14234", + "id": "pyup.io-39600", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.", + "cve": "CVE-2019-14232", + "id": "pyup.io-37326", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37663", + "specs": [ + "==1.11.26" + ], + "v": "==1.11.26" + }, + { + "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37817", + "specs": [ + "==1.11.27" + ], + "v": "==1.11.27" + }, + { + "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash. 
See: CVE-2018-14574.", + "cve": "CVE-2018-14574", + "id": "pyup.io-36358", + "specs": [ + "==2.0.7" + ], + "v": "==2.0.7" + }, + { + "advisory": "Django 2.1.11 fixes a security issue in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", + "cve": "CVE-2019-14232", + "id": "pyup.io-37325", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", + "cve": "CVE-2019-14233", + "id": "pyup.io-39598", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", + "cve": "CVE-2019-14235", + "id": "pyup.io-39596", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", + "cve": "CVE-2019-14234", + "id": "pyup.io-39597", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.", + "cve": "CVE-2019-19118", + "id": "pyup.io-37657", + "specs": [ + "==2.1.14" + ], + "v": "==2.1.14" + }, + { + "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS).", + "cve": "CVE-2019-12308", + "id": "pyup.io-37185", + "specs": [ + "==2.1.8" + ], + "v": "==2.1.8" + }, + { + "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS).", + "cve": "CVE-2019-12308", + "id": "pyup.io-37184", + "specs": [ + "==2.2.1" + ], + "v": "==2.2.1" + }, + { + "advisory": "Django 2.2.18 fixes a security issue with severity \"low\" in 2.2.17 (CVE-2021-3281).", + "cve": "CVE-2021-3281", + "id": "pyup.io-39523", + "specs": [ + 
"==2.2.17" + ], + "v": "==2.2.17" + }, + { + "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.", + "cve": "CVE-2019-12781", + "id": "pyup.io-37324", + "specs": [ + "==2.2.2" + ], + "v": "==2.2.2" + }, + { + "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33571).", + "cve": "PVE-2021-40597", + "id": "pyup.io-40597", + "specs": [ + "==2.2.23" + ], + "v": "==2.2.23" + }, + { + "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33203).", + "cve": "PVE-2021-40586", + "id": "pyup.io-40586", + "specs": [ + "==2.2.23" + ], + "v": "==2.2.23" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", + "cve": "CVE-2019-14233", + "id": "pyup.io-39593", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", + "cve": "CVE-2019-14234", + "id": "pyup.io-39592", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", + "cve": "CVE-2019-14235", + "id": "pyup.io-39591", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.4 fixes a security issue in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", + "cve": "CVE-2019-14232", + "id": "pyup.io-37323", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.8 fixes CVE-2019-19118 in 2.2.7: Privilege escalation in the Django admin.", + "cve": "CVE-2019-19118", + "id": "pyup.io-37656", + "specs": [ + "==2.2.7" + ], + "v": "==2.2.7" + }, + { + "advisory": "Django 2.2.9 fixes CVE-2019-19844 in 2.2.8: potential account hijack via 
password reset form.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37662", + "specs": [ + "==2.2.8" + ], + "v": "==2.2.8" + }, + { + "advisory": "Django 2.2.10 fixes a security issue in 2.2.9. Potential SQL injection via `StringAgg(delimiter)`. See CVE-2020-7471.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37816", + "specs": [ + "==2.2.9" + ], + "v": "==2.2.9" + }, + { + "advisory": "Django 3.0.1 fixes CVE-2019-19844 in 3.0: potential account hijack via password reset form.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37661", + "specs": [ + "==3.0" + ], + "v": "==3.0" + }, + { + "advisory": "Django 3.0.12 fixes a security issue with severity \"low\" in 3.0.11 (CVE-2021-3281).", + "cve": "CVE-2021-3281", + "id": "pyup.io-39522", + "specs": [ + "==3.0.11" + ], + "v": "==3.0.11" + }, + { + "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37815", + "specs": [ + "==3.0.2" + ], + "v": "==3.0.2" + }, + { + "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33571).", + "cve": "PVE-2021-40598", + "id": "pyup.io-40598", + "specs": [ + "==3.1.11" + ], + "v": "==3.1.11" + }, + { + "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33203).", + "cve": "PVE-2021-40585", + "id": "pyup.io-40585", + "specs": [ + "==3.1.11" + ], + "v": "==3.1.11" + }, + { + "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).", + "cve": "CVE-2021-3281", + "id": "pyup.io-39521", + "specs": [ + "==3.1.5" + ], + "v": "==3.1.5" + }, + { + "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-33203).", + "cve": "PVE-2021-40584", + "id": "pyup.io-40584", + "specs": [ + "==3.2.3" + ], + "v": "==3.2.3" + }, + { + "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-3357).", + "cve": "PVE-2021-40599", 
+ "id": "pyup.io-40599", + "specs": [ + "==3.2.3" + ], + "v": "==3.2.3" + }, + { + "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", + "cve": "PVE-2021-25722", + "id": "pyup.io-25722", + "specs": [ + ">=1.10,<1.10.3" + ], + "v": ">=1.10,<1.10.3" + }, + { + "advisory": "Django version 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7233: Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely 'django.utils.http.is_safe_url()') considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. 
Also, if a developer relies on 'is_safe_url()' to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/", + "cve": "CVE-2017-7233", + "id": "pyup.io-33300", + "specs": [ + ">=1.10,<1.10.7", + ">=1.9.0,<1.9.13", + ">=1.8.0,<1.8.18" + ], + "v": ">=1.10,<1.10.7,>=1.9.0,<1.9.13,>=1.8.0,<1.8.18" + }, + { + "advisory": "Django 1.10.8 fixes a security issue in 1.10.7. In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with 'DEBUG = True' (which makes this page accessible) in your production settings. See also: CVE-2017-12794, described as \"Possible XSS in traceback section of technical 500 debug page\".", + "cve": "CVE-2017-12794", + "id": "pyup.io-34918", + "specs": [ + ">=1.10.7,<1.10.8" + ], + "v": ">=1.10.7,<1.10.8" + }, + { + "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). 
By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37970", + "specs": [ + ">=1.11,<1.11.28", + ">=2.2,<2.2.10", + ">=3.0,<3.0.3" + ], + "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3" + }, + { + "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.", + "cve": "CVE-2017-12794", + "id": "pyup.io-34917", + "specs": [ + ">=1.11,<1.11.5" + ], + "v": ">=1.11,<1.11.5" + }, + { + "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", + "cve": "CVE-2019-12308", + "id": "pyup.io-37191", + "specs": [ + ">=1.11.0,<1.11.21", + ">=2.1,<2.1.9", + ">=2.2,<2.2.2" + ], + "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. 
If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", + "cve": "CVE-2019-14232", + "id": "pyup.io-37329", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", + "cve": "CVE-2019-14234", + "id": "pyup.io-37357", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", + "cve": "CVE-2019-14233", + "id": "pyup.io-37330", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. 
If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", + "cve": "CVE-2019-14235", + "id": "pyup.io-37331", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injections if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. See: CVE-2020-9402.", + "cve": "CVE-2020-9402", + "id": "pyup.io-38010", + "specs": [ + ">=1.11.0,<1.11.29", + ">=2.2.0,<2.2.11", + ">=3.0.0,<3.0.4" + ], + "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4" + }, + { + "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). 
This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.", + "cve": "CVE-2018-6188", + "id": "pyup.io-35174", + "specs": [ + ">=1.11.8,<1.11.10" + ], + "v": ">=1.11.8,<1.11.10" + }, + { + "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. A remote user can redirect the target user's browser to an arbitrary site.", + "cve": "CVE-2018-14574", + "id": "pyup.io-36368", + "specs": [ + ">=1.11a1,<1.11.15", + ">=2.0a1,<2.0.8" + ], + "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8" + }, + { + "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. 
See: CVE-2019-3498.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36771", + "specs": [ + ">=1.11a1,<1.11.18" + ], + "v": ">=1.11a1,<1.11.18" + }, + { + "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.", + "cve": "CVE-2013-0305", + "id": "pyup.io-33111", + "specs": [ + ">=1.3,<1.3.6", + ">=1.4,<1.4.4", + ">=1.5,<1.5.1" + ], + "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1" + }, + { + "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.", + "cve": "CVE-2013-0306", + "id": "pyup.io-33112", + "specs": [ + ">=1.3,<1.3.6", + ">=1.4,<1.4.4", + ">=1.5,<1.5.1" + ], + "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1" + }, + { + "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.", + "cve": "CVE-2015-5964", + "id": "pyup.io-25728", + "specs": [ + ">=1.4,<1.4.22", + ">=1.7,<1.7.10" + ], + "v": ">=1.4,<1.4.22,>=1.7,<1.7.10" + }, + { + "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", + "cve": 
"CVE-2015-5963", + "id": "pyup.io-25727", + "specs": [ + ">=1.4,<1.4.22", + ">=1.7,<1.7.10", + ">=1.8,<1.8.4" + ], + "v": ">=1.4,<1.4.22,>=1.7,<1.7.10,>=1.8,<1.8.4" + }, + { + "advisory": "The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by \"the login view in django.contrib.auth.views\" and the javascript: scheme.", + "cve": "CVE-2013-6044", + "id": "pyup.io-42237", + "specs": [ + ">=1.4,<1.4.6", + ">=1.5,<1.5.2", + ">1.6,<1.6b2" + ], + "v": ">=1.4,<1.4.6,>=1.5,<1.5.2,>1.6,<1.6b2" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField. 
See: CVE-2013-4249.", + "cve": "CVE-2013-4249", + "id": "pyup.io-35456", + "specs": [ + ">=1.5,<1.5.2", + ">=1.6,<1.6b2" + ], + "v": ">=1.5,<1.5.2,>=1.6,<1.6b2" + }, + { + "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.", + "cve": "CVE-2013-1443", + "id": "pyup.io-25729", + "specs": [ + ">=1.6,<1.6-beta-4", + ">=1.4,<1.4.8", + ">=1.5,<1.5.4" + ], + "v": ">=1.6,<1.6-beta-4,>=1.4,<1.4.8,>=1.5,<1.5.4" + }, + { + "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.", + "cve": "CVE-2015-0222", + "id": "pyup.io-25730", + "specs": [ + ">=1.7,<1.7.3", + ">=1.6,<1.6.10" + ], + "v": ">=1.7,<1.7.3,>=1.6,<1.6.10" + }, + { + "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.", + "cve": "CVE-2015-2316", + "id": "pyup.io-25731", + "specs": [ + ">=1.7,<1.7.7", + ">=1.6,<1.6.11", + ">=1.8a1,<1.8c1" + ], + "v": ">=1.7,<1.7.7,>=1.6,<1.6.11,>=1.8a1,<1.8c1" + }, + { + "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.", + "cve": "CVE-2015-5143", + "id": "pyup.io-25725", + "specs": [ + ">=1.7,<1.7.9", + ">=1.5,<1.7", + ">=1.4,<1.4.21" + ], + "v": ">=1.7,<1.7.9,>=1.5,<1.7,>=1.4,<1.4.21" + }, + { + "advisory": "Django before 1.8.x before 1.8.16, 1.9.x before 
1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", + "cve": "CVE-2016-9014", "id": "pyup.io-33075", "specs": [ - ">=1.8,<1.8.16", - ">=1.9,<1.9.11", - ">=1.10,<1.10.3" + ">=1.8,<1.8.16", + ">=1.9,<1.9.11", + ">=1.10,<1.10.3" + ], + "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3" + }, + { + "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.", + "cve": "CVE-2016-9013", + "id": "pyup.io-33076", + "specs": [ + ">=1.8,<1.8.16", + ">=1.9,<1.9.11", + ">=1.10,<1.10.3" + ], + "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3" + }, + { + "advisory": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", + "cve": "CVE-2015-3982", + "id": "pyup.io-25732", + "specs": [ + ">=1.8,<1.8.2" + ], + "v": ">=1.8,<1.8.2" + }, + { + "advisory": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", + "cve": "CVE-2015-5145", + "id": "pyup.io-25733", + "specs": [ + ">=1.8,<1.8.3" + ], + "v": ">=1.8,<1.8.3" + }, + { + "advisory": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified 
vectors to the (3) validate_ipv4_address or (4) validate_slug validator.", + "cve": "CVE-2015-5144", + "id": "pyup.io-25726", + "specs": [ + ">=1.8,<1.8.3", + ">=1.7,<1.7.9", + ">=1.5,<1.6", + ">=1.4,<1.4.21" + ], + "v": ">=1.8,<1.8.3,>=1.7,<1.7.9,>=1.5,<1.6,>=1.4,<1.4.21" + }, + { + "advisory": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.", + "cve": "CVE-2015-8213", + "id": "pyup.io-25714", + "specs": [ + ">=1.8,<1.8.7", + "<1.7.11", + ">=1.9,<1.9rc2" + ], + "v": ">=1.8,<1.8.7,<1.7.11,>=1.9,<1.9rc2" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.", + "cve": "CVE-2015-2241", + "id": "pyup.io-25715", + "specs": [ + ">=1.8,<1.8b2", + "<1.7.6" + ], + "v": ">=1.8,<1.8b2,<1.7.6" + }, + { + "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.", + "cve": "CVE-2015-2317", + "id": "pyup.io-25713", + "specs": [ + ">=1.8,<1.8c1", + "<1.4.20", + ">=1.5,<1.6", + ">=1.6,<1.6.11", + ">=1.7,<1.7.7" + ], + "v": ">=1.8,<1.8c1,<1.4.20,>=1.5,<1.6,>=1.6,<1.6.11,>=1.7,<1.7.7" + }, + { + "advisory": "Django versions 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7234: A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the 'django.views.static.serve()' view could 
redirect to any other domain, aka an open redirect vulnerability.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/\r\nhttp://www.debian.org/security/2017/dsa-3835\r\nhttp://www.securityfocus.com/bid/97401\r\nhttp://www.securitytracker.com/id/1038177", + "cve": "CVE-2017-7234", + "id": "pyup.io-35740", + "specs": [ + ">=1.8.0a1,<1.8.18", + ">=1.9.0a1,<1.9.13", + ">=1.10.0a1,<1.10.7" + ], + "v": ">=1.8.0a1,<1.8.18,>=1.9.0a1,<1.9.13,>=1.10.0a1,<1.10.7" + }, + { + "advisory": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", + "cve": "CVE-2016-7401", + "id": "pyup.io-25718", + "specs": [ + ">=1.9,<1.9.10", + "<1.8.15" + ], + "v": ">=1.9,<1.9.10,<1.8.15" + }, + { + "advisory": "Django 1.9.11 fixes two security issues in 1.9.10.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. 
This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", + "cve": "PVE-2021-25734", + "id": "pyup.io-25734", + "specs": [ + ">=1.9,<1.9.11" + ], + "v": ">=1.9,<1.9.11" + }, + { + "advisory": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission.", + "cve": "CVE-2016-2048", + "id": "pyup.io-25735", + "specs": [ + ">=1.9,<1.9.2" + ], + "v": ">=1.9,<1.9.2" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.", + "cve": "CVE-2016-6186", + "id": "pyup.io-25721", + "specs": [ + ">=1.9,<1.9.8", + "==1.8.14", + ">=1.10,<1.10rc1" + ], + "v": ">=1.9,<1.9.8,==1.8.14,>=1.10,<1.10rc1" + }, + { + "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. 
See: CVE-2019-3498.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36770", + "specs": [ + ">=2.0a1,<2.0.10" + ], + "v": ">=2.0a1,<2.0.10" + }, + { + "advisory": "Django 2.0.x before 2.0.11 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", + "cve": "CVE-2019-6975", + "id": "pyup.io-36884", + "specs": [ + ">=2.0a1,<2.0.11" + ], + "v": ">=2.0a1,<2.0.11" + }, + { + "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.", + "cve": "CVE-2018-6188", + "id": "pyup.io-35173", + "specs": [ + ">=2.0a1,<2.0.2", + "==1.11.8", + "==1.11.9" + ], + "v": ">=2.0a1,<2.0.2,==1.11.8,==1.11.9" + }, + { + "advisory": "If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were\r\npassed the ``html=True`` argument, they were extremely slow to evaluate certain\r\ninputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. 
The ``chars()`` and ``words()`` methods are used to implement the\r\n``truncatechars_html`` and ``truncatewords_html`` template filters, which were\r\nthus vulnerable.", + "cve": "CVE-2018-7537", + "id": "pyup.io-35796", + "specs": [ + ">=2.0a1,<2.0.3", + ">=1.8a1 ,<1.8.19", + ">=1.11a1,<1.11.11" + ], + "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11" + }, + { + "advisory": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. See: CVE-2018-7536.", + "cve": "CVE-2018-7536", + "id": "pyup.io-35797", + "specs": [ + ">=2.0a1,<2.0.3", + ">=1.8a1 ,<1.8.19", + ">=1.11a1,<1.11.11" + ], + "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11" + }, + { + "advisory": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) 
See: CVE-2019-19118.", + "cve": "CVE-2019-19118", + "id": "pyup.io-37766", + "specs": [ + ">=2.1,<2.1.15", + ">=2.2,<2.2.8" + ], + "v": ">=2.1,<2.1.15,>=2.2,<2.2.8" + }, + { + "advisory": "Django versions 2.1.9 and 2.2.2 apply a patch to fix a vulnerability in its dependency 'jQuery'.\r\nhttps://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad", + "cve": "CVE-2019-11358", + "id": "pyup.io-39594", + "specs": [ + ">=2.1a0,<2.1.9", + ">=2.2a0,<2.2.2" + ], + "v": ">=2.1a0,<2.1.9,>=2.2a0,<2.2.2" + }, + { + "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36769", + "specs": [ + ">=2.1a1,<2.1.5" + ], + "v": ">=2.1a1,<2.1.5" + }, + { + "advisory": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments. 
See CVE-2021-3281.", + "cve": "CVE-2021-3281", + "id": "pyup.io-39526", + "specs": [ + ">=2.2,<2.2.18", + ">=3.1,<3.1.6", + ">=3.0,<3.0.12" + ], + "v": ">=2.2,<2.2.18,>=3.1,<3.1.6,>=3.0,<3.0.12" + }, + { + "advisory": "Django versions 3.2.1, 3.1.9 and 2.2.21 include a fix for CVE-2021-31542: In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.\r\nhttps://www.djangoproject.com/weblog/2021/may/04/security-releases/", + "cve": "CVE-2021-31542", + "id": "pyup.io-40404", + "specs": [ + ">=2.2,<2.2.21", + ">=3.1a1,<3.1.9", + ">=3.2,<3.2.1" + ], + "v": ">=2.2,<2.2.21,>=3.1a1,<3.1.9,>=3.2,<3.2.1" + }, + { + "advisory": "Django 2.2.24, 3.1.12, and 3.2.4 includes a fix for CVE-2021-33571: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+).\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases/", + "cve": "CVE-2021-33571", + "id": "pyup.io-40638", + "specs": [ + ">=2.2.0a1,<2.2.24", + ">=3.0.0a1,<3.1.12", + ">=3.2.0a1,<3.2.4" + ], + "v": ">=2.2.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4" + }, + { + "advisory": "Django 2.2.19, 3.0.13 and 3.1.7 include a fix for CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'.", + "cve": "CVE-2021-23336", + "id": "pyup.io-39646", + "specs": [ + ">=2.2a1,<2.2.19", + ">=3.0a1,<3.0.13", + ">=3.1a1,<3.1.7" + ], + "v": ">=2.2a1,<2.2.19,>=3.0a1,<3.0.13,>=3.1a1,<3.1.7" + }, + { + "advisory": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. 
Built-in upload handlers were not affected by this vulnerability.", + "cve": "CVE-2021-28658", + "id": "pyup.io-40163", + "specs": [ + ">=2.2a1,<2.2.20", + ">=3.0a1,<3.0.14", + ">=3.1a1,<3.1.8" + ], + "v": ">=2.2a1,<2.2.20,>=3.0a1,<3.0.14,>=3.1a1,<3.1.8" + }, + { + "advisory": "CVE-2020-13254: Potential data leakage via malformed memcached keys. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", + "cve": "CVE-2020-13254", + "id": "pyup.io-38373", + "specs": [ + ">=3.0a1,<3.0.7", + ">=2.2a1,<2.2.13" + ], + "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" + }, + { + "advisory": "CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. 
ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", + "cve": "CVE-2020-13596", + "id": "pyup.io-38372", + "specs": [ + ">=3.0a1,<3.0.7", + ">=2.2a1,<2.2.13" + ], + "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" + }, + { + "advisory": "Django versions 3.1.13 and 3.2.5 include a fix for CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.\r\nhttps://www.djangoproject.com/weblog/2021/jul/01/security-releases/\r\nhttps://www.openwall.com/lists/oss-security/2021/07/02/2\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce", + "cve": "CVE-2021-35042", + "id": "pyup.io-40899", + "specs": [ + ">=3.1,<3.1.13", + ">=3.2,<3.2.5" + ], + "v": ">=3.1,<3.1.13,>=3.2,<3.2.5" + }, + { + "advisory": "Django versions 3.2.2, 3.1.10 and 2.2.22 include a fix for CVE-2021-32052: In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.\r\nhttps://www.djangoproject.com/weblog/2021/may/06/security-releases", + "cve": "CVE-2021-32052", + "id": "pyup.io-40414", + "specs": [ + ">=3.1a1,<3.1.10", + ">=2.2a1,<2.2.22", + ">=3.2a1,<3.2.2" + ], + "v": ">=3.1a1,<3.1.10,>=2.2a1,<2.2.22,>=3.2a1,<3.2.2" + } + ], + "django-access-tokens": [ + { + "advisory": "django-access-tokens 0.9.2 fixes scoping of permissions where the token provides a smaller subset of the required permissions. 
As an extreme case, an access token granting no permissions could be used to access any permissions on the site.", + "cve": "PVE-2021-25736", + "id": "pyup.io-25736", + "specs": [ + "<0.9.2" + ], + "v": "<0.9.2" + } + ], + "django-access-tokens-py3": [ + { + "advisory": "Fixing scoping of permissions where the token provides a\r\nsmaller subset of the required permissions. As an extreme case, an access token\r\ngranting no permissions could be used to access any permissions on the site.", + "cve": "PVE-2021-34892", + "id": "pyup.io-34892", + "specs": [ + "<0.9.2" + ], + "v": "<0.9.2" + } + ], + "django-afip": [ + { + "advisory": "Django-afip 7.1.1 overrides the TLS configuration for AFIP's servers (and only those). They have worsened their security configuration, and it's now seen as insecure by default on many environments.", + "cve": "PVE-2021-38705", + "id": "pyup.io-38705", + "specs": [ + "<7.1.1" + ], + "v": "<7.1.1" + } + ], + "django-airplane": [ + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2021-33203", + "id": "pyup.io-43713", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2021-33571", + "id": "pyup.io-43714", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior includes a vulnerable version of 'Django' (3.1.7).", + "cve": "CVE-2021-32052", + "id": "pyup.io-43715", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior includes a vulnerable version of 'Django' (3.1.7).", + "cve": "CVE-2021-31542", + "id": "pyup.io-43716", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2021-28658", + "id": "pyup.io-43717", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, 
+ { + "advisory": "Django-airplane 1.1.0 and prior uses a version of Django (>=2.2.10) potentially insecure.", + "cve": "CVE-2021-44420", + "id": "pyup.io-43712", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2021-23336", + "id": "pyup.io-43718", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2021-3281", + "id": "pyup.io-43719", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2020-24584", + "id": "pyup.io-43720", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2020-24583", + "id": "pyup.io-43721", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2020-13254", + "id": "pyup.io-43722", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2020-13596", + "id": "pyup.io-43723", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + }, + { + "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", + "cve": "CVE-2020-9402", + "id": "pyup.io-43724", + "specs": [ + "<=1.1.0" + ], + "v": "<=1.1.0" + } + ], + "django-ajax-datatable": [ + { + "advisory": "Django-ajax-datatable version 4.1.4 adds missing CSRF token header in the first POST call (initialize_table()).", + "cve": "PVE-2021-41834", + "id": "pyup.io-41834", + "specs": [ + "<4.1.4" + ], + "v": "<4.1.4" + }, + { + "advisory": "Django-ajax-datatable 4.4.0 strips HTML tags by default in the 
rendered table for security reasons.\r\nhttps://github.com/morlandi/django-ajax-datatable/commit/702d2acfc953c2e9a2deb098e10c124cefb2bfc3", + "cve": "PVE-2021-43640", + "id": "pyup.io-43640", + "specs": [ + "<4.4.0" + ], + "v": "<4.4.0" + } + ], + "django-allauth": [ + { + "advisory": "django-allauth before 0.28.0 previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.", + "cve": "PVE-2021-25737", + "id": "pyup.io-25737", + "specs": [ + "<0.28.0" + ], + "v": "<0.28.0" + }, + { + "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.", + "cve": "PVE-2021-35034", + "id": "pyup.io-35034", + "specs": [ + "<0.34.0" + ], + "v": "<0.34.0" + }, + { + "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release. See CVE-2019-19844 and .", + "cve": "CVE-2019-19844", + "id": "pyup.io-37664", + "specs": [ + "<0.41.0" + ], + "v": "<0.41.0" + }, + { + "advisory": "Django-allauth 0.47.0 adds a new setting 'SOCIALACCOUNT_LOGIN_ON_GET' that controls whether or not the endpoints for initiating a social login (for example, \"/accounts/google/login/\") require a POST request to initiate the handshake. As requiring a POST is more secure, the default of this new setting is 'False'. 
This is useful to prevent redirect attacks.", + "cve": "PVE-2021-43274", + "id": "pyup.io-43274", + "specs": [ + "<0.47.0" + ], + "v": "<0.47.0" + } + ], + "django-allauth-underground": [ + { + "advisory": "django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the\r\n provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the\r\n larger ``SOCIALACCOUNT_PROVIDERS`` setting).", + "cve": "PVE-2021-36394", + "id": "pyup.io-36394", + "specs": [ + "<0.28.0" + ], + "v": "<0.28.0" + } + ], + "django-anonymizer": [ + { + "advisory": "Django-anonymizer 0.4 changes 'Anonymizer.attributes' to require every field to be listed. This deals with the common security problem when a model is updated, but the Anonymizer is not updated.", + "cve": "PVE-2021-25738", + "id": "pyup.io-25738", + "specs": [ + "<0.4" + ], + "v": "<0.4" + } + ], + "django-anymail": [ + { + "advisory": "In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.", + "cve": "CVE-2018-6596", + "id": "pyup.io-35178", + "specs": [ + "<1.4" + ], + "v": "<1.4" + }, + { + "advisory": "Django-anymail version 1.4 includes a fix for CVE-2018-1000089: Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in an attacker with access to error logs could fabricate email tracking events. 
If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app.\r\nhttps://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef", + "cve": "CVE-2018-1000089", + "id": "pyup.io-35198", + "specs": [ + ">=0.2,<1.4" + ], + "v": ">=0.2,<1.4" + } + ], + "django-autocomplete-light": [ + { + "advisory": "Django-autocomplete-light before 2.3.0 when updating the queryset from outside the autocomplete class may lead to a security problem, ie. if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.\r\nhttps://github.com/yourlabs/django-autocomplete-light/pull/494", + "cve": "PVE-2021-25740", + "id": "pyup.io-25740", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + } + ], + "django-awl": [ + { + "advisory": "Django-awl 0.23.1 updates minimum requirements for Django to v2.1.2 to include a security fix.", + "cve": "CVE-2018-16984", + "id": "pyup.io-36588", + "specs": [ + "<0.23.1" + ], + "v": "<0.23.1" + }, + { + "advisory": "Django-awl 1.0 updates the minimum requirements for Django to versions 2.2.10 and 3.0 to include security fixes.", + "cve": "CVE-2019-6975", + "id": "pyup.io-43689", + "specs": [ + "<1.0" + ], + "v": "<1.0" + }, + { + "advisory": "Django-awl 1.0 updates the minimum requirements for Django to versions 2.2.10 and 3.0 to include security fixes.", + "cve": "CVE-2019-3498", + "id": "pyup.io-38139", + "specs": [ + "<1.0" + ], + "v": "<1.0" + } + ], + "django-basic-auth-ip-whitelist": [ + { + "advisory": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. 
Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. 
See: CVE-2020-4071.", + "cve": "CVE-2020-4071", + "id": "pyup.io-38443", + "specs": [ + "<0.3.4" + ], + "v": "<0.3.4" + }, + { + "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.", + "cve": "PVE-2021-38438", + "id": "pyup.io-38438", + "specs": [ + "<0.3.4" + ], + "v": "<0.3.4" + } + ], + "django-basicauth": [ + { + "advisory": "django-basicauth before 0.4.2 is vulnerable to undisclosed timing attacks.", + "cve": "PVE-2021-35076", + "id": "pyup.io-35076", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], + "django-bootstrap4": [ + { + "advisory": "Django-bootstrap4 2.3.0 updates its dependency 'Django' to v3.1.2 to include security fixes.", + "cve": "CVE-2020-24583", + "id": "pyup.io-38870", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + }, + { + "advisory": "Django-bootstrap4 2.3.0 updates its dependency 'Django' to v3.1.2 to include security fixes.", + "cve": "CVE-2020-24584", + "id": "pyup.io-43711", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + } + ], + "django-ca": [ + { + "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.", + "cve": "PVE-2021-37015", + "id": "pyup.io-37015", + "specs": [ + "<1.10.0" + ], + "v": "<1.10.0" + }, + { + "advisory": "Django-ca 1.17.0 secures CSRF and session cookies using Djangos `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY` and `CSRF_COOKIE_SECURE` settings. 
It also adds several security related headers to the admin interface (CSP, etc).", + "cve": "PVE-2021-39375", + "id": "pyup.io-39375", + "specs": [ + "<1.17.0" + ], + "v": "<1.17.0" + }, + { + "advisory": "Django-ca version 1.19.0 fetches only the expected number of bytes when validating ACME challenges via HTTP to prevent DOS attacks.", + "cve": "PVE-2021-42088", + "id": "pyup.io-42088", + "specs": [ + "<1.19.0" + ], + "v": "<1.19.0" + }, + { + "advisory": "django-ca before 1.9.0 did not properly escape x509 extensions, allowing for potential injection attacks.", + "cve": "PVE-2021-36405", + "id": "pyup.io-36405", + "specs": [ + "<1.9.0" + ], + "v": "<1.9.0" + } + ], + "django-celery-results": [ + { + "advisory": "Django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. See CVE-2020-17495.", + "cve": "CVE-2020-17495", + "id": "pyup.io-38678", + "specs": [ + "<=1.2.1" + ], + "v": "<=1.2.1" + } + ], + "django-cms": [ + { + "advisory": "django-cms 2.1.3 fixes a serious security issue in PlaceholderAdmin", + "cve": "PVE-2021-25741", + "id": "pyup.io-25741", + "specs": [ + "<2.1.3" + ], + "v": "<2.1.3" + }, + { + "advisory": "Django-cms before 2.1.4 fixes a XSS issue in Text Plugins.\r\nhttps://github.com/django-cms/django-cms/commit/9ca7738bc1cef827765589c5b254810370a0fc0b", + "cve": "PVE-2021-25742", + "id": "pyup.io-25742", + "specs": [ + "<2.1.4" + ], + "v": "<2.1.4" + }, + { + "advisory": "django-cms 3.0.14 fixes an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability", + "cve": "PVE-2021-25743", + "id": "pyup.io-25743", + "specs": [ + "<3.0.14" + ], + "v": "<3.0.14" + }, + { + "advisory": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to 
manipulate privileged users into performing unknown actions via unspecified vectors.", + "cve": "CVE-2015-5081", + "id": "pyup.io-35628", + "specs": [ + "<3.0.14", + ">3.1,<3.1.1" + ], + "v": "<3.0.14,>3.1,<3.1.1" + }, + { + "advisory": "django-cms 3.2.4 addresses security vulnerabilities in the `render_model` template tag that could lead to escalation of privileges or other security issues. It also addresses a security vulnerability in the cms' usage of the messages framework. Furthermore it fixes security vulnerabilities in custom FormFields that could lead to escalation of privileges or other security issue", + "cve": "PVE-2021-25746", + "id": "pyup.io-25746", + "specs": [ + "<3.2.4" + ], + "v": "<3.2.4" + }, + { + "advisory": "django-cms 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code and a vulnerability where the next parameter for the toolbar login was not sanitised and could point to another domain.", + "cve": "PVE-2021-34226", + "id": "pyup.io-34226", + "specs": [ + "<3.4.3" + ], + "v": "<3.4.3" + }, + { + "advisory": "Django-cms versions 3.7.4, 3.6.1, 3.5.4 and 3.4.7 include a fix for CVE-2021-44649: Django CMS 3.7.3 and prior does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. 
The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.\r\nhttps://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability\r\nhttps://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1", + "cve": "CVE-2021-44649", + "id": "pyup.io-44516", + "specs": [ + "<3.4.7", + ">=3.5.0a0,<3.5.4", + ">=3.6.0a0,<3.6.1", + ">=3.7.0a0,<3.7.4" + ], + "v": "<3.4.7,>=3.5.0a0,<3.5.4,>=3.6.0a0,<3.6.1,>=3.7.0a0,<3.7.4" + }, + { + "advisory": "Django-cms 3.4.7 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", + "cve": "PVE-2021-38791", + "id": "pyup.io-38791", + "specs": [ + ">=3.4.0,<3.4.7" + ], + "v": ">=3.4.0,<3.4.7" + }, + { + "advisory": "Django-cms 3.5.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", + "cve": "PVE-2021-38790", + "id": "pyup.io-38790", + "specs": [ + ">=3.5.0,<3.5.4" + ], + "v": ">=3.5.0,<3.5.4" + }, + { + "advisory": "django-cms before 3.6.1\r\nDjango-cms 3.6.1 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", + "cve": "PVE-2021-38789", + "id": "pyup.io-38789", + "specs": [ + ">=3.6.0,<3.6.1" + ], + "v": ">=3.6.0,<3.6.1" + }, + { + "advisory": "Django-cms 3.7.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", + "cve": "PVE-2021-38788", + "id": "pyup.io-38788", + "specs": [ + ">=3.7.0,<3.7.4" + ], + "v": ">=3.7.0,<3.7.4" + } + ], + "django-cms-patched": [ + { + "advisory": "django-cms-patched before 3.0.17 has security vulnerabilities in the `render_model` template tag that could\r\n lead to escalation of privileges or other security issues.", + "cve": "PVE-2021-34123", + "id": "pyup.io-34123", + "specs": [ + "<3.0.17" + ], + "v": "<3.0.17" + }, + { + "advisory": "django-cms-patched 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code.", + "cve": 
"PVE-2021-34121", + "id": "pyup.io-34121", + "specs": [ + "<3.4.3" + ], + "v": "<3.4.3" + } + ], + "django-cors-headers": [ + { + "advisory": "Django-cors-headers version 3.0.0 fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure 'http://' origins to a secure 'https://' site. Now you will need to update your whitelist to include schemes, for example from this:\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\nto this:\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']\r\nhttps://github.com/adamchainz/django-cors-headers/issues/259", + "cve": "PVE-2021-37132", + "id": "pyup.io-37132", + "specs": [ + "<3.0.0" + ], + "v": "<3.0.0" + } + ], + "django-councilmatic": [ + { + "advisory": "Django-councilmatic 2.5.9 patches a XSS vulnerability when using filter options. \r\nhttps://github.com/datamade/django-councilmatic/issues/270\r\nhttps://github.com/datamade/django-councilmatic/pull/271", + "cve": "PVE-2021-38708", + "id": "pyup.io-38708", + "specs": [ + "<2.5.9" + ], + "v": "<2.5.9" + } + ], + "django-countries": [ + { + "advisory": "Django-countries 3.4 fixes a escaping issue in CountrySelectWidget that could lead to XSS.\r\nhttps://github.com/SmileyChris/django-countries/commit/1ed7c6763d890d00f32242202b424709e8668d5a", + "cve": "PVE-2021-25747", + "id": "pyup.io-25747", + "specs": [ + "<3.4" + ], + "v": "<3.4" + } + ], + "django-crispy-forms": [ + { + "advisory": "django-crispy-forms 1.1.4 contains a security fix: Thread safety fixes to `CrispyFieldNode` thanks to Paul Oswald. 
This avoids leaking information between requests in multithreaded WSGI servers.", + "cve": "PVE-2021-25751", + "id": "pyup.io-25751", + "specs": [ + "<1.1.4" + ], + "v": "<1.1.4" + } + ], + "django-crm": [ + { + "advisory": "MicroPyramid Django-CRM 0.2 does not use CSRF token for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.", + "cve": "CVE-2018-16552", + "id": "pyup.io-36440", + "specs": [ + "<=0.2" + ], + "v": "<=0.2" + }, + { + "advisory": "Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/. See: CVE-2019-11457.", + "cve": "CVE-2019-11457", + "id": "pyup.io-37416", + "specs": [ + "==0.2.1" + ], + "v": "==0.2.1" + } + ], + "django-dajaxice-ng": [ + { + "advisory": "Django-dajaxice-ng 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.\r\nhttps://github.com/ifanrx/django-dajaxice/commit/cd56cde9d9f4f0bea56e97fe86513553669ad187", + "cve": "PVE-2021-25753", + "id": "pyup.io-25753", + "specs": [ + "<0.1.7" + ], + "v": "<0.1.7" + } + ], + "django-debug-toolbar": [ + { + "advisory": "A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form. 
See CVE-2021-30459.", + "cve": "CVE-2021-30459", + "id": "pyup.io-40207", + "specs": [ + "<1.11.1", + ">2,<2.2.1", + ">3,<3.2.1" + ], + "v": "<1.11.1,>2,<2.2.1,>3,<3.2.1" + } + ], + "django-discord-bind": [ + { + "advisory": "django-discord-bind 0.2.0 added state validation to prevent CSRF attacks.", + "cve": "PVE-2021-25754", + "id": "pyup.io-25754", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "django-embed-video": [ + { + "advisory": "django-embed-video 0.3 has a security fix: faked urls are treated as invalid.", + "cve": "PVE-2021-25755", + "id": "pyup.io-25755", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "django-envelope": [ + { + "advisory": "django-envelope 0.4.1 contains a security bugfix regarding initial form values.", + "cve": "PVE-2021-25756", + "id": "pyup.io-25756", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + } + ], + "django-epiced": [ + { + "advisory": "django-epiced before 0.3.0 does not escape HTML output by default.", + "cve": "PVE-2021-34269", + "id": "pyup.io-34269", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "django-epiceditor": [ + { + "advisory": "There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.", + "cve": "CVE-2017-6591", + "id": "pyup.io-35735", + "specs": [ + "<=0.2.3" + ], + "v": "<=0.2.3" + } + ], + "django-fernet-fields": [ + { + "advisory": "django-fernet-fields before 0.3 has DualField and HashField. The only cases where they are useful, they aren't secure.", + "cve": "PVE-2021-34331", + "id": "pyup.io-34331", + "specs": [ + "<0.3" + ], + "v": "<0.3" + }, + { + "advisory": "django-fernet-fields 0.3 removes DualField and HashField. 
The only cases where they are useful, they aren't secure.", + "cve": "PVE-2021-25757", + "id": "pyup.io-25757", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "django-fiber": [ + { + "advisory": "django-fiber 0.9.9.1 contains a security bugfix: Changed permission check in API from IsAuthenticated to IsAdminUser", + "cve": "PVE-2021-25758", + "id": "pyup.io-25758", + "specs": [ + "<0.9.9.1" + ], + "v": "<0.9.9.1" + } + ], + "django-filter": [ + { + "advisory": "Django-filter 2.4.0 added a MaxValueValidator to the form field for NumberFilter. This prevents a potential DoS attack if numbers with very large exponents were subsequently converted to integers.", + "cve": "PVE-2021-38825", + "id": "pyup.io-38825", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + }, + { + "advisory": "Django-filter 2.4.0 includes a fix for CVE-2020-15225: In django-filter before version 2.4.0, automatically generated 'NumberFilter' instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a 'MaxValueValidator' with a default 'limit_value' of 1e50 to the form field used by 'NumberFilter' instances. In addition, 'NumberFilter' implements the new 'get_max_validator()' which should return a configured validator instance to customise the limit, or else 'None' to disable the additional validation. 
Users may manually apply an equivalent validator if they are not able to upgrade.\r\nhttps://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973", + "cve": "CVE-2020-15225", + "id": "pyup.io-40317", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + } + ], + "django-fluent-comments": [ + { + "advisory": "django-fluent-comments 1.0.1 fixes security hash formatting errors on bad requests..", + "cve": "PVE-2021-25761", + "id": "pyup.io-25761", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], + "django-formidable": [ + { + "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.\r\nhttps://github.com/peopledoc/django-formidable/pull/378/commits/e6e5392823e78bb17259b1d4ed45182e34c13dd7", + "cve": "PVE-2021-37875", + "id": "pyup.io-37875", + "specs": [ + "<4.0.0" + ], + "v": "<4.0.0" + } + ], + "django-friendship": [ + { + "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.", + "cve": "PVE-2021-25762", + "id": "pyup.io-25762", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], + "django-froala-editor": [ + { + "advisory": "Django-froala-editor 4.0.8 fixed high level security vulnerability in dependent packages for Node.", + "cve": "PVE-2021-43580", + "id": "pyup.io-43580", + "specs": [ + "<4.0.8" + ], + "v": "<4.0.8" + } + ], + "django-guts": [ + { + "advisory": "django-guts 0.1.1 fixes a security issue, allowing anyone to read any file.", + "cve": "PVE-2021-25763", + "id": "pyup.io-25763", + "specs": [ + "<0.1.1" + ], + "v": "<0.1.1" + } + ], + "django-hashedfilenamestorage": [ + { + "advisory": "Django-hashedfilenamestorage 2.4 updates Django dependency requirement to >=2.0.8 to include security fixes.", + "cve": "CVE-2018-14574", + "id": "pyup.io-36802", + "specs": [ + "<2.4" + ], + "v": "<2.4" + }, + { + "advisory": "Django-hashedfilenamestorage 2.4 updates Django dependency requirement to >=2.0.8 to include security 
fixes.", + "cve": "CVE-2018-7537", + "id": "pyup.io-43734", + "specs": [ + "<2.4" + ], + "v": "<2.4" + } + ], + "django-hashid-field": [ + { + "advisory": "Django-hashid-field v1.0.0 \r\n\r\nIf you already specified `salt` in fields, like `id = HashidField(salt=\"something\")` everywhere then you're already set, and can upgrade worry-free.\r\n\r\nIf you instead let the module fallback to `salt=settings.SECRET_KEY` (default behavior) then this upgrade will change all of your existing fields. It has been pointed out that it's possible to discover the salt used when encoding Hashids, and thus it is very dangerous to use settings.SECRET_KEY, as an attacker may be able to get your SECRET_KEY from your HashidFields.\r\n\r\nIf you absolutely MUST maintain backwards-compatibility and continue to support your old hashed values, then you can set `HASHID_FIELD_SALT = SECRET_KEY` in your settings. But this is *VERY DISCOURAGED*.", + "cve": "PVE-2021-38508", + "id": "pyup.io-38508", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.", + "cve": "PVE-2021-37680", + "id": "pyup.io-37680", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + } + ], + "django-haystack": [ + { + "advisory": "Django-haystack 1.1 removes insecure use of 'eval' from the Whoosh backend.\r\nhttps://github.com/django-haystack/django-haystack/commit/e0dc369cc12621df51bc8f807ff5ef728131e6ea", + "cve": "PVE-2021-25764", + "id": "pyup.io-25764", + "specs": [ + "<1.1" + ], + "v": "<1.1" + } + ], + "django-heartbeat": [ + { + "advisory": "Django-heartbeat 2.0.3 fixes its dependency to an insecure psutil package.", + "cve": "PVE-2021-38604", + "id": "pyup.io-38604", + "specs": [ + "<2.0.3" + ], + "v": "<2.0.3" + } + ], + "django-helpdesk": [ + { + "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3945: Django-helpdesk is 
vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30\r\nhttps://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4", + "cve": "CVE-2021-3945", + "id": "pyup.io-42683", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + }, + { + "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3950: Django-helpdesk is vulnerable to improper neutralization of input during web page generation ('Cross-site Scripting').\r\nhttps://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60", + "cve": "CVE-2021-3950", + "id": "pyup.io-42743", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + }, + { + "advisory": "Django-helpdesk 0.3.2 includes a fix for CVE-2021-3994: Django-helpdesk is vulnerable to improper neutralization of input during web page generation ('Cross-site Scripting').\r\nhttps://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd", + "cve": "CVE-2021-3994", + "id": "pyup.io-42766", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" + } + ], + "django-hijack": [ + { + "advisory": "django-hijack before 1.0.7 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25765", + "id": "pyup.io-25765", + "specs": [ + "<1.0.7" + ], + "v": "<1.0.7" + } + ], + "django-howl": [ + { + "advisory": "Django-howl 1.0.4 updates Django to v2.2.2 to include a security fix.", + "cve": "CVE-2019-12308", + "id": "pyup.io-37240", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-14234", + "id": "pyup.io-43654", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": 
"CVE-2020-7471", + "id": "pyup.io-43651", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-14232", + "id": "pyup.io-43656", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-19844", + "id": "pyup.io-43652", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-19118", + "id": "pyup.io-43653", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-14233", + "id": "pyup.io-43655", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-14235", + "id": "pyup.io-43657", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-12781", + "id": "pyup.io-43658", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'urllib3' to v1.25.8 to include a security fix.", + "cve": "CVE-2020-7212", + "id": "pyup.io-43659", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2020-9402", + "id": "pyup.io-38069", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + } + ], + "django-html5-appcache": [ + { + "advisory": "django-html5-appcache 0.3.0 added a security check for sensitive views.", + "cve": "PVE-2021-25766", + "id": "pyup.io-25766", + "specs": [ + "<0.3.0" + ], + "v": 
"<0.3.0" + } + ], + "django-idempotency-key": [ + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2020-7471", + "id": "pyup.io-42977", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-14232", + "id": "pyup.io-42978", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-14234", + "id": "pyup.io-42979", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-14233", + "id": "pyup.io-42980", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-14235", + "id": "pyup.io-42981", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-12308", + "id": "pyup.io-42982", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-12781", + "id": "pyup.io-42983", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2019-19844", + "id": "pyup.io-42984", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2020-9402", + "id": "pyup.io-42985", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 drops 
support for Django 1.x as it arrived to end of life.", + "cve": "CVE-2021-33203", + "id": "pyup.io-38162", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 updates the minimum version of its dependency 'bleach' to v3.1.4 to include a security fix.", + "cve": "CVE-2020-6817", + "id": "pyup.io-42975", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Django-idempotency-key 1.1.0 updates the minimum version of its dependency 'urllib3' to v1.24.2 to include a security fix.", + "cve": "CVE-2019-11324", + "id": "pyup.io-42976", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], + "django-initial-avatars": [ + { + "advisory": "django-initial-avatars before 0.4 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25767", + "id": "pyup.io-25767", + "specs": [ + "<0.4" + ], + "v": "<0.4" + }, + { + "advisory": "django-initial-avatars before 0.5.0 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25768", + "id": "pyup.io-25768", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], + "django-jet": [ + { + "advisory": "Django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.\r\nhttps://github.com/geex-arts/django-jet/commit/734f3521d8290f6162847ad0b5c33d8ab5e119a9", + "cve": "PVE-2021-25769", + "id": "pyup.io-25769", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "django-jet-reboot": [ + { + "advisory": "Django-jet-reboot 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.\r\nhttps://github.com/assem-ch/django-jet-reboot/commit/734f3521d8290f6162847ad0b5c33d8ab5e119a9", + "cve": "PVE-2021-39370", + "id": "pyup.io-39370", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "django-jinja-knockout": [ + { + "advisory": "'TemplateContext' class is used in 
Django-jinja-knockout 0.9.0 to manage client-side data injection.", + "cve": "PVE-2021-39610", + "id": "pyup.io-39610", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "django-js-reverse": [ + { + "advisory": "django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. See: CVE-2019-15486.", + "cve": "CVE-2019-15486", + "id": "pyup.io-37399", + "specs": [ + "<0.9.1" + ], + "v": "<0.9.1" + } + ], + "django-lazysignup": [ + { + "advisory": "Django-lazysignup before 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.\r\nhttps://github.com/danfairs/django-lazysignup/commit/ea27d50ea222063de81f005565dfbb7f83d8759f", + "cve": "PVE-2021-25770", + "id": "pyup.io-25770", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], + "django-lazysignup-redux": [ + { + "advisory": "django-lazysignup-redux 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. 
This change means that existing generated users will become invalid.", + "cve": "PVE-2021-25771", + "id": "pyup.io-25771", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], + "django-lfs": [ + { + "advisory": "django-lfs before 0.6.9 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25772", + "id": "pyup.io-25772", + "specs": [ + "<0.6.9" + ], + "v": "<0.6.9" + } + ], + "django-magiclink": [ + { + "advisory": "Django-magiclink 1.0.4 adds csrf_protect decorator for POST requests by default to improve security.", + "cve": "PVE-2021-41829", + "id": "pyup.io-41829", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "django-mail-auth": [ + { + "advisory": "Django-mail-auth 0.1.3 fixes session key security issues.", + "cve": "PVE-2021-37171", + "id": "pyup.io-37171", + "specs": [ + "<0.1.3" + ], + "v": "<0.1.3" + } + ], + "django-make-app": [ + { + "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. 
An attacker can insert Python into loaded YAML to trigger this vulnerability.", + "cve": "CVE-2017-16764", + "id": "pyup.io-35722", + "specs": [ + "<0.1.3" + ], + "v": "<0.1.3" + } + ], + "django-mapstore-adapter": [ + { + "advisory": "Django-mapstore-adapter 1.0.4 fixes an unescaped \"ms2_config\" which may cause JS injection.", + "cve": "PVE-2021-38936", + "id": "pyup.io-38936", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "django-markupfield": [ + { + "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.", + "cve": "CVE-2015-0846", + "id": "pyup.io-25773", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.", + "cve": "CVE-2015-0846", + "id": "pyup.io-25774", + "specs": [ + "<1.3.3" + ], + "v": "<1.3.3" + } + ], + "django-material": [ + { + "advisory": "Django-material 0.9.0 fixes a XSS vulnerability in input fields.\r\nhttps://github.com/viewflow/django-material/issues/139", + "cve": "PVE-2021-25775", + "id": "pyup.io-25775", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + }, + { + "advisory": "Django-material before 1.5.1 included a js injection vulnerability in a list view.\r\nhttps://github.com/viewflow/django-material/commit/778ad3e170a59e750ed7a86b83beebe5eccc39ee", + "cve": "PVE-2021-36950", + "id": "pyup.io-36950", + "specs": [ + "<1.5.1" + ], + "v": "<1.5.1" + } + ], + "django-modern-rpc": [ + { + "advisory": "django-modern-rpc before 0.8.1 isn't correctly checking the authentication backend when executing 'system.multicall()'.", + "cve": "PVE-2021-34991", + "id": "pyup.io-34991", + "specs": [ + "<0.8.1" + ], + "v": "<0.8.1" + } + ], + "django-mptt": [ + { + "advisory": "Django-mptt <0.8.0 
uses versions of python/django that no longer receive security patches. You should upgrade to Python 2.7 and Django 1.8+.", + "cve": "PVE-2021-41205", + "id": "pyup.io-41205", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + } + ], + "django-music-publisher": [ + { + "advisory": "Django 2.1 had a minor security issue, so 2.1.2 was promptly released.. django-music-publisher before 18.9.1 included this issue.", + "cve": "PVE-2021-36523", + "id": "pyup.io-36523", + "specs": [ + "<18.9.1" + ], + "v": "<18.9.1" + }, + { + "advisory": "Django-music-publisher 18.9.3 updates its dependency 'requests' to v2.20.0 to include a security fix.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36608", + "specs": [ + "<18.9.3" + ], + "v": "<18.9.3" + } + ], + "django-nameko-standalone": [ + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-14233", + "id": "pyup.io-43702", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-14234", + "id": "pyup.io-43703", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-12308", + "id": "pyup.io-43706", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-6975", + "id": "pyup.io-43707", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2018-14574", + "id": "pyup.io-43709", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": 
"CVE-2018-7537", + "id": "pyup.io-38565", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-19844", + "id": "pyup.io-43700", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-14232", + "id": "pyup.io-43701", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-14235", + "id": "pyup.io-43704", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-12781", + "id": "pyup.io-43705", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", + "cve": "CVE-2019-3498", + "id": "pyup.io-43708", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + } + ], + "django-newsletter": [ + { + "advisory": "django-newsletter before 0.7 allowed a user to subscribe others to the newsletter without authorization.", + "cve": "PVE-2021-36318", + "id": "pyup.io-36318", + "specs": [ + "<0.7" + ], + "v": "<0.7" + }, + { + "advisory": "Django-newsletter 0.9 updates its dependency 'Waitress' to v1.4.3 to include a security fix.", + "cve": "CVE-2020-5236", + "id": "pyup.io-43671", + "specs": [ + "<0.9" + ], + "v": "<0.9" + }, + { + "advisory": "Django-newsletter 0.9 updates its dependency 'Django' to v3.0.3 to include a security fix.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37916", + "specs": [ + "<0.9" + ], + "v": "<0.9" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", + "cve": 
"CVE-2019-16789", + "id": "pyup.io-43673", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", + "cve": "CVE-2019-16792", + "id": "pyup.io-43674", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", + "cve": "CVE-2019-19911", + "id": "pyup.io-43675", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-12308", + "id": "pyup.io-43687", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", + "cve": "CVE-2019-16785", + "id": "pyup.io-43672", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", + "cve": "CVE-2020-5310", + "id": "pyup.io-43676", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", + "cve": "CVE-2020-5311", + "id": "pyup.io-43677", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", + "cve": "CVE-2020-5312", + "id": "pyup.io-43678", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", + "cve": "CVE-2020-5313", + "id": "pyup.io-43679", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-3498", + "id": "pyup.io-43680", + "specs": [ 
+ "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-19118", + "id": "pyup.io-43681", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-14234", + "id": "pyup.io-43682", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-14233", + "id": "pyup.io-43683", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-14232", + "id": "pyup.io-43684", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-14235", + "id": "pyup.io-43685", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-12781", + "id": "pyup.io-43686", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", + "cve": "CVE-2019-6975", + "id": "pyup.io-43688", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + }, + { + "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", + "cve": "CVE-2019-16786", + "id": "pyup.io-37677", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" + } + ], + "django-ninecms": [ + { + "advisory": "django-ninecms before 0.4.5b has a unknown security issue in its url configuration.", + "cve": "PVE-2021-25776", + "id": "pyup.io-25776", + "specs": [ + "<0.4.5b" + ], + "v": "<0.4.5b" + } 
+ ], + "django-nopassword": [ + { + "advisory": "django-nopassword before 5.0.0 stores cleartext secrets in the database. See: CVE-2019-10682.", + "cve": "CVE-2019-10682", + "id": "pyup.io-38080", + "specs": [ + "<5.0.0" + ], + "v": "<5.0.0" + } + ], + "django-oauth-toolkit": [ + { + "advisory": "Django-oauth-toolkit 0.8.0 includes fixes for various vulnerabilities on 'Basic' authentication.", + "cve": "PVE-2021-39609", + "id": "pyup.io-39609", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + } + ], + "django-orghierarchy": [ + { + "advisory": "Django-orghierarchy 0.1.13 updates its dependency 'Django' to v1.11.15 to include a security fix.", + "cve": "CVE-2018-14574", + "id": "pyup.io-37039", + "specs": [ + "<0.1.13" + ], + "v": "<0.1.13" + }, + { + "advisory": "Django-orghierarchy 0.1.18 updates its dependency 'requests' to v2.20.0 to include a security fix.", + "cve": "CVE-2018-18074", + "id": "pyup.io-37038", + "specs": [ + "<0.1.18" + ], + "v": "<0.1.18" + } + ], + "django-pagetree": [ + { + "advisory": "Django-pagetree version 1.0.4 adds csrf_tokens to several forms where it was missing.", + "cve": "PVE-2021-41899", + "id": "pyup.io-41899", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + }, + { + "advisory": "Django-pagetree version 1.0.7 adds a csrf token for the import_json form.", + "cve": "PVE-2021-41898", + "id": "pyup.io-41898", + "specs": [ + "<1.0.7" + ], + "v": "<1.0.7" + }, + { + "advisory": "Django-pagetree 1.1.8 adds a csrf_token to the base clone_hierarchy form.", + "cve": "PVE-2021-41897", + "id": "pyup.io-41897", + "specs": [ + "<1.1.8" + ], + "v": "<1.1.8" + } + ], + "django-patchwork": [ + { + "advisory": "A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. 
Patchwork versions v2.1.4 and v2.0.4 will contain the fix.", + "cve": "CVE-2019-13122", + "id": "pyup.io-42262", + "specs": [ + ">=1.1,<2.0.4", + ">=2.1.0,<2.1.4", + "==2.1.0:rc1", + "==2.1.0:rc2" + ], + "v": ">=1.1,<2.0.4,>=2.1.0,<2.1.4,==2.1.0:rc1,==2.1.0:rc2" + } + ], + "django-perms-provisioner": [ + { + "advisory": "Django-perms-provisioner 0.0.4 updates PyYAML to v5.3.1 to include security fixes.", + "cve": "CVE-2020-1747", + "id": "pyup.io-38289", + "specs": [ + "<0.0.4" + ], + "v": "<0.0.4" + }, + { + "advisory": "Django-perms-provisioner updates its dependency 'pyyaml' to v5.3.1 and code to include security fixes.\r\nhttps://github.com/labd/django-perms-provisioner/commit/1e65b781c47f6ba02805283a3ede56276ae14b44", + "cve": "CVE-2019-20477", + "id": "pyup.io-43456", + "specs": [ + "<0.0.4" + ], + "v": "<0.0.4" + } + ], + "django-piston": [ + { + "advisory": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", + "cve": "CVE-2011-4103", + "id": "pyup.io-25777", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + } + ], + "django-pluggable-filebrowser": [ + { + "advisory": "django-pluggable-filebrowser 3.4.2 fixes a security bug: added staff_member_required decorator to the upload-function.", + "cve": "PVE-2021-25778", + "id": "pyup.io-25778", + "specs": [ + "<3.4.2" + ], + "v": "<3.4.2" + } + ], + "django-polaris": [ + { + "advisory": "Improvements in the Multi-signature Asset Distribution Account Support allow anchors since django-polaris version 1.1.0 to improve the security of the account that controls outbound payments.", + "cve": "PVE-2021-38837", + "id": "pyup.io-38837", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], + "django-postman": [ + { + "advisory": "django-postman 3.6.2 fixes issue 101, for security concern, ignore the scheme and domain parts in the 'next' query param.", + "cve": 
"PVE-2021-36667", + "id": "pyup.io-36667", + "specs": [ + "<3.6.2" + ], + "v": "<3.6.2" + } + ], + "django-python3-ldap": [ + { + "advisory": "Django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.\r\nhttps://github.com/etianen/django-python3-ldap/commit/a250194e2911e270a90b0eec2251343040a75ece", + "cve": "PVE-2021-25779", + "id": "pyup.io-25779", + "specs": [ + "<0.9.5" + ], + "v": "<0.9.5" + }, + { + "advisory": "django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty password if anonymous authentication is allowed on the LDAP server.", + "cve": "PVE-2021-25780", + "id": "pyup.io-25780", + "specs": [ + "<0.9.8" + ], + "v": "<0.9.8" + } + ], + "django-rated": [ + { + "advisory": "django-rated before 1.1.2 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25781", + "id": "pyup.io-25781", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], + "django-registration": [ + { + "advisory": "django-registration before 1.7 leaked password reset token through the Referer\r\nheader.", + "cve": "PVE-2021-36431", + "id": "pyup.io-36431", + "specs": [ + "<1.7" + ], + "v": "<1.7" + }, + { + "advisory": "django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. 
Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). See CVE-2021-21416.", + "cve": "CVE-2021-21416", + "id": "pyup.io-40136", + "specs": [ + "<3.1.2" + ], + "v": "<3.1.2" + } + ], + "django-registration-redux": [ + { + "advisory": "django-registration-redux before 1.7 leaks password reset tokens through the Referer header. For more info, see: https://github.com/macropin/django-registration/pull/268", + "cve": "PVE-2021-35199", + "id": "pyup.io-35199", + "specs": [ + "<1.7" + ], + "v": "<1.7" + } + ], + "django-relatives": [ + { + "advisory": "Django-relatives before 0.3.0 is vulnerable to XSS in html tags.\r\nhttps://github.com/treyhunner/django-relatives/commit/6410ae4695389cb377ce23d35883d8b70b789deb", + "cve": "PVE-2021-25782", + "id": "pyup.io-25782", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "django-rest-registration": [ + { + "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.", + "cve": "CVE-2019-13177", + "id": "pyup.io-37266", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + }, + { + "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. 
See: .", + "cve": "PVE-2021-37385", + "id": "pyup.io-37385", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], + "django-revproxy": [ + { + "advisory": "django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.", + "cve": "PVE-2021-25783", + "id": "pyup.io-25783", + "specs": [ + "<0.9.6" + ], + "v": "<0.9.6" + }, + { + "advisory": "django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin ignores the upstream and the request is redirected to the path itself allowing content injection.", + "cve": "PVE-2021-25784", + "id": "pyup.io-25784", + "specs": [ + "<0.9.7" + ], + "v": "<0.9.7" + } + ], + "django-safedelete": [ + { + "advisory": "Django-safedelete 0.3.3 contains a security fix that prevents an XSS attack in the admin interface.\r\nhttps://github.com/makinacorpus/django-safedelete/commit/317c548c9d53e8983bb9a361c02f658f635ac13e", + "cve": "PVE-2021-25785", + "id": "pyup.io-25785", + "specs": [ + "<0.3.3" + ], + "v": "<0.3.3" + } + ], + "django-sage-painless": [ + { + "advisory": "Django-sage-painless 1.10.2 includes fixes for few security bugs.", + "cve": "PVE-2021-41101", + "id": "pyup.io-41101", + "specs": [ + "<1.10.2" + ], + "v": "<1.10.2" + } + ], + "django-select2": [ + { + "advisory": "django-select2 5.7.0 contains a security fix that allows a `field_id` to only be used for the intended JSON endpoint.", + "cve": "PVE-2021-25787", + "id": "pyup.io-25787", + "specs": [ + "<5.7.0" + ], + "v": "<5.7.0" + } + ], + "django-selectable": [ + { + "advisory": "Django-selectable 0.5.2 fixes a XSS flaw with lookup \"get_item_*\" methods.\r\nhttps://github.com/mlavin/django-selectable/issues/63", + "cve": "PVE-2021-25788", + "id": "pyup.io-25788", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], + "django-server": [ + { + "advisory": "django-server is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", + "cve": "PVE-2021-34982", + "id": "pyup.io-34982", + "specs": [ 
+ ">0", + "<0" + ], + "v": ">0,<0" + } + ], + "django-session-security": [ + { + "advisory": "django-session-security 2.4.0 fixes a vulnerability when SESSION_EXPIRE_AT_BROWSER_CLOSE is off.", + "cve": "PVE-2021-25789", + "id": "pyup.io-25789", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + } + ], + "django-silk": [ + { + "advisory": "Django-silk version 0.4 improves user input sanitization.\r\nhttps://github.com/jazzband/django-silk/commit/487bca243e6d68678abfd83423c33684734281ab", + "cve": "PVE-2021-42212", + "id": "pyup.io-42212", + "specs": [ + "<0.4" + ], + "v": "<0.4" + }, + { + "advisory": "Django-silk version 4.0.0 masks request headers to avoid auth information leaking.\r\nhttps://github.com/jazzband/django-silk/issues/375", + "cve": "PVE-2021-42212", + "id": "pyup.io-42216", + "specs": [ + "<4.0.0" + ], + "v": "<4.0.0" + } + ], + "django-smart-lists": [ + { + "advisory": "Django-smart-lists 1.0.26 fixes a XSS vulnerability in the render_function.\r\nhttps://github.com/plecto/django-smart-lists/commit/44314e51b371e01cd9bceb2e0ed6c8d75d7f87c3", + "cve": "PVE-2021-38150", + "id": "pyup.io-38150", + "specs": [ + "<1.0.26" + ], + "v": "<1.0.26" + } + ], + "django-smart-selects": [ + { + "advisory": "django-smart-selects before 1.5.0 allowed anybody to list arbitrary objects by tweaking URL parameters. 
1.5.0 adds checks to the views to ensure that queries return an HTTP 403 (Permission denied) for models that do not have smart_selects fields defined.", + "cve": "PVE-2021-34234", + "id": "pyup.io-34234", + "specs": [ + "<1.5.1" + ], + "v": "<1.5.1" + } + ], + "django-social-auth": [ + { + "advisory": "django-social-auth 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", + "cve": "PVE-2021-25790", + "id": "pyup.io-25790", + "specs": [ + "<0.7.2" + ], + "v": "<0.7.2" + } + ], + "django-social-auth3": [ + { + "advisory": "django-social-auth3 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", + "cve": "PVE-2021-25791", + "id": "pyup.io-25791", + "specs": [ + "<0.7.2" + ], + "v": "<0.7.2" + } + ], + "django-sql-dashboard": [ + { + "advisory": "Django-sql-dashboard 0.14 fixes a security and permissions flaw, where users without the 'execute_sql' permission could still run custom queries by editing saved dashboards using the Django admin interface.", + "cve": "PVE-2021-40482", + "id": "pyup.io-40482", + "specs": [ + "<0.14" + ], + "v": "<0.14" + } + ], + "django-sql-explorer": [ + { + "advisory": "Users in django-sql-explorer version 0.5 with view permissions can use query parameters. 
This results in a potential for SQL injection.", + "cve": "PVE-2021-39445", + "id": "pyup.io-39445", + "specs": [ + "<0.5" + ], + "v": "<0.5" + }, + { + "advisory": "Django-sql-explorer before 1.1.0 isn't escaping values from the database correctly, making it open for potential XSS-attacks.\r\nhttps://github.com/groveco/django-sql-explorer/pull/286", + "cve": "PVE-2021-33293", + "id": "pyup.io-33293", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], + "django-sticky-uploads": [ + { + "advisory": "django-sticky-uploads 0.2.0 fixes a security issue related to client changing the upload url specified by the widget for the upload.", + "cve": "PVE-2021-25793", + "id": "pyup.io-25793", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "django-storages": [ + { + "advisory": "In django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket permissions. Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL = None``. 
V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.", + "cve": "PVE-2021-36434", + "id": "pyup.io-36434", + "specs": [ + "<1.7" + ], + "v": "<1.7" + } + ], + "django-tastypie": [ + { + "advisory": "The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", + "cve": "CVE-2011-4104", + "id": "pyup.io-25794", + "specs": [ + "<0.9.10" + ], + "v": "<0.9.10" + } + ], + "django-trench": [ + { + "advisory": "Django-trench 0.2.3 updates default backup codes settings to a more secure standard.\r\nhttps://github.com/merixstudio/django-trench/pull/52", + "cve": "PVE-2021-42899", + "id": "pyup.io-42899", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + } + ], + "django-triggers": [ + { + "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", + "cve": "CVE-2020-9402", + "id": "pyup.io-43667", + "specs": [ + "<2.0.13" + ], + "v": "<2.0.13" + }, + { + "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", + "cve": "CVE-2018-14574", + "id": "pyup.io-43669", + "specs": [ + "<2.0.13" + ], + "v": "<2.0.13" + }, + { + "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", + "cve": "CVE-2019-3498", + "id": "pyup.io-43668", + "specs": [ + "<2.0.13" + ], + "v": "<2.0.13" + }, + { + "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", + "cve": "CVE-2018-7537", + "id": "pyup.io-37072", + "specs": [ + "<2.0.13" + ], + "v": "<2.0.13" + } + ], + "django-two-factor-auth": [ + { + "advisory": "Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). 
The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. 
There is no way to fully mitigate the issue without upgrading. See: CVE-2020-15105.", + "cve": "CVE-2020-15105", + "id": "pyup.io-38562", + "specs": [ + "<1.12" + ], + "v": "<1.12" + } + ], + "django-ucamlookup": [ + { + "advisory": "django-ucamlookup 1.9 fixes XXS vulnerability in template macros", + "cve": "PVE-2021-36744", + "id": "pyup.io-36744", + "specs": [ + "<1.9" + ], + "v": "<1.9" + } + ], + "django-uni-form": [ + { + "advisory": "Django-uni-form 0.9.0 fixes a XSS security issue. Errors weren't rendered safe: field's input was part of the error message, unsanitized.\r\nhttps://github.com/pydanny/django-uni-form/pull/98", + "cve": "PVE-2021-25796", + "id": "pyup.io-25796", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "django-unicorn": [ + { + "advisory": "Django-unicorn version 0.29.0 sanitizes initial JSON to prevent XSS.\r\nhttps://github.com/adamghill/django-unicorn/commit/c38e2a8bbb3ec6a8cdba30813282d9159c90f0d2", + "cve": "PVE-2021-42099", + "id": "pyup.io-42099", + "specs": [ + "<0.29.0" + ], + "v": "<0.29.0" + }, + { + "advisory": "Django-unicorn version 0.36.0 includes a fix for CVE-2021-42053: The Unicorn framework through 0.35.3 for Django allows XSS via component.name.\r\nhttps://github.com/adamghill/django-unicorn/pull/288/files", + "cve": "CVE-2021-42053", + "id": "pyup.io-42060", + "specs": [ + "<0.36.0" + ], + "v": "<0.36.0" + }, + { + "advisory": "The Unicorn framework before 0.36.1 for Django allows XSS via a component. 
NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.\r\nhttps://github.com/adamghill/django-unicorn/commit/3a832a9e3f6455ddd3b87f646247269918ad10c6\r\nhttps://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1", + "cve": "CVE-2021-42134", + "id": "pyup.io-42107", + "specs": [ + "<0.36.1" + ], + "v": "<0.36.1" + } + ], + "django-urlconf-export": [ + { + "advisory": "Django-urlconf-export 1.1.1 updates Django to v3.0.7 to include security fixes.", + "cve": "CVE-2020-13596", + "id": "pyup.io-38386", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + }, + { + "advisory": "Django-urlconf-export 1.1.1 updates Django to v3.0.7 to include security fixes.", + "cve": "CVE-2020-13254", + "id": "pyup.io-43660", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + } + ], + "django-user-accounts": [ + { + "advisory": "django-user-accounts before 2.0.2 has a potentional security issue with leaking password reset tokens through HTTP Referer header.", + "cve": "PVE-2021-34774", + "id": "pyup.io-34774", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + } + ], + "django-user-management": [ + { + "advisory": "Django-user-management 18.0.0 updates its dependency 'djangorestframework' to a version >=3.9.1 to patch an XSS vulnerability.", + "cve": "PVE-2021-43472", + "id": "pyup.io-38634", + "specs": [ + "<18.0.0" + ], + "v": "<18.0.0" + }, + { + "advisory": "Django-user-management 18.0.0 updates its dependency 'pillow' to a version >3.3.2 to include security fixes.", + "cve": "CVE-2016-9189", + "id": "pyup.io-43473", + "specs": [ + "<18.0.0" + ], + "v": "<18.0.0" + }, + { + "advisory": "Django-user-management 18.0.0 updates its dependency 'pillow' to a version >3.3.2 to include security fixes.", + "cve": "CVE-2016-9190", + "id": "pyup.io-43474", + "specs": [ + "<18.0.0" + ], + "v": "<18.0.0" + } + ], + "django-user-sessions": [ + { + "advisory": "In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. 
The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen. See: CVE-2020-5224.", + "cve": "CVE-2020-5224", + "id": "pyup.io-37777", + "specs": [ + "<1.7.1" + ], + "v": "<1.7.1" + } + ], + "django-watchman": [ + { + "advisory": "django-watchman 0.10.0 improves security by keeping tokens out of logs.", + "cve": "PVE-2021-25797", + "id": "pyup.io-25797", + "specs": [ + "<0.10.0" + ], + "v": "<0.10.0" + } + ], + "django-widgy": [ + { + "advisory": "Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page' (https://github.com/fusionbox/django-widgy/issues/387). See CVE-2020-18704.", + "cve": "CVE-2020-18704", + "id": "pyup.io-41185", + "specs": [ + "==0.8.4" + ], + "v": "==0.8.4" + } + ], + "django-x509": [ + { + "advisory": "Django-x509 0.9.1 updates the minimum version of 'cryptography' to 3.2 for security reasons.", + "cve": "CVE-2020-25659", + "id": "pyup.io-39116", + "specs": [ + "<0.9.1" + ], + "v": "<0.9.1" + } + ], + "djangocms-admin-style": [ + { + "advisory": "djangocms-admin-style 1.2.5 fixes a potential security issue if the ``Site.name`` field contains malicious code.", + "cve": "PVE-2021-36834", + "id": "pyup.io-36834", + "specs": [ + "<1.2.5" + ], + "v": "<1.2.5" + } + ], + "djangocms-highlightjs": [ + { + "advisory": "djangocms-highlightjs before 0.3.1 has a unspecified security issue and is vulnerable via unknown vectors.", + "cve": "PVE-2021-25798", + "id": "pyup.io-25798", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + } + ], + "djangorestframework": [ + { + "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.", + "cve": "PVE-2021-25799", + "id": "pyup.io-25799", 
+ "specs": [ + "<2.2.1" + ], + "v": "<2.2.1" + }, + { + "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.", + "cve": "PVE-2021-25800", + "id": "pyup.io-25800", + "specs": [ + "<2.3.12" + ], + "v": "<2.3.12" + }, + { + "advisory": "djangorestframework 2.3.14 fixes a security issue: Escape request path when it is include as part of the login and logout links in the browsable API.", + "cve": "PVE-2021-25801", + "id": "pyup.io-25801", + "specs": [ + "<2.3.14" + ], + "v": "<2.3.14" + }, + { + "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.", + "cve": "PVE-2021-25802", + "id": "pyup.io-25802", + "specs": [ + "<2.4.4" + ], + "v": "<2.4.4" + }, + { + "advisory": "djangorestframework 2.4.5 fixes a security issue: Escape tab switching cookie name in browsable API. [Backported from 3.1.1]", + "cve": "PVE-2021-25803", + "id": "pyup.io-25803", + "specs": [ + "<2.4.5" + ], + "v": "<2.4.5" + }, + { + "advisory": "djangorestframework 3.1.1 fixes a security issue: : Escape tab switching cookie name in browsable API.", + "cve": "PVE-2021-25804", + "id": "pyup.io-25804", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + }, + { + "advisory": "Djangorestframework 3.12.0 includes a fix for CVE-2020-25626: A flaw was found in Django REST Framework versions before 3.12.0. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious