dependabot-alerts.json
[{"number":12,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"werkzeug"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-hrfv-mqp8-q5rw","cve_id":"CVE-2023-46136","summary":"Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning","description":"Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. 
If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n","severity":"medium","identifiers":[{"value":"GHSA-hrfv-mqp8-q5rw","type":"GHSA"},{"value":"CVE-2023-46136","type":"CVE"}],"references":[{"url":"https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw"},{"url":"https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46136"},{"url":"https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2"},{"url":"https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml"},{"url":"https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9"},{"url":"https://security.netapp.com/advisory/ntap-20231124-0008/"},{"url":"https://github.com/advisories/GHSA-hrfv-mqp8-q5rw"}],"published_at":"2023-10-25T14:22:59Z","updated_at":"2023-12-03T05:04:51Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"medium","vulnerable_version_range":">= 3.0.0, < 3.0.1","first_patched_version":{"identifier":"3.0.1"}},{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"medium","vulnerable_version_range":"< 2.3.8","first_patched_version":{"identifier":"2.3.8"}}],"cvss":{"vector_string":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","score":5.7},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-787","name":"Out-of-bounds Write"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"medium","vulnerable_version_range":"< 
2.3.8","first_patched_version":{"identifier":"2.3.8"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/12","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/12","created_at":"2024-01-25T12:54:34Z","updated_at":"2024-01-25T12:54:34Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":11,"state":"dismissed","dependency":{"package":{"ecosystem":"pip","name":"flask"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-5wv5-4vpf-pj6m","cve_id":"CVE-2019-1010083","summary":"Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage","description":"The Pallets Project Flask before 1.0 is affected by unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. The fixed version is 1. NOTE this may overlap CVE-2018-1000656.","severity":"high","identifiers":[{"value":"GHSA-5wv5-4vpf-pj6m","type":"GHSA"},{"value":"CVE-2019-1010083","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010083"},{"url":"https://www.palletsprojects.com/blog/flask-1-0-released/"},{"url":"https://github.com/advisories/GHSA-5wv5-4vpf-pj6m"}],"published_at":"2019-07-19T16:12:46Z","updated_at":"2023-08-14T21:11:53Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"flask"},"severity":"high","vulnerable_version_range":"< 1.0","first_patched_version":{"identifier":"1.0"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"flask"},"severity":"high","vulnerable_version_range":"< 
1.0","first_patched_version":{"identifier":"1.0"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/11","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/11","created_at":"2024-01-25T12:54:34Z","updated_at":"2024-01-25T19:15:10Z","dismissed_at":"2024-01-25T19:15:10Z","dismissed_by":{"login":"timothywarner","id":12627911,"node_id":"MDQ6VXNlcjEyNjI3OTEx","avatar_url":"https://avatars.githubusercontent.com/u/12627911?v=4","gravatar_id":"","url":"https://api.github.com/users/timothywarner","html_url":"https://github.com/timothywarner","followers_url":"https://api.github.com/users/timothywarner/followers","following_url":"https://api.github.com/users/timothywarner/following{/other_user}","gists_url":"https://api.github.com/users/timothywarner/gists{/gist_id}","starred_url":"https://api.github.com/users/timothywarner/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/timothywarner/subscriptions","organizations_url":"https://api.github.com/users/timothywarner/orgs","repos_url":"https://api.github.com/users/timothywarner/repos","events_url":"https://api.github.com/users/timothywarner/events{/privacy}","received_events_url":"https://api.github.com/users/timothywarner/received_events","type":"User","site_admin":false},"dismissed_reason":"fix_started","dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":10,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"Werkzeug"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-px8h-6qxv-m22q","cve_id":"CVE-2023-23934","summary":"Incorrect parsing of nameless cookies leads to __Host- cookies bypass","description":"Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. 
A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain.\n\nWerkzeug <= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.","severity":"low","identifiers":[{"value":"GHSA-px8h-6qxv-m22q","type":"GHSA"},{"value":"CVE-2023-23934","type":"CVE"}],"references":[{"url":"https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23934"},{"url":"https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028"},{"url":"https://github.com/pallets/werkzeug/releases/tag/2.2.3"},{"url":"https://www.debian.org/security/2023/dsa-5470"},{"url":"https://security.netapp.com/advisory/ntap-20230818-0003/"},{"url":"https://github.com/advisories/GHSA-px8h-6qxv-m22q"}],"published_at":"2023-02-15T15:37:03Z","updated_at":"2023-09-04T05:06:48Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"Werkzeug"},"severity":"low","vulnerable_version_range":"< 2.2.3","first_patched_version":{"identifier":"2.2.3"}}],"cvss":{"vector_string":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","score":2.6},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"Werkzeug"},"severity":"low","vulnerable_version_range":"< 
2.2.3","first_patched_version":{"identifier":"2.2.3"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/10","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/10","created_at":"2024-01-25T12:54:33Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":9,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"Werkzeug"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-xg9f-g7g7-2323","cve_id":"CVE-2023-25577","summary":"High resource usage when parsing multipart form data with many fields","description":"Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. 
If many concurrent requests are sent continuously, this can exhaust or kill all available workers.","severity":"high","identifiers":[{"value":"GHSA-xg9f-g7g7-2323","type":"GHSA"},{"value":"CVE-2023-25577","type":"CVE"}],"references":[{"url":"https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25577"},{"url":"https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1"},{"url":"https://github.com/pallets/werkzeug/releases/tag/2.2.3"},{"url":"https://www.debian.org/security/2023/dsa-5470"},{"url":"https://security.netapp.com/advisory/ntap-20230818-0003/"},{"url":"https://github.com/advisories/GHSA-xg9f-g7g7-2323"}],"published_at":"2023-02-15T15:36:26Z","updated_at":"2023-08-18T15:47:26Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"Werkzeug"},"severity":"high","vulnerable_version_range":"< 2.2.3","first_patched_version":{"identifier":"2.2.3"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"Werkzeug"},"severity":"high","vulnerable_version_range":"< 
2.2.3","first_patched_version":{"identifier":"2.2.3"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/9","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/9","created_at":"2024-01-25T12:54:33Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":8,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"werkzeug"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-j544-7q9p-6xp8","cve_id":"CVE-2019-14322","summary":"Pallets Werkzeug vulnerable to Path Traversal","description":"In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.","severity":"high","identifiers":[{"value":"GHSA-j544-7q9p-6xp8","type":"GHSA"},{"value":"CVE-2019-14322","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14322"},{"url":"https://palletsprojects.com/blog/werkzeug-0-15-5-released/"},{"url":"http://packetstormsecurity.com/files/163398/Pallets-Werkzeug-0.15.4-Path-Traversal.html"},{"url":"https://github.com/advisories/GHSA-j544-7q9p-6xp8"}],"published_at":"2022-05-24T16:51:33Z","updated_at":"2023-02-02T01:32:53Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"high","vulnerable_version_range":"< 0.15.5","first_patched_version":{"identifier":"0.15.5"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"high","vulnerable_version_range":"< 
0.15.5","first_patched_version":{"identifier":"0.15.5"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/8","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/8","created_at":"2024-01-25T12:54:33Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":7,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"jinja2"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-g3rq-g295-4j3m","cve_id":"CVE-2020-28493","summary":"Regular Expression Denial of Service (ReDoS) in Jinja2","description":"This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.","severity":"medium","identifiers":[{"value":"GHSA-g3rq-g295-4j3m","type":"GHSA"},{"value":"CVE-2020-28493","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28493"},{"url":"https://github.com/pallets/jinja/pull/1343"},{"url":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"},{"url":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"},{"url":"https://security.gentoo.org/glsa/202107-19"},{"url":"https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d"},{"url":"https://github.com/advisories/GHSA-g3rq-g295-4j3m"}],"published_at":"2021-03-19T21:28:05Z","updated_at":"2023-09-07T19:35:25Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"jinja2"},"severity":"medium","vulnerable_version_range":"< 2.11.3","first_patched_version":{"identifier":"2.11.3"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"jinja2"},"severity":"medium","vulnerable_version_range":"< 2.11.3","first_patched_version":{"identifier":"2.11.3"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/7","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/7","created_at":"2024-01-25T12:54:33Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":6,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"werkzeug"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-gq9m-qvpx-68hc","cve_id":"CVE-2019-14806","summary":"Pallets Werkzeug Insufficient Entropy","description":"Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine 
id.","severity":"high","identifiers":[{"value":"GHSA-gq9m-qvpx-68hc","type":"GHSA"},{"value":"CVE-2019-14806","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14806"},{"url":"https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168"},{"url":"https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246"},{"url":"https://palletsprojects.com/blog/werkzeug-0-15-3-released/"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html"},{"url":"https://github.com/advisories/GHSA-gq9m-qvpx-68hc"}],"published_at":"2019-08-21T16:15:24Z","updated_at":"2023-08-31T09:34:58Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"high","vulnerable_version_range":"< 0.15.3","first_patched_version":{"identifier":"0.15.3"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-331","name":"Insufficient Entropy"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"werkzeug"},"severity":"high","vulnerable_version_range":"< 0.15.3","first_patched_version":{"identifier":"0.15.3"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/6","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/6","created_at":"2024-01-25T12:54:33Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":5,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"Jinja2"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-462w-v97r-4m45","cve_id":"CVE-2019-10906","summary":"Jinja2 sandbox escape via string formatting","description":"In Pallets Jinja before 
2.10.1, `str.format_map` allows a sandbox escape.\n\nThe sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox.\n\nThis issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods.\n\nIf you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.","severity":"high","identifiers":[{"value":"GHSA-462w-v97r-4m45","type":"GHSA"},{"value":"CVE-2019-10906","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10906"},{"url":"https://access.redhat.com/errata/RHSA-2019:1152"},{"url":"https://access.redhat.com/errata/RHSA-2019:1237"},{"url":"https://access.redhat.com/errata/RHSA-2019:1329"},{"url":"https://github.com/advisories/GHSA-462w-v97r-4m45"},{"url":"https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159
e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E"},{"url":"https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/"},{"url":"https://palletsprojects.com/blog/jinja-2-10-1-released"},{"url":"https://usn.ubuntu.com/4011-1/"},{"url":"https://usn.ubuntu.com/4011-2/"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"}],"published_at":"2019-04-10T14:30:24Z","updated_at":"2023-08-30T21:01:32Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"Jinja2"},"severity":"high","vulnerable_version_range":"< 2.10.1","first_patched_version":{"identifier":"2.10.1"}}],"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","score":8.6},"cwes":[{"cwe_id":"CWE-693","name":"Protection Mechanism Failure"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"Jinja2"},"severity":"high","vulnerable_version_range":"< 
2.10.1","first_patched_version":{"identifier":"2.10.1"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/5","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/5","created_at":"2024-01-25T12:54:33Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":4,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"jinja2"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-h5c8-rqwp-cp95","cve_id":"CVE-2024-22195","summary":"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter","description":"The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. 
Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.","severity":"medium","identifiers":[{"value":"GHSA-h5c8-rqwp-cp95","type":"GHSA"},{"value":"CVE-2024-22195","type":"CVE"}],"references":[{"url":"https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22195"},{"url":"https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7"},{"url":"https://github.com/pallets/jinja/releases/tag/3.1.3"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/"},{"url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"},{"url":"https://github.com/advisories/GHSA-h5c8-rqwp-cp95"}],"published_at":"2024-01-11T15:20:48Z","updated_at":"2024-01-25T03:30:58Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"jinja2"},"severity":"medium","vulnerable_version_range":"< 3.1.3","first_patched_version":{"identifier":"3.1.3"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","score":5.4},"cwes":[{"cwe_id":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"jinja2"},"severity":"medium","vulnerable_version_range":"< 
3.1.3","first_patched_version":{"identifier":"3.1.3"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/4","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/4","created_at":"2024-01-24T21:20:00Z","updated_at":"2024-01-24T21:20:00Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":3,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"requests"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-j8r2-6x86-q33q","cve_id":"CVE-2023-32681","summary":"Unintended leak of Proxy-Authorization header in requests","description":"### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP → HTTPS: **leak**\n2. HTTPS → HTTP: **no leak**\n3. HTTPS → HTTPS: **leak**\n4. HTTP → HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. 
This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. 
Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, ([email protected])","severity":"medium","identifiers":[{"value":"GHSA-j8r2-6x86-q33q","type":"GHSA"},{"value":"CVE-2023-32681","type":"CVE"}],"references":[{"url":"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"},{"url":"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32681"},{"url":"https://github.com/psf/requests/releases/tag/v2.31.0"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"},{"url":"https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html"},{"url":"https://security.gentoo.org/glsa/202309-08"},{"url":"https://github.com/advisories/GHSA-j8r2-6x86-q33q"}],"published_at":"2023-05-22T20:36:32Z","updated_at":"2023-11-11T05:01:31Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"requests"},"severity":"medium","vulnerable_version_range":">= 2.3.0, < 2.31.0","first_patched_version":{"identifier":"2.31.0"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N","score":6.1},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"requests"},"severity":"medium","vulnerable_version_range":">= 2.3.0, < 
2.31.0","first_patched_version":{"identifier":"2.31.0"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/3","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/3","created_at":"2024-01-24T21:13:11Z","updated_at":"2024-01-24T21:13:11Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":2,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"flask"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-m2qf-hxjv-5gpq","cve_id":"CVE-2023-30861","summary":"Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header","description":"When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on _all_ these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets [`session.permanent = True`](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent).\n3. The application does not access or modify the session at any point during a request.\n4. [`SESSION_REFRESH_EACH_REQUEST`](https://flask.palletsprojects.com/en/2.3.x/config/#SESSION_REFRESH_EACH_REQUEST) is enabled (the default).\n5. 
The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.","severity":"high","identifiers":[{"value":"GHSA-m2qf-hxjv-5gpq","type":"GHSA"},{"value":"CVE-2023-30861","type":"CVE"}],"references":[{"url":"https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq"},{"url":"https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b"},{"url":"https://github.com/pallets/flask/releases/tag/2.3.2"},{"url":"https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30861"},{"url":"https://github.com/pallets/flask/releases/tag/2.2.5"},{"url":"https://github.com/pypa/advisory-database/tree/main/vulns/flask/PYSEC-2023-62.yaml"},{"url":"https://www.debian.org/security/2023/dsa-5442"},{"url":"https://security.netapp.com/advisory/ntap-20230818-0006/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html"},{"url":"https://github.com/advisories/GHSA-m2qf-hxjv-5gpq"}],"published_at":"2023-05-01T19:22:20Z","updated_at":"2023-11-06T05:03:38Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"flask"},"severity":"high","vulnerable_version_range":">= 2.3.0, < 2.3.2","first_patched_version":{"identifier":"2.3.2"}},{"package":{"ecosystem":"pip","name":"flask"},"severity":"high","vulnerable_version_range":"< 2.2.5","first_patched_version":{"identifier":"2.2.5"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-539","name":"Use of Persistent Cookies Containing Sensitive Information"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"flask"},"severity":"high","vulnerable_version_range":"< 
2.2.5","first_patched_version":{"identifier":"2.2.5"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/2","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/2","created_at":"2024-01-24T21:13:11Z","updated_at":"2024-01-25T12:54:34Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":1,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"requests"},"manifest_path":"requirements.txt","scope":"runtime"},"security_advisory":{"ghsa_id":"GHSA-x84v-xcm2-53pg","cve_id":"CVE-2018-18074","summary":"Insufficiently Protected Credentials in Requests","description":"The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.","severity":"high","identifiers":[{"value":"GHSA-x84v-xcm2-53pg","type":"GHSA"},{"value":"CVE-2018-18074","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-18074"},{"url":"https://github.com/requests/requests/issues/4716"},{"url":"https://github.com/requests/requests/pull/4718"},{"url":"https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff"},{"url":"https://access.redhat.com/errata/RHSA-2019:2035"},{"url":"https://bugs.debian.org/910766"},{"url":"https://github.com/advisories/GHSA-x84v-xcm2-53pg"},{"url":"https://usn.ubuntu.com/3790-1/"},{"url":"https://usn.ubuntu.com/3790-2/"},{"url":"http://docs.python-requests.org/en/master/community/updates/#release-and-version-history"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"published_at":"2018-10-29T19:06:46Z","updated_at":"2023-02-01T05:04:21Z","withdrawn_at":null,"vulnerabilities":[{"
package":{"ecosystem":"pip","name":"requests"},"severity":"high","vulnerable_version_range":"<= 2.19.1","first_patched_version":{"identifier":"2.20.0"}}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-522","name":"Insufficiently Protected Credentials"}]},"security_vulnerability":{"package":{"ecosystem":"pip","name":"requests"},"severity":"high","vulnerable_version_range":"<= 2.19.1","first_patched_version":{"identifier":"2.20.0"}},"url":"https://api.github.com/repos/timothywarner-org/openai-chat/dependabot/alerts/1","html_url":"https://github.com/timothywarner-org/openai-chat/security/dependabot/1","created_at":"2024-01-24T21:13:11Z","updated_at":"2024-01-25T12:54:33Z","dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2024-01-25T12:54:33Z","auto_dismissed_at":null}]