diff --git a/audits/aws-sam-cli-requirements.audit.json b/audits/aws-sam-cli-requirements.audit.json
deleted file mode 100644
index 0552c621..00000000
--- a/audits/aws-sam-cli-requirements.audit.json
+++ /dev/null
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "aws-sam-cli-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - 
"2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/buku-requirements.audit.json b/audits/buku-requirements.audit.json index a4eaa143..d53f68f4 100644 --- a/audits/buku-requirements.audit.json +++ b/audits/buku-requirements.audit.json @@ -201,6 +201,9 @@ "aliases": [ "CVE-2024-49766" ], + "related": [ + "CGA-386h-56mx-h78g" + ], "summary": "Werkzeug safe_join not safe on Windows", "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", "affected": [ @@ -373,6 +376,9 @@ "aliases": [ "CVE-2024-49767" ], + "related": [ + "CGA-3m9h-7wmp-p5r3" + ], "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", "affected": [ diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json index 3c806f19..d62f20f2 100644 --- a/audits/certsync-requirements.audit.json +++ b/audits/certsync-requirements.audit.json 
@@ -17,6 +17,9 @@ "aliases": [ "CVE-2024-49766" ], + "related": [ + "CGA-386h-56mx-h78g" + ], "summary": "Werkzeug safe_join not safe on Windows", "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", "affected": [ @@ -189,6 +192,9 @@ "aliases": [ "CVE-2024-49767" ], + "related": [ + "CGA-3m9h-7wmp-p5r3" + ], "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", "affected": [ diff --git a/audits/cloudformation-cli-requirements.audit.json b/audits/cloudformation-cli-requirements.audit.json deleted file mode 100644 index 6652ef92..00000000 --- a/audits/cloudformation-cli-requirements.audit.json +++ /dev/null 
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "cloudformation-cli-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - 
"2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/fastapi-requirements.audit.json b/audits/fastapi-requirements.audit.json deleted file mode 100644 index e14848ee..00000000 --- a/audits/fastapi-requirements.audit.json +++ /dev/null 
@@ -1,262 +0,0 @@ -[ - { - "package": { - "name": "starlette", - "version": "0.39.2", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "fastapi-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-15T20:01:19Z", - "published": "2024-10-15T18:12:57Z", - "schema_version": "1.6.0", - "id": "GHSA-f96h-pmfr-66vw", - "aliases": [ - "CVE-2024-47874" - ], - "summary": "Starlette Denial of service (DoS) via multipart/form-data", - "details": "### Summary\nStarlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.\n\n### PoC\n\n```python\nfrom starlette.applications import Starlette\nfrom starlette.routing import Route\n\nasync def poc(request):\n async with request.form():\n pass\n\napp = Starlette(routes=[\n Route('/', poc, methods=[\"POST\"]),\n])\n```\n\n```sh\ncurl http://localhost:8000 -F 'big== 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - 
"0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", 
- "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - 
"2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": 
"https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" - }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/gdbgui-requirements.audit.json b/audits/gdbgui-requirements.audit.json index 7fe76fff..7eb85a7d 100644 --- a/audits/gdbgui-requirements.audit.json +++ b/audits/gdbgui-requirements.audit.json @@ -789,6 +789,9 @@ "aliases": [ "CVE-2024-49766" ], + "related": [ + "CGA-386h-56mx-h78g" + ], "summary": "Werkzeug safe_join not safe on Windows", "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", "affected": [ 
@@ -1182,6 +1185,9 @@ "aliases": [ "CVE-2024-49767" ], + "related": [ + "CGA-3m9h-7wmp-p5r3" + ], "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", "affected": [ diff --git a/audits/grip-requirements.audit.json b/audits/grip-requirements.audit.json deleted file mode 100644 index 96fc5784..00000000 --- a/audits/grip-requirements.audit.json +++ /dev/null 
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "grip-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - 
"2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/icloudpd-requirements.audit.json b/audits/icloudpd-requirements.audit.json index 1c4d10fc..da7f6c33 100644 --- a/audits/icloudpd-requirements.audit.json +++ b/audits/icloudpd-requirements.audit.json 
@@ -1692,474 +1692,5 @@ "max_severity": "8.1" } ] - }, - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "icloudpd-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", 
- "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] } ] \ No newline at end of file diff --git a/audits/locust-requirements.audit.json b/audits/locust-requirements.audit.json deleted file mode 100644 index aef60c84..00000000 --- a/audits/locust-requirements.audit.json +++ /dev/null 
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "locust-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - 
"2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/mapproxy-requirements.audit.json b/audits/mapproxy-requirements.audit.json index ded1445e..a0677fc8 100644 --- a/audits/mapproxy-requirements.audit.json +++ b/audits/mapproxy-requirements.audit.json @@ -201,6 +201,9 @@ "aliases": [ "CVE-2024-49766" ], + "related": [ + "CGA-386h-56mx-h78g" + ], "summary": "Werkzeug safe_join not safe on Windows", "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", "affected": [ @@ -763,6 +766,9 @@ "aliases": [ "CVE-2024-49767" ], + "related": [ + "CGA-3m9h-7wmp-p5r3" + ], "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", "affected": [ diff --git a/audits/moto-requirements.audit.json b/audits/moto-requirements.audit.json deleted file mode 100644 index 86238843..00000000 --- a/audits/moto-requirements.audit.json +++ /dev/null 
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "moto-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - 
"2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/pdfalyzer-requirements.audit.json b/audits/pdfalyzer-requirements.audit.json deleted file mode 100644 index e918f965..00000000 --- a/audits/pdfalyzer-requirements.audit.json +++ /dev/null 
@@ -1,178 +0,0 @@ -[ - { - "package": { - "name": "pypdf2", - "version": "2.12.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "pdfalyzer-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-02-16T08:11:47Z", - "published": "2023-06-30T20:33:57Z", - "schema_version": "1.6.0", - "id": "GHSA-4vvm-4w3v-6mr8", - "aliases": [ - "CVE-2023-36464" - ], - "summary": "pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a character", - "details": "### Impact\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted text from such a PDF.\n\nExample Code and a PDF that causes the issue:\n\n```python\nfrom pypdf import PdfReader\n\n# https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/3119517/11367871?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230627T201018Z&X-Amz-Expires=300&X-Amz-Signature=d71c8fd9181c4875f0c04d563b6d32f1d4da6e7b2e6be2f14479ce4ecdc9c8b2&X-Amz-SignedHeaders=host&actor_id=1658117&key_id=0&repo_id=3119517&response-content-disposition=attachment%3Bfilename%3DMiFO_LFO_FEIS_NOA_Published.3.pdf&response-content-type=application%2Fpdf\nreader = PdfReader(\"MiFO_LFO_FEIS_NOA_Published.3.pdf\")\npage = reader.pages[0]\npage.extract_text()\n```\n\nThe issue was introduced with https://github.com/py-pdf/pypdf/pull/969\n\n### Patches\n\nThe issue was fixed with https://github.com/py-pdf/pypdf/pull/1828\n\n### Workarounds\n\nIt is recommended to upgrade to `pypdf>=3.9.0`. 
PyPDF2 users should migrate to pypdf.\n\nIf you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py`:\n\n```\nOLD: while peek not in (b\"\\r\", b\"\\n\"):\nNEW: while peek not in (b\"\\r\", b\"\\n\", b\"\"):\n```", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "pypdf", - "purl": "pkg:pypi/pypdf" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.1.0" - }, - { - "fixed": "3.9.0" - } - ] - } - ], - "versions": [ - "3.1.0", - "3.2.0", - "3.2.1", - "3.3.0", - "3.4.0", - "3.4.1", - "3.5.0", - "3.5.1", - "3.5.2", - "3.6.0", - "3.7.0", - "3.7.1", - "3.8.0", - "3.8.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-4vvm-4w3v-6mr8/GHSA-4vvm-4w3v-6mr8.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "pypdf2", - "purl": "pkg:pypi/pypdf2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.2.0" - }, - { - "last_affected": "3.0.1" - } - ] - } - ], - "versions": [ - "2.10.0", - "2.10.1", - "2.10.2", - "2.10.3", - "2.10.4", - "2.10.5", - "2.10.6", - "2.10.7", - "2.10.8", - "2.10.9", - "2.11.0", - "2.11.1", - "2.11.2", - "2.12.0", - "2.12.1", - "2.2.0", - "2.2.1", - "2.3.0", - "2.3.1", - "2.4.0", - "2.4.1", - "2.4.2", - "2.5.0", - "2.6.0", - "2.7.0", - "2.8.0", - "2.8.1", - "2.9.0", - "3.0.0", - "3.0.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-4vvm-4w3v-6mr8/GHSA-4vvm-4w3v-6mr8.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36464" - }, - { - "type": "WEB", - "url": 
"https://github.com/py-pdf/pypdf/pull/1828" - }, - { - "type": "WEB", - "url": "https://github.com/py-pdf/pypdf/pull/969" - }, - { - "type": "WEB", - "url": "https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932" - }, - { - "type": "PACKAGE", - "url": "https://github.com/py-pdf/pypdf" - }, - { - "type": "WEB", - "url": "https://github.com/py-pdf/pypdf/releases/tag/3.9.0" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-835" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-06-30T20:33:57Z", - "nvd_published_at": "2023-06-27T22:15:11Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-4vvm-4w3v-6mr8" - ], - "aliases": [ - "CVE-2023-36464", - "GHSA-4vvm-4w3v-6mr8" - ], - "max_severity": "6.2" - } - ] - } -] \ No newline at end of file diff --git a/audits/prowler-requirements.audit.json b/audits/prowler-requirements.audit.json deleted file mode 100644 index 7004a5e5..00000000 --- a/audits/prowler-requirements.audit.json +++ /dev/null 
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "prowler-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - 
"2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json index f10a605a..5f64f5d1 100644 --- a/audits/recon-ng-requirements.audit.json +++ b/audits/recon-ng-requirements.audit.json @@ -17,6 +17,9 @@ "aliases": [ "CVE-2024-49766" ], + "related": [ + "CGA-386h-56mx-h78g" + ], "summary": "Werkzeug safe_join not safe on Windows", "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", "affected": [ @@ -189,6 +192,9 @@ "aliases": [ "CVE-2024-49767" ], + "related": [ + "CGA-3m9h-7wmp-p5r3" + ], "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.", "affected": [ diff --git a/audits/schemathesis-requirements.audit.json b/audits/schemathesis-requirements.audit.json deleted file mode 100644 index f0c3413c..00000000 --- a/audits/schemathesis-requirements.audit.json +++ /dev/null 
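Review bot: audits/recon-ng-requirements.audit.json is only amended here (two `related` arrays added) while the sibling audit files for aws-sam-cli, pdfalyzer, prowler and schemathesis are deleted, so the recon-ng group still carries the GHSA-f9vj-2wh5-fj8j and GHSA-q34m-jh98-gwm2 findings that the other groups cleared by moving to `werkzeug==3.0.6`. No requirements/recon-ng-requirements.txt hunk appears in this chunk and the audit's package block sits outside both hunks, so this is inferred from the file being modified rather than removed. If recon-ng is held below 3.0.6 on purpose, a sentence in the commit description saying why (and until when) would keep the retained audit from reading as an oversight.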
@@ -1,471 +0,0 @@ -[ - { - "package": { - "name": "werkzeug", - "version": "3.0.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "schemathesis-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-10-25T21:42:39Z", - "published": "2024-10-25T19:43:41Z", - "schema_version": "1.6.0", - "id": "GHSA-f9vj-2wh5-fj8j", - "aliases": [ - "CVE-2024-49766" - ], - "summary": "Werkzeug safe_join not safe on Windows", - "details": "On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - 
"2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f9vj-2wh5-fj8j/GHSA-f9vj-2wh5-fj8j.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49766" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-22" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:43:41Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-25T21:45:09Z", - "published": "2024-10-25T19:44:43Z", - "schema_version": "1.6.0", - "id": "GHSA-q34m-jh98-gwm2", - "aliases": [ - "CVE-2024-49767" - ], - "summary": "Werkzeug possible resource exhaustion when parsing file data in forms", - "details": "Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.\n\nThe `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. 
All three types of limits should be considered and set appropriately when deploying an application.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "werkzeug", - "purl": "pkg:pypi/werkzeug" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.6" - } - ] - } - ], - "versions": [ - "0.1", - "0.10", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.11", - "0.11.1", - "0.11.10", - "0.11.11", - "0.11.12", - "0.11.13", - "0.11.14", - "0.11.15", - "0.11.2", - "0.11.3", - "0.11.4", - "0.11.5", - "0.11.6", - "0.11.7", - "0.11.8", - "0.11.9", - "0.12", - "0.12.1", - "0.12.2", - "0.13", - "0.14", - "0.14.1", - "0.15.0", - "0.15.1", - "0.15.2", - "0.15.3", - "0.15.4", - "0.15.5", - "0.15.6", - "0.16.0", - "0.16.1", - "0.2", - "0.3", - "0.3.1", - "0.4", - "0.4.1", - "0.5", - "0.5.1", - "0.6", - "0.6.1", - "0.6.2", - "0.7", - "0.7.1", - "0.7.2", - "0.8", - "0.8.1", - "0.8.2", - "0.8.3", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "1.0.0", - "1.0.0rc1", - "1.0.1", - "2.0.0", - "2.0.0rc1", - "2.0.0rc2", - "2.0.0rc3", - "2.0.0rc4", - "2.0.0rc5", - "2.0.1", - "2.0.2", - "2.0.3", - "2.1.0", - "2.1.1", - "2.1.2", - "2.2.0", - "2.2.0a1", - "2.2.1", - "2.2.2", - "2.2.3", - "2.3.0", - "2.3.1", - "2.3.2", - "2.3.3", - "2.3.4", - "2.3.5", - "2.3.6", - "2.3.7", - "2.3.8", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.5", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "quart", - "purl": "pkg:pypi/quart" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.19.7" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.10.0", - "0.11.0", - "0.11.1", - "0.11.2", - "0.11.3", - 
"0.11.4", - "0.11.5", - "0.12.0", - "0.13.0", - "0.13.1", - "0.14.0", - "0.14.1", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.17.0", - "0.18.0", - "0.18.1", - "0.18.2", - "0.18.3", - "0.18.4", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.19.6", - "0.2.0", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.5.0", - "0.6.0", - "0.6.1", - "0.6.10", - "0.6.11", - "0.6.12", - "0.6.13", - "0.6.14", - "0.6.15", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - "0.6.8", - "0.6.9", - "0.7.0", - "0.7.1", - "0.7.2", - "0.8.0", - "0.8.1", - "0.9.0", - "0.9.1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.19.6", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-q34m-jh98-gwm2/GHSA-q34m-jh98-gwm2.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/werkzeug" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-10-25T19:44:43Z", - "nvd_published_at": "2024-10-25T20:15:04Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-f9vj-2wh5-fj8j" - ], - "aliases": [ - "CVE-2024-49766", - "GHSA-f9vj-2wh5-fj8j" - ], - "max_severity": "6.3" 
- }, - { - "ids": [ - "GHSA-q34m-jh98-gwm2" - ], - "aliases": [ - "CVE-2024-49767", - "GHSA-q34m-jh98-gwm2" - ], - "max_severity": "6.9" - } - ] - } -] \ No newline at end of file
diff --git a/requirements/aws-sam-cli-requirements.txt b/requirements/aws-sam-cli-requirements.txt
index e03354d2..0c5c4850 100644
--- a/requirements/aws-sam-cli-requirements.txt
+++ b/requirements/aws-sam-cli-requirements.txt
@@ -5,10 +5,10 @@ aws-lambda-builders==1.50.0
 aws-sam-translator==1.91.0
 binaryornot==0.4.4
 blinker==1.8.2
-boto3==1.35.43
+boto3==1.35.49
 boto3-stubs==1.35.32
-botocore==1.35.43
-botocore-stubs==1.35.43
+botocore==1.35.49
+botocore-stubs==1.35.49
 cfn-lint==1.16.1
 chardet==5.2.0
 charset-normalizer==3.4.0
@@ -27,7 +27,7 @@ jsonpointer==3.0.0
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
 markdown-it-py==3.0.0
-markupsafe==3.0.1
+markupsafe==3.0.2
 mdurl==0.1.2
 mpmath==1.3.0
 mypy-boto3-apigateway==1.35.25
@@ -35,16 +35,16 @@ mypy-boto3-cloudformation==1.35.41
 mypy-boto3-ecr==1.35.21
 mypy-boto3-iam==1.35.0
 mypy-boto3-kinesis==1.35.26
-mypy-boto3-lambda==1.35.28
-mypy-boto3-s3==1.35.42
+mypy-boto3-lambda==1.35.49
+mypy-boto3-s3==1.35.46
 mypy-boto3-schemas==1.35.0
 mypy-boto3-secretsmanager==1.35.0
 mypy-boto3-signer==1.35.0
 mypy-boto3-sqs==1.35.0
-mypy-boto3-stepfunctions==1.35.9
+mypy-boto3-stepfunctions==1.35.46
 mypy-boto3-sts==1.35.0
 mypy-boto3-xray==1.35.0
-networkx==3.4.1
+networkx==3.4.2
 pydantic==2.9.2
 pydantic-core==2.23.4
 pygments==2.18.0
@@ -56,7 +56,7 @@ pyyaml==6.0.2
 referencing==0.35.1
 regex==2024.9.11
 requests==2.32.3
-rich==13.9.2
+rich==13.9.3
 rpds-py==0.20.0
 ruamel-yaml==0.18.6
 s3transfer==0.10.3
@@ -65,12 +65,12 @@ six==1.16.0
 sympy==1.13.3
 text-unidecode==1.3
 tomlkit==0.13.2
-types-awscrt==0.22.0
+types-awscrt==0.23.0
 types-python-dateutil==2.9.0.20241003
 types-s3transfer==0.10.3
 typing-extensions==4.12.2
 tzlocal==5.2
 urllib3==2.2.3
 watchdog==5.0.3
-werkzeug==3.0.4
+werkzeug==3.0.6
 wheel==0.44.0
diff --git a/requirements/checkdmarc-requirements.txt b/requirements/checkdmarc-requirements.txt
index f0d1d7dd..bff632ed 100644
--- a/requirements/checkdmarc-requirements.txt
+++ b/requirements/checkdmarc-requirements.txt
@@ -2,8 +2,9 @@ charset-normalizer==3.4.0
 dnspython==2.7.0
 expiringdict==1.2.2
 idna==3.10
-publicsuffixlist==1.0.2.20241010
+publicsuffixlist==1.0.2.20241026
 pyleri==1.4.3
 requests==2.32.3
 timeout-decorator==0.5.0
 urllib3==2.2.3
+xmltodict==0.14.2
diff --git a/requirements/cloudformation-cli-requirements.txt b/requirements/cloudformation-cli-requirements.txt
index f58a66b2..cba82d1c 100644
--- a/requirements/cloudformation-cli-requirements.txt
+++ b/requirements/cloudformation-cli-requirements.txt
@@ -1,10 +1,10 @@
 annotated-types==0.7.0
 attrs==24.2.0
 aws-sam-translator==1.91.0
-boto3==1.35.39
-botocore==1.35.39
+boto3==1.35.49
+botocore==1.35.49
 cfn-flip==1.3.0
-cfn-lint==1.16.1
+cfn-lint==1.18.1
 charset-normalizer==3.4.0
 click==8.1.7
 cloudformation-cli-go-plugin==2.2.0
@@ -12,7 +12,7 @@ cloudformation-cli-java-plugin==2.1.1
 cloudformation-cli-python-plugin==2.1.9
 colorama==0.4.6
 docker==7.1.0
-hypothesis==6.114.1
+hypothesis==6.115.5
 idna==3.10
 iniconfig==2.0.0
 jinja2==3.1.4
@@ -20,10 +20,10 @@ jmespath==1.0.1
 jsonpatch==1.33
 jsonpointer==3.0.0
 jsonschema==4.17.3
-markupsafe==3.0.1
+markupsafe==3.0.2
 mpmath==1.3.0
 nested-lookup==0.2.25
-networkx==3.4.1
+networkx==3.4.2
 ordered-set==4.1.0
 packaging==24.1
 pluggy==1.5.0
@@ -39,11 +39,11 @@ regex==2024.9.11
 requests==2.32.3
 s3transfer==0.10.3
 semver==3.0.2
-setuptools==75.1.0
+setuptools==75.2.0
 six==1.16.0
 sortedcontainers==2.4.0
 sympy==1.13.3
 types-dataclasses==0.6.6
 typing-extensions==4.12.2
 urllib3==2.2.3
-werkzeug==3.0.4
+werkzeug==3.0.6
diff --git a/requirements/fastapi-requirements.txt b/requirements/fastapi-requirements.txt
index 9086b2b3..82ec2e5c 100644
--- a/requirements/fastapi-requirements.txt
+++ b/requirements/fastapi-requirements.txt
@@ -1,17 +1,17 @@
 annotated-types==0.7.0
-anyio==4.6.0
+anyio==4.6.2.post1
 click==8.1.7
 dnspython==2.7.0
 email-validator==2.2.0
 fastapi-cli==0.0.5
 h11==0.14.0
 httpcore==1.0.6
-httptools==0.6.1
+httptools==0.6.4
 httpx==0.27.2
 idna==3.10
 jinja2==3.1.4
 markdown-it-py==3.0.0
-markupsafe==3.0.1
+markupsafe==3.0.2
 mdurl==0.1.2
 pydantic==2.9.2
 pydantic-core==2.23.4
@@ -19,13 +19,13 @@ pygments==2.18.0
 python-dotenv==1.0.1
 python-multipart==0.0.12
 pyyaml==6.0.2
-rich==13.9.2
+rich==13.9.3
 shellingham==1.5.4
 sniffio==1.3.1
-starlette==0.39.2
+starlette==0.41.0
 typer==0.12.5
 typing-extensions==4.12.2
-uvicorn==0.31.1
-uvloop==0.21.0b1
+uvicorn==0.32.0
+uvloop==0.21.0
 watchfiles==0.24.0
 websockets==13.1
diff --git a/requirements/fava-requirements.txt b/requirements/fava-requirements.txt
index 9f8087ec..e5092758 100644
--- a/requirements/fava-requirements.txt
+++ b/requirements/fava-requirements.txt
@@ -1,4 +1,4 @@
-anyio==4.6.0
+anyio==4.6.2.post1
 babel==2.16.0
 beancount==2.3.6
 beautifulsoup4==4.12.3
@@ -24,17 +24,17 @@ jaraco-functools==4.1.0
 jinja2==3.1.4
 lxml==5.3.0
 markdown2==2.5.1
-markupsafe==3.0.1
+markupsafe==3.0.2
 more-itertools==10.5.0
 packaging==24.1
 pdfminer2==20151206
 pluggy==1.5.0
 ply==3.11
-proto-plus==1.24.0
-protobuf==5.28.2
+proto-plus==1.25.0
+protobuf==5.28.3
 pyasn1==0.6.1
 pyasn1-modules==0.4.1
-pyparsing==3.1.4
+pyparsing==3.2.0
 pytest==8.3.3
 python-dateutil==2.9.0.post0
 python-magic==0.4.27
@@ -48,4 +48,4 @@ soupsieve==2.6
 uritemplate==4.1.1
 urllib3==2.2.3
 watchfiles==0.24.0
-werkzeug==3.0.4
+werkzeug==3.0.6
diff --git a/requirements/grip-requirements.txt b/requirements/grip-requirements.txt
index 14956ea4..57ea83f2 100644
--- a/requirements/grip-requirements.txt
+++ b/requirements/grip-requirements.txt
@@ -7,9 +7,9 @@ idna==3.10
 itsdangerous==2.2.0
 jinja2==3.1.4
 markdown==3.7
-markupsafe==3.0.1
+markupsafe==3.0.2
 path-and-address==2.0.1
 pygments==2.18.0
 requests==2.32.3
 urllib3==2.2.3
-werkzeug==3.0.4
+werkzeug==3.0.6
diff --git a/requirements/icloudpd-requirements.txt b/requirements/icloudpd-requirements.txt
index 5ff24393..598a3988 100644
--- a/requirements/icloudpd-requirements.txt
+++ b/requirements/icloudpd-requirements.txt
@@ -1,27 +1,28 @@
 blinker==1.8.2
 certifi==2022.12.7
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.6
 contextlib2==21.6.0
 flask==3.0.3
-idna==3.8
+idna==3.10
 itsdangerous==2.2.0
 jaraco-classes==3.4.0
 jaraco-context==6.0.1
-jaraco-functools==4.0.2
+jaraco-functools==4.1.0
 jinja2==3.1.4
 keyring==25.2.1
 keyrings-alt==5.0.1
-markupsafe==2.1.5
-more-itertools==10.4.0
+markupsafe==3.0.2
+more-itertools==10.5.0
 piexif==1.1.3
 pytz==2024.1
 requests==2.31.0
 schema==0.7.5
 six==1.16.0
+srp==1.0.21
 tqdm==4.66.4
 typing-extensions==4.11.0
 tzlocal==5.1
 urllib3==1.26.16
 waitress==3.0.0
-werkzeug==3.0.4
+Werkzeug==3.0.6
diff --git a/requirements/locust-requirements.txt b/requirements/locust-requirements.txt
index ad5c9239..268e3dd9 100644
--- a/requirements/locust-requirements.txt
+++ b/requirements/locust-requirements.txt
@@ -6,19 +6,19 @@ configargparse==1.7
 flask==3.0.3
 flask-cors==5.0.0
 flask-login==0.6.3
-gevent==24.10.2
+gevent==24.10.3
 geventhttpclient==2.3.1
 greenlet==3.1.1
 idna==3.10
 itsdangerous==2.2.0
 jinja2==3.1.4
-markupsafe==3.0.1
+markupsafe==3.0.2
 msgpack==1.1.0
-psutil==6.0.0
+psutil==6.1.0
 pyzmq==26.2.0
 requests==2.32.3
-setuptools==75.1.0
+setuptools==75.2.0
 urllib3==2.2.3
-werkzeug==3.0.4
+werkzeug==3.0.6
 zope-event==5.0
-zope-interface==7.1.0
+zope-interface==7.1.1
diff --git a/requirements/moto-requirements.txt b/requirements/moto-requirements.txt
index bce51bb3..9a7159ae 100644
--- a/requirements/moto-requirements.txt
+++ b/requirements/moto-requirements.txt
@@ -4,9 +4,9 @@ attrs==24.2.0
 aws-sam-translator==1.91.0
 aws-xray-sdk==2.14.0
 blinker==1.8.2
-boto3==1.35.44
-botocore==1.35.44
-cfn-lint==1.17.2
+boto3==1.35.49
+botocore==1.35.49
+cfn-lint==1.18.1
 charset-normalizer==3.4.0
 click==8.1.7
 docker==7.1.0
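Review bot: The icloudpd hunk writes the werkzeug pin as `Werkzeug==3.0.6` while every other requirements file touched in this commit uses lowercase `werkzeug==3.0.6`; pip normalizes distribution names, so the pin resolves either way, but any tooling that matches these files by literal name (the per-group audit files in audits/ record the package as lowercase `werkzeug`) may treat it as a different entry, so `werkzeug==3.0.6` is the consistent spelling (tmt's `markupSafe` has the same mixed case, but that predates this commit). The same hunk also leaves `certifi==2022.12.7`, `requests==2.31.0` and `urllib3==1.26.16` on older lines than the ones this commit settles other groups on (requests 2.32.3, urllib3 2.2.3); if icloudpd's own constraints force those pins, naming that constraint in the commit description would make it clear they were not simply skipped by the regeneration.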
@@ -29,7 +29,7 @@ lazy-object-proxy==1.10.0
 markupsafe==3.0.2
 mpmath==1.3.0
 multipart==1.1.0
-networkx==3.4.1
+networkx==3.4.2
 openapi-schema-validator==0.6.2
 openapi-spec-validator==0.7.1
 pathable==0.4.3
@@ -52,6 +52,6 @@ six==1.16.0
 sympy==1.13.3
 typing-extensions==4.12.2
 urllib3==2.2.3
-werkzeug==3.0.4
+werkzeug==3.0.6
 wrapt==1.16.0
 xmltodict==0.14.2
diff --git a/requirements/pdfalyzer-requirements.txt b/requirements/pdfalyzer-requirements.txt
index 5b5166c5..2da4c74d 100644
--- a/requirements/pdfalyzer-requirements.txt
+++ b/requirements/pdfalyzer-requirements.txt
@@ -2,7 +2,7 @@ anytree==2.12.1
 chardet==5.2.0
 commonmark==0.9.1
 pygments==2.18.0
-pypdf2==2.12.1
+pypdf==5.0.1
 python-dotenv==0.21.1
 rich==12.6.0
 rich-argparse-plus==0.3.1.4
diff --git a/requirements/prowler-requirements.txt b/requirements/prowler-requirements.txt
index d42446a8..6b603bf0 100644
--- a/requirements/prowler-requirements.txt
+++ b/requirements/prowler-requirements.txt
@@ -48,7 +48,7 @@ durationpy==0.9
 email-validator==2.1.1
 filelock==3.16.1
 flask==3.0.3
-frozenlist==1.4.1
+frozenlist==1.5.0
 google-api-core==2.21.0
 google-api-python-client==2.147.0
 google-auth==2.35.0
@@ -96,8 +96,8 @@ pendulum==3.0.0
 plotly==5.24.1
 portalocker==2.10.1
 propcache==0.2.0
-proto-plus==1.24.0
-protobuf==5.28.2
+proto-plus==1.25.0
+protobuf==5.28.3
 py-ocsf-models==0.1.1
 pyasn1==0.6.1
 pyasn1-modules==0.4.1
@@ -132,8 +132,8 @@ tzlocal==5.2
 uritemplate==4.1.1
 urllib3==2.2.3
 websocket-client==1.8.0
-werkzeug==3.0.4
+werkzeug==3.0.6
 wrapt==1.16.0
 xlsxwriter==3.2.0
-yarl==1.15.5
+yarl==1.16.0
 zipp==3.20.2
diff --git a/requirements/python-freethreading-requirements.txt b/requirements/python-freethreading-requirements.txt
new file mode 100644
index 00000000..d7c038f1
--- /dev/null
+++ b/requirements/python-freethreading-requirements.txt
@@ -0,0 +1,4 @@
+flit-core==3.9.0
+pip==24.2
+setuptools==75.1.0
+wheel==0.44.0
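Review bot: `pypdf==5.0.1` replacing `pypdf2==2.12.1` in pdfalyzer-requirements.txt is a change of distribution, not a version bump, and the two expose different import names (`pypdf` versus `PyPDF2`). Unless the pdfalyzer release these pins are generated for has itself moved to pypdf, pip will install a package the tool never imports while the dependency it does import goes unpinned and unaudited; the pdfalyzer version these pins target is not visible in this hunk, so that should be confirmed before merging. If the swap is intentional, a short `# pdfalyzer >= <version, from upstream changelog> imports pypdf, not PyPDF2` comment next to the pin would document why the name changed.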
diff --git a/requirements/safety-requirements.txt b/requirements/safety-requirements.txt
index 9ce7a67e..94250549 100644
--- a/requirements/safety-requirements.txt
+++ b/requirements/safety-requirements.txt
@@ -7,8 +7,8 @@ filelock==3.12.4
 idna==3.10
 jinja2==3.1.4
 markdown-it-py==3.0.0
-markupsafe==3.0.1
-marshmallow==3.22.0
+markupsafe==3.0.2
+marshmallow==3.23.0
 mdurl==0.1.2
 packaging==24.1
 psutil==6.0.0
@@ -16,10 +16,10 @@ pydantic==2.9.2
 pydantic-core==2.23.4
 pygments==2.18.0
 requests==2.32.3
-rich==13.9.2
+rich==13.9.3
 ruamel-yaml==0.18.6
-safety-schemas==0.0.5
-setuptools==75.1.0
+safety-schemas==0.0.8
+setuptools==75.2.0
 shellingham==1.5.4
 typer==0.12.5
 typing-extensions==4.12.2
diff --git a/requirements/schemathesis-requirements.txt b/requirements/schemathesis-requirements.txt
index 872e46c0..59bce650 100644
--- a/requirements/schemathesis-requirements.txt
+++ b/requirements/schemathesis-requirements.txt
@@ -11,7 +11,7 @@ h11==0.14.0
 harfile==0.3.0
 httpcore==1.0.6
 httpx==0.27.2
-hypothesis==6.115.3
+hypothesis==6.115.5
 hypothesis-graphql==0.11.1
 hypothesis-jsonschema==0.23.1
 idna==3.10
@@ -47,5 +47,5 @@ types-python-dateutil==2.9.0.20241003
 uri-template==1.3.0
 urllib3==2.2.3
 webcolors==24.8.0
-werkzeug==3.0.4
+werkzeug==3.0.6
 yarl==1.16.0
diff --git a/requirements/tmt-requirements.txt b/requirements/tmt-requirements.txt
index 1b5f5aee..443fa4e2 100644
--- a/requirements/tmt-requirements.txt
+++ b/requirements/tmt-requirements.txt
@@ -1,6 +1,6 @@
 appdirs==1.4.4
 attrs==24.2.0
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 docutils==0.21.2
 filelock==3.16.1
@@ -9,8 +9,8 @@ flexparser==0.3.1
 idna==3.10
 jinja2==3.1.4
 jsonschema==4.23.0
-jsonschema-specifications==2023.12.1
-markupSafe==2.1.5
+jsonschema-specifications==2024.10.1
+markupSafe==3.0.2
 packaging==24.1
 pint==0.24.3
 pygments==2.18.0
