diff --git a/audits/alot-requirements.audit.json b/audits/alot-requirements.audit.json index cfa68568..8024503b 100644 --- a/audits/alot-requirements.audit.json +++ b/audits/alot-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "alot-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", @@ -126,6 +129,9 @@ "version": "23.8.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "alot-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:41Z", diff --git a/audits/animdl-requirements.audit.json b/audits/animdl-requirements.audit.json index 5ac1de4d..07d650e8 100644 --- a/audits/animdl-requirements.audit.json +++ b/audits/animdl-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.14.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "animdl-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", 
@@ -204,16 +208,118 @@ "nvd_published_at": "2024-01-05T04:15:07Z", "severity": "MODERATE" } + }, + { + "modified": "2024-01-17T11:41:25Z", + "published": "2024-01-05T04:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-3", + "aliases": [ + "CVE-2023-52323", + "GHSA-j225-cvw7-qrx7" + ], + "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pycryptodomex", + "purl": "pkg:pypi/pycryptodomex" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.19.1" + } + ] + } + ], + "versions": [ + "3.10.1", + "3.10.3", + "3.10.4", + "3.11.0", + "3.12.0", + "3.13.0", + "3.14.0", + "3.14.1", + "3.15.0", + "3.16.0", + "3.17", + "3.18.0", + "3.19.0", + "3.4.1", + "3.4.11", + "3.4.12", + "3.4.2", + "3.4.3", + "3.4.5", + "3.4.6", + "3.4.7", + "3.4.8", + "3.4.9", + "3.5.1", + "3.6.0", + "3.6.1", + "3.6.3", + "3.6.4", + "3.6.5", + "3.6.6", + "3.7.0", + "3.7.1", + "3.7.2", + "3.7.3", + "3.8.0", + "3.8.1", + "3.8.2", + "3.9.0", + "3.9.1", + "3.9.2", + "3.9.3", + "3.9.4", + "3.9.6", + "3.9.7", + "3.9.8", + "3.9.9" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pycryptodomex/PYSEC-2024-3.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst" + }, + { + "type": "PACKAGE", + "url": "https://pypi.org/project/pycryptodomex/#history" + } + ] } ], "groups": [ { "ids": [ - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] 
diff --git a/audits/ansible-requirements.audit.json b/audits/ansible-requirements.audit.json index 050377ae..89070eaa 100644 --- a/audits/ansible-requirements.audit.json +++ b/audits/ansible-requirements.audit.json @@ -5,6 +5,9 @@ "version": "1.3.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "ansible-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T03:57:53Z", @@ -92,6 +95,9 @@ "version": "3.3.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "ansible-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:46:16Z", diff --git a/audits/athenacli-requirements.audit.json b/audits/athenacli-requirements.audit.json index 22e2b8c0..ae06ddef 100644 --- a/audits/athenacli-requirements.audit.json +++ b/audits/athenacli-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "athenacli-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/aws-shell-requirements.audit.json b/audits/aws-shell-requirements.audit.json index 22e2b8c0..d8afc49a 100644 --- a/audits/aws-shell-requirements.audit.json +++ b/audits/aws-shell-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "aws-shell-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/awscli-requirements.audit.json b/audits/awscli-requirements.audit.json index 22f2ca71..5b003c5a 100644 --- a/audits/awscli-requirements.audit.json +++ b/audits/awscli-requirements.audit.json @@ -5,6 +5,9 @@ "version": "40.0.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "awscli-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-09T05:40:01Z", diff --git a/audits/bbot-requirements.audit.json b/audits/bbot-requirements.audit.json index 2948c72f..801be8a4 100644 --- a/audits/bbot-requirements.audit.json +++ b/audits/bbot-requirements.audit.json 
@@ -5,6 +5,9 @@ "version": "7.7.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "bbot-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-02T15:28:50Z", @@ -448,6 +451,9 @@ "version": "2.14.11", "ecosystem": "PyPI" }, + "dependency_groups": [ + "bbot-requirements" + ], "vulnerabilities": [ { "modified": "2023-12-20T20:57:57Z", @@ -954,6 +960,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "bbot-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", @@ -1097,14 +1106,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "bbot-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", @@ -1305,7 +1318,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] diff --git a/audits/breezy-requirements.audit.json b/audits/breezy-requirements.audit.json index 22e2b8c0..e0b0413d 100644 --- a/audits/breezy-requirements.audit.json +++ b/audits/breezy-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "breezy-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/buku-requirements.audit.json b/audits/buku-requirements.audit.json index 5fdf38a5..290ca21b 100644 --- a/audits/buku-requirements.audit.json +++ b/audits/buku-requirements.audit.json 
@@ -5,6 +5,9 @@ "version": "2.3.6", "ecosystem": "PyPI" }, + "dependency_groups": [ + "buku-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-24T09:49:21Z", diff --git a/audits/bzt-requirements.audit.json b/audits/bzt-requirements.audit.json index 0c19d675..b78c2d82 100644 --- a/audits/bzt-requirements.audit.json +++ b/audits/bzt-requirements.audit.json @@ -5,6 +5,9 @@ "version": "1.26.16", "ecosystem": "PyPI" }, + "dependency_groups": [ + "bzt-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/certbot-requirements.audit.json b/audits/certbot-requirements.audit.json index 22e2b8c0..7bb7b37e 100644 --- a/audits/certbot-requirements.audit.json +++ b/audits/certbot-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "certbot-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json index 10c18176..f2a7ef55 100644 --- a/audits/certsync-requirements.audit.json +++ b/audits/certsync-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "certsync-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", @@ -148,14 +151,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "certsync-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", 
@@ -356,7 +363,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] @@ -367,14 +375,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "certsync-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", 
@@ -566,16 +578,118 @@ "nvd_published_at": "2024-01-05T04:15:07Z", "severity": "MODERATE" } + }, + { + "modified": "2024-01-17T11:41:25Z", + "published": "2024-01-05T04:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-3", + "aliases": [ + "CVE-2023-52323", + "GHSA-j225-cvw7-qrx7" + ], + "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pycryptodomex", + "purl": "pkg:pypi/pycryptodomex" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.19.1" + } + ] + } + ], + "versions": [ + "3.10.1", + "3.10.3", + "3.10.4", + "3.11.0", + "3.12.0", + "3.13.0", + "3.14.0", + "3.14.1", + "3.15.0", + "3.16.0", + "3.17", + "3.18.0", + "3.19.0", + "3.4.1", + "3.4.11", + "3.4.12", + "3.4.2", + "3.4.3", + "3.4.5", + "3.4.6", + "3.4.7", + "3.4.8", + "3.4.9", + "3.5.1", + "3.6.0", + "3.6.1", + "3.6.3", + "3.6.4", + "3.6.5", + "3.6.6", + "3.7.0", + "3.7.1", + "3.7.2", + "3.7.3", + "3.8.0", + "3.8.1", + "3.8.2", + "3.9.0", + "3.9.1", + "3.9.2", + "3.9.3", + "3.9.4", + "3.9.6", + "3.9.7", + "3.9.8", + "3.9.9" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pycryptodomex/PYSEC-2024-3.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst" + }, + { + "type": "PACKAGE", + "url": "https://pypi.org/project/pycryptodomex/#history" + } + ] } ], "groups": [ { "ids": [ - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] 
diff --git a/audits/charm-tools-requirements.audit.json b/audits/charm-tools-requirements.audit.json index 701c7c4c..c9e6dca4 100644 --- a/audits/charm-tools-requirements.audit.json +++ b/audits/charm-tools-requirements.audit.json @@ -5,6 +5,9 @@ "version": "22.3.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "charm-tools-requirements" + ], "vulnerabilities": [ { "modified": "2023-12-06T01:03:17Z", @@ -432,6 +435,9 @@ "version": "2.0.6", "ecosystem": "PyPI" }, + "dependency_groups": [ + "charm-tools-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/cloudiscovery-requirements.audit.json b/audits/cloudiscovery-requirements.audit.json index a435fe2b..483f6ca9 100644 --- a/audits/cloudiscovery-requirements.audit.json +++ b/audits/cloudiscovery-requirements.audit.json @@ -5,6 +5,9 @@ "version": "2.11.3", "ecosystem": "PyPI" }, + "dependency_groups": [ + "cloudiscovery-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", diff --git a/audits/dstack-requirements.audit.json b/audits/dstack-requirements.audit.json index 4d1dd986..9242217c 100644 --- a/audits/dstack-requirements.audit.json +++ b/audits/dstack-requirements.audit.json @@ -5,6 +5,9 @@ "version": "1.2.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "dstack-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:12:36Z", diff --git a/audits/dvc-requirements.audit.json b/audits/dvc-requirements.audit.json index 22e2b8c0..7ab19b1f 100644 --- a/audits/dvc-requirements.audit.json +++ b/audits/dvc-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "dvc-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/esphome-requirements.audit.json b/audits/esphome-requirements.audit.json index cc2f710b..77fcf011 100644 --- a/audits/esphome-requirements.audit.json +++ b/audits/esphome-requirements.audit.json 
@@ -5,6 +5,9 @@ "version": "4.6.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "esphome-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-15T18:49:10Z", diff --git a/audits/fdroidserver-requirements.audit.json b/audits/fdroidserver-requirements.audit.json index 8d8d433b..09738de5 100644 --- a/audits/fdroidserver-requirements.audit.json +++ b/audits/fdroidserver-requirements.audit.json @@ -5,9 +5,12 @@ "version": "3.1.40", "ecosystem": "PyPI" }, + "dependency_groups": [ + "fdroidserver-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-11T15:46:30Z", + "modified": "2024-01-17T16:26:45Z", "published": "2024-01-10T15:46:00Z", "schema_version": "1.6.0", "id": "GHSA-2mqj-m65w-jghx", 
@@ -15,7 +18,7 @@ "CVE-2024-22190" ], "summary": "Untrusted search path under some conditions on Windows allows arbitrary code execution", - "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, ad GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo\\git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \"import git; print(git.Git().version(shell=True))\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- Pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, when a shell is used, since then the subprocess is the `cmd.exe` shell that actually performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.\n", + "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, and GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running `git`, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo\\git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \\\"import git; print(git.Git().version(shell=True))\\\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- When a shell is used, pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, because in that scenario the subprocess is the `cmd.exe` shell that itself performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.", "affected": [ { "package": { @@ -193,6 +196,9 @@ "version": "3.3.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "fdroidserver-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:46:16Z", diff --git a/audits/flintrock-requirements.audit.json b/audits/flintrock-requirements.audit.json index 7b88bc88..62834bae 100644 --- a/audits/flintrock-requirements.audit.json +++ b/audits/flintrock-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.3.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "flintrock-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:46:16Z", diff --git a/audits/gyb-requirements.audit.json b/audits/gyb-requirements.audit.json index 0c19d675..a18ca8ac 100644 --- a/audits/gyb-requirements.audit.json +++ b/audits/gyb-requirements.audit.json @@ -5,6 +5,9 @@ "version": "1.26.16", "ecosystem": "PyPI" }, + "dependency_groups": [ + "gyb-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/howdoi-requirements.audit.json b/audits/howdoi-requirements.audit.json index a108f5c7..f59468d4 100644 --- a/audits/howdoi-requirements.audit.json +++ b/audits/howdoi-requirements.audit.json @@ -5,6 +5,9 @@ "version": "2.10.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "howdoi-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:09:20Z", 
diff --git a/audits/http-prompt-requirements.audit.json b/audits/http-prompt-requirements.audit.json index 83585089..1aecd896 100644 --- a/audits/http-prompt-requirements.audit.json +++ b/audits/http-prompt-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.2.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "http-prompt-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-22T18:19:11Z", diff --git a/audits/iredis-requirements.audit.json b/audits/iredis-requirements.audit.json index 22e2b8c0..ee5e26b1 100644 --- a/audits/iredis-requirements.audit.json +++ b/audits/iredis-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "iredis-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/jenkins-job-builder-requirements.audit.json b/audits/jenkins-job-builder-requirements.audit.json index dbcf181f..10ff5609 100644 --- a/audits/jenkins-job-builder-requirements.audit.json +++ b/audits/jenkins-job-builder-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "jenkins-job-builder-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", @@ -148,6 +151,9 @@ "version": "2.0.6", "ecosystem": "PyPI" }, + "dependency_groups": [ + "jenkins-job-builder-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/khal-requirements.audit.json b/audits/khal-requirements.audit.json index 22e2b8c0..886ca51b 100644 --- a/audits/khal-requirements.audit.json +++ b/audits/khal-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "khal-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/khard-requirements.audit.json b/audits/khard-requirements.audit.json index 22e2b8c0..0ccbbc3e 100644 --- a/audits/khard-requirements.audit.json 
+++ b/audits/khard-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "khard-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/libplacebo-requirements.audit.json b/audits/libplacebo-requirements.audit.json index ad1fe782..e030c670 100644 --- a/audits/libplacebo-requirements.audit.json +++ b/audits/libplacebo-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "libplacebo-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", diff --git a/audits/litani-requirements.audit.json b/audits/litani-requirements.audit.json index ad1fe782..fdbb8254 100644 --- a/audits/litani-requirements.audit.json +++ b/audits/litani-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "litani-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", diff --git a/audits/litecli-requirements.audit.json b/audits/litecli-requirements.audit.json index 22e2b8c0..4d4b036f 100644 --- a/audits/litecli-requirements.audit.json +++ b/audits/litecli-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "litecli-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/literate-git-requirements.audit.json b/audits/literate-git-requirements.audit.json index 82e7794d..2cc14019 100644 --- a/audits/literate-git-requirements.audit.json +++ b/audits/literate-git-requirements.audit.json @@ -5,6 +5,9 @@ "version": "2.11.3", "ecosystem": "PyPI" }, + "dependency_groups": [ + "literate-git-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", @@ -148,6 +151,9 @@ "version": "2.5.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "literate-git-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:04:36Z", 
diff --git a/audits/magic-wormhole-requirements.audit.json b/audits/magic-wormhole-requirements.audit.json index b9bc80af..9a15ade1 100644 --- a/audits/magic-wormhole-requirements.audit.json +++ b/audits/magic-wormhole-requirements.audit.json @@ -5,6 +5,9 @@ "version": "23.8.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "magic-wormhole-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:41Z", diff --git a/audits/mavsdk-requirements.audit.json b/audits/mavsdk-requirements.audit.json index ad1fe782..285d961f 100644 --- a/audits/mavsdk-requirements.audit.json +++ b/audits/mavsdk-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "mavsdk-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json index 2ad988c4..a048283d 100644 --- a/audits/mentat-requirements.audit.json +++ b/audits/mentat-requirements.audit.json @@ -5,9 +5,12 @@ "version": "3.1.37", "ecosystem": "PyPI" }, + "dependency_groups": [ + "mentat-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-11T15:46:30Z", + "modified": "2024-01-17T16:26:45Z", "published": "2024-01-10T15:46:00Z", "schema_version": "1.6.0", "id": "GHSA-2mqj-m65w-jghx", 
@@ -15,7 +18,7 @@ "CVE-2024-22190" ], "summary": "Untrusted search path under some conditions on Windows allows arbitrary code execution", - "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, ad GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo\\git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \"import git; print(git.Git().version(shell=True))\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- Pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, when a shell is used, since then the subprocess is the `cmd.exe` shell that actually performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.\n", + "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, and GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running `git`, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo\\git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \\\"import git; print(git.Git().version(shell=True))\\\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- When a shell is used, pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, because in that scenario the subprocess is the `cmd.exe` shell that itself performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.", "affected": [ { "package": { diff --git a/audits/mvt-requirements.audit.json b/audits/mvt-requirements.audit.json index cbd86461..2d811b1e 100644 --- a/audits/mvt-requirements.audit.json +++ b/audits/mvt-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "mvt-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", @@ -213,7 +217,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] diff --git a/audits/mycli-requirements.audit.json b/audits/mycli-requirements.audit.json index 22e2b8c0..cfcc0536 100644 --- a/audits/mycli-requirements.audit.json +++ b/audits/mycli-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "mycli-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", 
diff --git a/audits/onlykey-agent-requirements.audit.json b/audits/onlykey-agent-requirements.audit.json index bf2c399c..eb130284 100644 --- a/audits/onlykey-agent-requirements.audit.json +++ b/audits/onlykey-agent-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.18.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "onlykey-agent-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", @@ -213,7 +217,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] @@ -224,6 +229,9 @@ "version": "2.0.4", "ecosystem": "PyPI" }, + "dependency_groups": [ + "onlykey-agent-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/openai-whisper-requirements.audit.json b/audits/openai-whisper-requirements.audit.json index ad1fe782..bf11d8c7 100644 --- a/audits/openai-whisper-requirements.audit.json +++ b/audits/openai-whisper-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "openai-whisper-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", diff --git a/audits/pdfalyzer-requirements.audit.json b/audits/pdfalyzer-requirements.audit.json index 596ba3bc..faed0b9c 100644 --- a/audits/pdfalyzer-requirements.audit.json +++ b/audits/pdfalyzer-requirements.audit.json @@ -5,6 +5,9 @@ "version": "2.12.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pdfalyzer-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-11T05:19:21Z", 
diff --git a/audits/pgcli-requirements.audit.json b/audits/pgcli-requirements.audit.json index 22e2b8c0..9c153622 100644 --- a/audits/pgcli-requirements.audit.json +++ b/audits/pgcli-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pgcli-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/pocsuite3-requirements.audit.json b/audits/pocsuite3-requirements.audit.json index bf8a57d2..8f59f8c8 100644 --- a/audits/pocsuite3-requirements.audit.json +++ b/audits/pocsuite3-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pocsuite3-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", 
@@ -204,16 +208,118 @@ "nvd_published_at": "2024-01-05T04:15:07Z", "severity": "MODERATE" } + }, + { + "modified": "2024-01-17T11:41:25Z", + "published": "2024-01-05T04:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-3", + "aliases": [ + "CVE-2023-52323", + "GHSA-j225-cvw7-qrx7" + ], + "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pycryptodomex", + "purl": "pkg:pypi/pycryptodomex" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.19.1" + } + ] + } + ], + "versions": [ + "3.10.1", + "3.10.3", + "3.10.4", + "3.11.0", + "3.12.0", + "3.13.0", + "3.14.0", + "3.14.1", + "3.15.0", + "3.16.0", + "3.17", + "3.18.0", + "3.19.0", + "3.4.1", + "3.4.11", + "3.4.12", + "3.4.2", + "3.4.3", + "3.4.5", + "3.4.6", + "3.4.7", + "3.4.8", + "3.4.9", + "3.5.1", + "3.6.0", + "3.6.1", + "3.6.3", + "3.6.4", + "3.6.5", + "3.6.6", + "3.7.0", + "3.7.1", + "3.7.2", + "3.7.3", + "3.8.0", + "3.8.1", + "3.8.2", + "3.9.0", + "3.9.1", + "3.9.2", + "3.9.3", + "3.9.4", + "3.9.6", + "3.9.7", + "3.9.8", + "3.9.9" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pycryptodomex/PYSEC-2024-3.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst" + }, + { + "type": "PACKAGE", + "url": "https://pypi.org/project/pycryptodomex/#history" + } + ] } ], "groups": [ { "ids": [ - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] 
diff --git a/audits/psutils-requirements.audit.json b/audits/psutils-requirements.audit.json index 6e650373..38316fcf 100644 --- a/audits/psutils-requirements.audit.json +++ b/audits/psutils-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.16.4", "ecosystem": "PyPI" }, + "dependency_groups": [ + "psutils-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-09T05:29:46Z", diff --git a/audits/pypy-requirements.audit.json b/audits/pypy-requirements.audit.json index 5cbf6677..69415550 100644 --- a/audits/pypy-requirements.audit.json +++ b/audits/pypy-requirements.audit.json @@ -5,6 +5,9 @@ "version": "20.3.4", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pypy-requirements" + ], "vulnerabilities": [ { "modified": "2023-12-06T01:01:18Z", @@ -790,6 +793,9 @@ "version": "44.1.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pypy-requirements" + ], "vulnerabilities": [ { "modified": "2023-12-06T01:02:35Z", diff --git a/audits/pypy3.10-requirements.audit.json b/audits/pypy3.10-requirements.audit.json index fc96ebe2..9a806c9d 100644 --- a/audits/pypy3.10-requirements.audit.json +++ b/audits/pypy3.10-requirements.audit.json @@ -5,6 +5,9 @@ "version": "59.8.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pypy3.10-requirements" + ], "vulnerabilities": [ { "modified": "2023-12-06T01:02:35Z", diff --git a/audits/pypy3.9-requirements.audit.json b/audits/pypy3.9-requirements.audit.json index fc96ebe2..fc3bbec6 100644 --- a/audits/pypy3.9-requirements.audit.json +++ b/audits/pypy3.9-requirements.audit.json @@ -5,6 +5,9 @@ "version": "59.8.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "pypy3.9-requirements" + ], "vulnerabilities": [ { "modified": "2023-12-06T01:02:35Z", diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json index 015365cf..75cfc1fc 100644 --- a/audits/recon-ng-requirements.audit.json +++ b/audits/recon-ng-requirements.audit.json 
@@ -5,6 +5,9 @@ "version": "2.2.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "recon-ng-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:12:28Z", @@ -349,6 +352,9 @@ "version": "3.1.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "recon-ng-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:41:33Z", @@ -492,6 +498,9 @@ "version": "4.4.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "recon-ng-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:12:15Z", @@ -1022,6 +1031,9 @@ "version": "2.28.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "recon-ng-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-11T05:29:19Z", @@ -1345,6 +1357,9 @@ "version": "1.26.13", "ecosystem": "PyPI" }, + "dependency_groups": [ + "recon-ng-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", @@ -2139,6 +2154,9 @@ "version": "2.2.2", "ecosystem": "PyPI" }, + "dependency_groups": [ + "recon-ng-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-24T09:49:21Z", diff --git a/audits/scoutsuite-requirements.audit.json b/audits/scoutsuite-requirements.audit.json index cbd86461..f1cd87cc 100644 --- a/audits/scoutsuite-requirements.audit.json +++ b/audits/scoutsuite-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "scoutsuite-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", 
@@ -213,7 +217,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] diff --git a/audits/scrapy-requirements.audit.json b/audits/scrapy-requirements.audit.json index ddea17a0..bec1c6e7 100644 --- a/audits/scrapy-requirements.audit.json +++ b/audits/scrapy-requirements.audit.json @@ -5,6 +5,9 @@ "version": "22.10.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "scrapy-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:41Z", diff --git a/audits/sickchill-requirements.audit.json b/audits/sickchill-requirements.audit.json index 22e2b8c0..1d737874 100644 --- a/audits/sickchill-requirements.audit.json +++ b/audits/sickchill-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "sickchill-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/slither-analyzer-requirements.audit.json b/audits/slither-analyzer-requirements.audit.json index cbd86461..0f278437 100644 --- a/audits/slither-analyzer-requirements.audit.json +++ b/audits/slither-analyzer-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.19.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "slither-analyzer-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", @@ -213,7 +217,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] 
diff --git a/audits/snapcraft-requirements.audit.json b/audits/snapcraft-requirements.audit.json index 0c19d675..197eff8e 100644 --- a/audits/snapcraft-requirements.audit.json +++ b/audits/snapcraft-requirements.audit.json @@ -5,6 +5,9 @@ "version": "1.26.16", "ecosystem": "PyPI" }, + "dependency_groups": [ + "snapcraft-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/ssh-mitm-requirements.audit.json b/audits/ssh-mitm-requirements.audit.json index 7b88bc88..d8861af3 100644 --- a/audits/ssh-mitm-requirements.audit.json +++ b/audits/ssh-mitm-requirements.audit.json @@ -5,6 +5,9 @@ "version": "3.3.1", "ecosystem": "PyPI" }, + "dependency_groups": [ + "ssh-mitm-requirements" + ], "vulnerabilities": [ { "modified": "2024-01-11T15:46:16Z", diff --git a/audits/terminator-requirements.audit.json b/audits/terminator-requirements.audit.json index 22e2b8c0..ca5df89b 100644 --- a/audits/terminator-requirements.audit.json +++ b/audits/terminator-requirements.audit.json @@ -5,6 +5,9 @@ "version": "5.0.8", "ecosystem": "PyPI" }, + "dependency_groups": [ + "terminator-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:11:58Z", diff --git a/audits/tern-requirements.audit.json b/audits/tern-requirements.audit.json index 2bee612d..e2d47c48 100644 --- a/audits/tern-requirements.audit.json +++ b/audits/tern-requirements.audit.json @@ -5,9 +5,12 @@ "version": "3.1.32", "ecosystem": "PyPI" }, + "dependency_groups": [ + "tern-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-11T15:46:30Z", + "modified": "2024-01-17T16:26:45Z", "published": "2024-01-10T15:46:00Z", "schema_version": "1.6.0", "id": "GHSA-2mqj-m65w-jghx", 
@@ -15,7 +18,7 @@ "CVE-2024-22190" ], "summary": "Untrusted search path under some conditions on Windows allows arbitrary code execution", - "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, ad GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo\\git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \"import git; print(git.Git().version(shell=True))\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- Pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, when a shell is used, since then the subprocess is the `cmd.exe` shell that actually performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.\n", + "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, and GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running `git`, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo\\git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \\\"import git; print(git.Git().version(shell=True))\\\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- When a shell is used, pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, because in that scenario the subprocess is the `cmd.exe` shell that itself performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.", "affected": [ { "package": { @@ -859,6 +862,9 @@ "version": "2.0.3", "ecosystem": "PyPI" }, + "dependency_groups": [ + "tern-requirements" + ], "vulnerabilities": [ { "modified": "2023-11-08T04:13:39Z", diff --git a/audits/textract-requirements.audit.json b/audits/textract-requirements.audit.json index 48cfeba6..0fed3a7a 100644 --- a/audits/textract-requirements.audit.json +++ b/audits/textract-requirements.audit.json @@ -5,14 +5,18 @@ "version": "3.15.0", "ecosystem": "PyPI" }, + "dependency_groups": [ + "textract-requirements" + ], "vulnerabilities": [ { - "modified": "2024-01-05T17:42:16Z", + "modified": "2024-01-17T11:41:25Z", "published": "2024-01-05T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-j225-cvw7-qrx7", "aliases": [ - "CVE-2023-52323" + "CVE-2023-52323", + "PYSEC-2024-3" ], "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption", "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", @@ -213,7 +217,8 @@ ], "aliases": [ "CVE-2023-52323", - "GHSA-j225-cvw7-qrx7" + "GHSA-j225-cvw7-qrx7", + "PYSEC-2024-3" ] } ] diff --git a/audits/torchvision-requirements.audit.json b/audits/torchvision-requirements.audit.json index 0ed6575e..90de9bc4 100644 --- a/audits/torchvision-requirements.audit.json 
+++ b/audits/torchvision-requirements.audit.json
@@ -5,6 +5,9 @@
 "version": "2.0.6",
 "ecosystem": "PyPI"
 },
+ "dependency_groups": [
+ "torchvision-requirements"
+ ],
 "vulnerabilities": [
 {
 "modified": "2023-11-08T04:13:39Z",
diff --git a/audits/trezor-agent-requirements.audit.json b/audits/trezor-agent-requirements.audit.json
index 81221fd4..ecf2e4da 100644
--- a/audits/trezor-agent-requirements.audit.json
+++ b/audits/trezor-agent-requirements.audit.json
@@ -5,14 +5,18 @@
 "version": "3.19.0",
 "ecosystem": "PyPI"
 },
+ "dependency_groups": [
+ "trezor-agent-requirements"
+ ],
 "vulnerabilities": [
 {
- "modified": "2024-01-05T17:42:16Z",
+ "modified": "2024-01-17T11:41:25Z",
 "published": "2024-01-05T06:30:19Z",
 "schema_version": "1.6.0",
 "id": "GHSA-j225-cvw7-qrx7",
 "aliases": [
- "CVE-2023-52323"
+ "CVE-2023-52323",
+ "PYSEC-2024-3"
 ],
 "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption",
 "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.",
@@ -213,7 +217,8 @@
 ],
 "aliases": [
 "CVE-2023-52323",
- "GHSA-j225-cvw7-qrx7"
+ "GHSA-j225-cvw7-qrx7",
+ "PYSEC-2024-3"
 ]
 }
 ]
@@ -224,14 +229,18 @@
 "version": "3.19.0",
 "ecosystem": "PyPI"
 },
+ "dependency_groups": [
+ "trezor-agent-requirements"
+ ],
 "vulnerabilities": [
 {
- "modified": "2024-01-05T17:42:16Z",
+ "modified": "2024-01-17T11:41:25Z",
 "published": "2024-01-05T06:30:19Z",
 "schema_version": "1.6.0",
 "id": "GHSA-j225-cvw7-qrx7",
 "aliases": [
- "CVE-2023-52323"
+ "CVE-2023-52323",
+ "PYSEC-2024-3"
 ],
 "summary": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption",
 "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.",
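Review bot: Both trezor-agent hunks (`@@ -5,14 +5,18 @@` and `@@ -224,14 +229,18 @@`) still record the audited dependency at `"version": "3.19.0"`, which sits inside the range the attached advisory closes at 3.19.1 (`"details": "... before 3.19.1 allow side-channel leakage for OAEP decryption ..."`), so adding the PYSEC-2024-3 alias and `dependency_groups` does not change the status of CVE-2023-52323 for this requirement set; the package name is above the hunk, but the GHSA-j225-cvw7-qrx7 entry names PyCryptodome/pycryptodomex, and the textract audit shows the same situation at 3.15.0. Unless the pin in the matching requirements file (not part of this diff) is raised to 3.19.1 or later and the audit regenerated, every subsequent audit run will re-report the same finding. If the pin is being kept on purpose, a recorded accepted-risk note referencing PYSEC-2024-3 next to the audit would make that decision reviewable rather than leaving it implicit in regenerated output.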
@@ -423,16 +432,118 @@
 "nvd_published_at": "2024-01-05T04:15:07Z",
 "severity": "MODERATE"
 }
+ },
+ {
+ "modified": "2024-01-17T11:41:25Z",
+ "published": "2024-01-05T04:15:00Z",
+ "schema_version": "1.6.0",
+ "id": "PYSEC-2024-3",
+ "aliases": [
+ "CVE-2023-52323",
+ "GHSA-j225-cvw7-qrx7"
+ ],
+ "details": "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "pycryptodomex",
+ "purl": "pkg:pypi/pycryptodomex"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.19.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "3.10.1",
+ "3.10.3",
+ "3.10.4",
+ "3.11.0",
+ "3.12.0",
+ "3.13.0",
+ "3.14.0",
+ "3.14.1",
+ "3.15.0",
+ "3.16.0",
+ "3.17",
+ "3.18.0",
+ "3.19.0",
+ "3.4.1",
+ "3.4.11",
+ "3.4.12",
+ "3.4.2",
+ "3.4.3",
+ "3.4.5",
+ "3.4.6",
+ "3.4.7",
+ "3.4.8",
+ "3.4.9",
+ "3.5.1",
+ "3.6.0",
+ "3.6.1",
+ "3.6.3",
+ "3.6.4",
+ "3.6.5",
+ "3.6.6",
+ "3.7.0",
+ "3.7.1",
+ "3.7.2",
+ "3.7.3",
+ "3.8.0",
+ "3.8.1",
+ "3.8.2",
+ "3.9.0",
+ "3.9.1",
+ "3.9.2",
+ "3.9.3",
+ "3.9.4",
+ "3.9.6",
+ "3.9.7",
+ "3.9.8",
+ "3.9.9"
+ ],
+ "database_specific": {
+ "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pycryptodomex/PYSEC-2024-3.yaml"
+ }
+ }
+ ],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://pypi.org/project/pycryptodomex/#history"
+ }
+ ]
 }
 ],
 "groups": [
 {
 "ids": [
- "GHSA-j225-cvw7-qrx7"
+ "GHSA-j225-cvw7-qrx7",
+ "PYSEC-2024-3"
 ],
 "aliases": [
 "CVE-2023-52323",
- "GHSA-j225-cvw7-qrx7"
+ "GHSA-j225-cvw7-qrx7",
+ "PYSEC-2024-3"
 ]
 }
 ]
diff --git a/requirements/cfn-lint-requirements.txt b/requirements/cfn-lint-requirements.txt
index 5da63f2a..6871e5a9 100644
--- a/requirements/cfn-lint-requirements.txt
+++ b/requirements/cfn-lint-requirements.txt
@@ -1,19 +1,19 @@
 annotated-types==0.6.0
 aws-sam-translator==1.83.0
-boto3==1.34.14
-botocore==1.34.14
+boto3==1.34.21
+botocore==1.34.21
 jmespath==1.0.1
 jschema-to-python==1.2.3
 jsonpatch==1.33
 jsonpickle==3.0.2
 jsonpointer==2.4
-jsonschema==4.20.0
+jsonschema==4.21.0
 jsonschema-specifications==2023.12.1
 junit-xml==1.9
 pydantic==2.5.3
 pydantic-core==2.14.6
 referencing==0.32.1
 regex==2023.12.25
-rpds-py==0.16.2
+rpds-py==0.17.1
 s3transfer==0.10.0
 sarif-om==1.0.4
diff --git a/requirements/crytic-compile-requirements.txt b/requirements/crytic-compile-requirements.txt
index 3527171a..3045808e 100644
--- a/requirements/crytic-compile-requirements.txt
+++ b/requirements/crytic-compile-requirements.txt
@@ -1 +1 @@
-cbor2==5.4.6
+cbor2==5.6.0
diff --git a/requirements/dolphie-requirements.txt b/requirements/dolphie-requirements.txt
index 1dc87195..616715cb 100644
--- a/requirements/dolphie-requirements.txt
+++ b/requirements/dolphie-requirements.txt
@@ -1,4 +1,3 @@
-importlib-metadata==6.8.0
 linkify-it-py==2.0.2
 markdown-it-py==3.0.0
 mdit-py-plugins==0.4.0
@@ -7,7 +6,6 @@ myloginpath==0.0.4
 plotext==5.2.8
 pymysql==1.1.0
 rich==13.7.0
-textual==0.41.0
+textual==0.47.1
 textual-autocomplete==2.1.0b0
 uc-micro-py==1.0.2
-zipp==3.17.0
diff --git a/requirements/dstack-requirements.txt b/requirements/dstack-requirements.txt
index 72768c44..2b94807c 100644
--- a/requirements/dstack-requirements.txt
+++ b/requirements/dstack-requirements.txt
@@ -26,21 +26,21 @@ azure-mgmt-subscription==3.1.1
 azure-monitor-query==1.2.0
 azure-storage-blob==12.19.0
 bcrypt==4.1.2
-boto3==1.34.16
-botocore==1.34.16
+boto3==1.34.21
+botocore==1.34.21
 cachetools==5.3.2
 charset-normalizer==3.3.2
 cursor==1.3.5
 dnspython==2.4.2
 docker==7.0.0
-fastapi==0.108.0
+fastapi==0.109.0
 filelock==3.13.1
 frozenlist==1.4.1
 git-url-parse==1.2.2
 gitdb==4.0.11
 gitpython==3.1.41
 google-api-core==2.15.0
-google-api-python-client==2.113.0
+google-api-python-client==2.114.0
 google-auth==2.26.2
 google-auth-httplib2==0.2.0
 google-cloud-appengine-logging==1.4.0
@@ -63,7 +63,7 @@ httplib2==0.22.0
 idna==3.6
 isodate==0.6.1
 jmespath==1.0.1
-jsonschema==4.20.0
+jsonschema==4.21.0
 jsonschema-specifications==2023.12.1
 markdown-it-py==3.0.0
 mdurl==0.1.2
@@ -89,7 +89,7 @@ requests==2.31.0
 requests-oauthlib==1.3.1
 rich==13.7.0
 rich-argparse==1.4.0
-rpds-py==0.16.2
+rpds-py==0.17.1
 rsa==4.9
 s3transfer==0.10.0
 sentry-sdk==1.39.2
@@ -98,12 +98,12 @@ smmap==5.0.1
 sniffio==1.3.0
 sqlalchemy==2.0.25
 sqlalchemy-utils==0.41.1
-starlette==0.32.0.post1
+starlette==0.35.1
 tqdm==4.66.1
 tzlocal==5.2
 uritemplate==4.1.1
 urllib3==2.0.7
-uvicorn==0.25.0
+uvicorn==0.26.0
 watchfiles==0.21.0
 websocket-client==1.7.0
 yarl==1.9.4
diff --git a/requirements/dvc-requirements.txt b/requirements/dvc-requirements.txt
index a6b13de0..f14bc9cf 100644
--- a/requirements/dvc-requirements.txt
+++ b/requirements/dvc-requirements.txt
@@ -1,5 +1,5 @@
 adlfs==2023.12.0
-aiobotocore==2.9.0
+aiobotocore==2.9.1
 aiohttp==3.9.1
 aiohttp-retry==2.8.3
 aioitertools==0.11.0
@@ -64,7 +64,7 @@ gcsfs==2023.12.2.post1
 gitdb==4.0.11
 gitpython==3.1.41
 google-api-core==2.15.0
-google-api-python-client==2.113.0
+google-api-python-client==2.114.0
 google-auth==2.26.2
 google-auth-httplib2==0.2.0
 google-auth-oauthlib==1.2.0
@@ -85,7 +85,7 @@ isodate==0.6.1
 iterative-telemetry==0.0.8
 jmespath==0.10.0
 knack==0.11.0
-kombu==5.3.4
+kombu==5.3.5
 markdown-it-py==3.0.0
 mdurl==0.1.2
 msal==1.26.0
diff --git a/requirements/gnuradio-requirements.txt b/requirements/gnuradio-requirements.txt
index e9d40c61..78bfdfc5 100644
--- a/requirements/gnuradio-requirements.txt
+++ b/requirements/gnuradio-requirements.txt
@@ -1,2 +1,2 @@
-cheetah3==3.2.6
+cheetah3==3.2.6.post1
 click-plugins==1.1.1
diff --git a/requirements/sigstore-requirements.txt b/requirements/sigstore-requirements.txt
index 7c955a24..66d5558f 100644
--- a/requirements/sigstore-requirements.txt
+++ b/requirements/sigstore-requirements.txt
@@ -1,24 +1,27 @@
 annotated-types==0.6.0
 appdirs==1.4.4
 betterproto==2.0.0b6
-charset-normalizer==3.3.1
+charset-normalizer==3.3.2
 dnspython==2.4.2
 email-validator==2.1.0.post1
-grpclib==0.4.6
+grpclib==0.4.7
 h2==4.1.0
 hpack==4.0.0
 hyperframe==6.0.1
-id==1.1.0
-idna==3.4
+id==1.3.0
+idna==3.6
+markdown-it-py==3.0.0
+mdurl==0.1.2
 multidict==6.0.4
-pydantic==2.4.2
-pydantic-core==2.10.1
+pydantic==2.5.3
+pydantic-core==2.14.6
 pyjwt==2.8.0
-pyopenssl==23.2.0
+pyopenssl==23.3.0
 python-dateutil==2.8.2
 requests==2.31.0
-securesystemslib==0.30.0
+rich==13.7.0
+securesystemslib==0.31.0
 sigstore-protobuf-specs==0.2.2
 sigstore-rekor-types==0.0.11
 tuf==3.1.0
-urllib3==2.0.7
+urllib3==2.1.0
diff --git a/requirements/snakemake-requirements.txt b/requirements/snakemake-requirements.txt
index d6d43f03..efbbcb37 100644
--- a/requirements/snakemake-requirements.txt
+++ b/requirements/snakemake-requirements.txt
@@ -14,7 +14,7 @@ humanfriendly==10.0
 idna==3.6
 immutables==0.20
 jinja2==3.1.3
-jsonschema==4.20.0
+jsonschema==4.21.0
 jsonschema-specifications==2023.12.1
 jupyter-core==5.7.1
 nbformat==5.9.2
@@ -27,7 +27,7 @@ reretry==0.11.8
 rpds-py==0.17.1
 smart-open==6.4.0
 smmap==5.0.1
-snakemake-interface-common==1.15.0
+snakemake-interface-common==1.15.1
 snakemake-interface-executor-plugins==8.2.0
 snakemake-interface-storage-plugins==3.0.0
 stopit==1.1.2