

Latest data: Thu Nov 16 08:04:08 UTC 2023
github.actions committed Nov 16, 2023
1 parent 5334b6d commit 585a273
Showing 10 changed files with 319 additions and 27 deletions.
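--- a/audits/esphome-requirements.audit.json
+++ b/audits/esphome-requirements.audit.json
@@ -8,12 +8,13 @@
 },
 "vulnerabilities": [
 {
-"modified": "2023-11-09T22:41:37Z",
+"modified": "2023-11-15T18:49:10Z",
 "published": "2023-11-09T18:34:55Z",
 "schema_version": "1.6.0",
 "id": "GHSA-3f38-96qm-r3fw",
 "aliases": [
-"CVE-2023-46894"
+"CVE-2023-46894",
+"PYSEC-2023-234"
 ],
 "summary": "esptool allows attackers to view sensitive information via weak cryptographic algorithm",
 "details": "An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.",
@@ -88,6 +89,12 @@
 }
 }
 ],
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -100,21 +107,122 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/espressif/esptool"
+},
+{
+"type": "WEB",
+"url": "https://github.com/pypa/advisory-database/tree/main/vulns/esptool/PYSEC-2023-234.yaml"
 }
 ],
 "database_specific": {
-"cwe_ids": [],
+"cwe_ids": [
+"CWE-326"
+],
 "github_reviewed": true,
 "github_reviewed_at": "2023-11-09T22:10:33Z",
 "nvd_published_at": "2023-11-09T16:15:34Z",
-"severity": "MODERATE"
+"severity": "HIGH"
 }
+},
+{
+"modified": "2023-11-15T15:41:15Z",
+"published": "2023-11-09T16:15:00Z",
+"schema_version": "1.6.0",
+"id": "PYSEC-2023-234",
+"aliases": [
+"CVE-2023-46894",
+"GHSA-3f38-96qm-r3fw"
+],
+"details": "An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.",
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "esptool",
+"purl": "pkg:pypi/esptool"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+],
+"versions": [
+"1.0.0",
+"1.0.1",
+"1.1",
+"1.2",
+"1.2.1",
+"1.3",
+"2.0",
+"2.0.1",
+"2.1",
+"2.2",
+"2.2.1",
+"2.3",
+"2.3.1",
+"2.4.0",
+"2.4.1",
+"2.5.0",
+"2.5.1",
+"2.6",
+"2.7",
+"2.8",
+"3.0",
+"3.1",
+"3.2",
+"3.3",
+"3.3.1",
+"3.3.2",
+"3.3.3",
+"4.0",
+"4.0.1",
+"4.1",
+"4.2",
+"4.2.1",
+"4.3",
+"4.4",
+"4.5",
+"4.5.1",
+"4.5.dev0",
+"4.5.dev1",
+"4.5.dev2",
+"4.5.dev3",
+"4.6",
+"4.6.1",
+"4.6.2",
+"4.6.dev1",
+"4.7.dev1",
+"4.7.dev2",
+"4.7.dev3"
+],
+"database_specific": {
+"source": "https://github.com/pypa/advisory-database/blob/main/vulns/esptool/PYSEC-2023-234.yaml"
+}
+}
+],
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+}
+],
+"references": [
+{
+"type": "EVIDENCE",
+"url": "https://github.com/espressif/esptool/issues/926"
+}
+]
 }
 ],
 "groups": [
 {
 "ids": [
-"GHSA-3f38-96qm-r3fw"
+"GHSA-3f38-96qm-r3fw",
+"PYSEC-2023-234"
 ]
 }
 ]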
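Review bot: The new PYSEC-2023-234 entry's only range event is `"introduced": "0"` with no `fixed` event, and its `versions` list runs through `4.7.dev3`, so this finding cannot be cleared by bumping esptool and will be re-emitted on every data refresh. Its sole reference is the upstream tracker https://github.com/espressif/esptool/issues/926, which is the item to watch for a fixed release; the pinned esptool version sits in the package header above the first hunk, outside this view. With the GHSA `database_specific.severity` moving from MODERATE to HIGH and the CVSS vector now carrying `C:H` under CWE-326, this is the entry to prioritise when triaging the esphome requirements, and since both records now share one `groups` entry, consumers should count them as a single finding rather than two.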
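--- a/audits/pdfalyzer-requirements.audit.json
+++ b/audits/pdfalyzer-requirements.audit.json
@@ -0,0 +1,171 @@
+[
+{
+"package": {
+"name": "pypdf2",
+"version": "2.12.1",
+"ecosystem": "PyPI",
+"commit": ""
+},
+"vulnerabilities": [
+{
+"modified": "2023-11-11T05:19:21Z",
+"published": "2023-06-30T20:33:57Z",
+"schema_version": "1.6.0",
+"id": "GHSA-4vvm-4w3v-6mr8",
+"aliases": [
+"CVE-2023-36464"
+],
+"summary": "pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a character",
+"details": "### Impact\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted text from such a PDF.\n\nExample Code and a PDF that causes the issue:\n\n```python\nfrom pypdf import PdfReader\n\n# https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/3119517/11367871?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230627T201018Z&X-Amz-Expires=300&X-Amz-Signature=d71c8fd9181c4875f0c04d563b6d32f1d4da6e7b2e6be2f14479ce4ecdc9c8b2&X-Amz-SignedHeaders=host&actor_id=1658117&key_id=0&repo_id=3119517&response-content-disposition=attachment%3Bfilename%3DMiFO_LFO_FEIS_NOA_Published.3.pdf&response-content-type=application%2Fpdf\nreader = PdfReader(\"MiFO_LFO_FEIS_NOA_Published.3.pdf\")\npage = reader.pages[0]\npage.extract_text()\n```\n\nThe issue was introduced with https://github.com/py-pdf/pypdf/pull/969\n\n### Patches\n\nThe issue was fixed with https://github.com/py-pdf/pypdf/pull/1828\n\n### Workarounds\n\nIt is recommended to upgrade to `pypdf>=3.9.0`. PyPDF2 users should migrate to pypdf.\n\nIf you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py`:\n\n```\nOLD: while peek not in (b\"\\r\", b\"\\n\"):\nNEW: while peek not in (b\"\\r\", b\"\\n\", b\"\"):\n```",
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "pypdf",
+"purl": "pkg:pypi/pypdf"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "3.1.0"
+},
+{
+"fixed": "3.9.0"
+}
+]
+}
+],
+"versions": [
+"3.1.0",
+"3.2.0",
+"3.2.1",
+"3.3.0",
+"3.4.0",
+"3.4.1",
+"3.5.0",
+"3.5.1",
+"3.5.2",
+"3.6.0",
+"3.7.0",
+"3.7.1",
+"3.8.0",
+"3.8.1"
+],
+"database_specific": {
+"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-4vvm-4w3v-6mr8/GHSA-4vvm-4w3v-6mr8.json"
+}
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "pypdf2",
+"purl": "pkg:pypi/pypdf2"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.2.0"
+},
+{
+"last_affected": "3.0.1"
+}
+]
+}
+],
+"versions": [
+"2.10.0",
+"2.10.1",
+"2.10.2",
+"2.10.3",
+"2.10.4",
+"2.10.5",
+"2.10.6",
+"2.10.7",
+"2.10.8",
+"2.10.9",
+"2.11.0",
+"2.11.1",
+"2.11.2",
+"2.12.0",
+"2.12.1",
+"2.2.0",
+"2.2.1",
+"2.3.0",
+"2.3.1",
+"2.4.0",
+"2.4.1",
+"2.4.2",
+"2.5.0",
+"2.6.0",
+"2.7.0",
+"2.8.0",
+"2.8.1",
+"2.9.0",
+"3.0.0",
+"3.0.1"
+],
+"database_specific": {
+"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-4vvm-4w3v-6mr8/GHSA-4vvm-4w3v-6mr8.json"
+}
+}
+],
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36464"
+},
+{
+"type": "WEB",
+"url": "https://github.com/py-pdf/pypdf/pull/1828"
+},
+{
+"type": "WEB",
+"url": "https://github.com/py-pdf/pypdf/pull/969"
+},
+{
+"type": "WEB",
+"url": "https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/py-pdf/pypdf"
+},
+{
+"type": "WEB",
+"url": "https://github.com/py-pdf/pypdf/releases/tag/3.9.0"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-835"
+],
+"github_reviewed": true,
+"github_reviewed_at": "2023-06-30T20:33:57Z",
+"nvd_published_at": "2023-06-27T22:15:11Z",
+"severity": "MODERATE"
+}
+}
+],
+"groups": [
+{
+"ids": [
+"GHSA-4vvm-4w3v-6mr8"
+]
+}
+]
+}
+]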
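Review bot: The new audit records pypdf2 2.12.1 as affected by GHSA-4vvm-4w3v-6mr8 (CVE-2023-36464, CWE-835 infinite loop on a crafted PDF), and the PyPDF2 range closes with `"last_affected": "3.0.1"` rather than a `fixed` event, so no PyPDF2 pin clears it; the advisory's own remediation is `pypdf>=3.9.0` with PyPDF2 users migrating to pypdf. The impact is availability-only (`A:H`, one core pegged by a parser loop), which matters for a tool that presumably feeds untrusted PDFs into this parser, so the change belongs in the pdfalyzer requirements file that pins pypdf2, which is not part of this commit. Separately, the `details` string carries a presigned object URL with `X-Amz-Credential` and `X-Amz-Signature` parameters copied verbatim from the upstream advisory; it is expired and not a repository secret, but secret-scanning tooling may flag this commit, so an allowlist entry for the audit files is worth adding.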
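--- a/requirements/cfn-lint-requirements.txt
+++ b/requirements/cfn-lint-requirements.txt
@@ -1,23 +1,23 @@
 annotated-types==0.6.0
 attrs==23.1.0
 aws-sam-translator==1.79.0
-boto3==1.28.84
-botocore==1.31.84
+boto3==1.29.0
+botocore==1.32.0
 jmespath==1.0.1
 jschema-to-python==1.2.3
 jsonpatch==1.33
 jsonpickle==3.0.2
 jsonpointer==2.4
 jsonschema==4.19.2
-jsonschema-specifications==2023.7.1
+jsonschema-specifications==2023.11.1
 junit-xml==1.9
 mpmath==1.3.0
 networkx==3.2.1
 pbr==6.0.0
-pydantic==2.5.0
-pydantic-core==2.14.1
+pydantic==2.5.1
+pydantic-core==2.14.3
 python-dateutil==2.8.2
-referencing==0.30.2
+referencing==0.31.0
 regex==2023.10.3
 rpds-py==0.12.0
 s3transfer==0.7.0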
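--- a/requirements/codelimit-requirements.txt
+++ b/requirements/codelimit-requirements.txt
@@ -1,4 +1,4 @@
-charset-normalizer==3.3.1
+charset-normalizer==3.3.2
 colorama==0.4.6
 halo==0.0.31
 idna==3.4
@@ -10,11 +10,11 @@ mdit-py-plugins==0.4.0
 mdurl==0.1.2
 plotext==5.2.8
 requests==2.31.0
-rich==13.6.0
+rich==13.7.0
 spinners==0.0.24
 termcolor==2.3.0
 textual==0.34.0
 typer==0.9.0
 uc-micro-py==1.0.2
-urllib3==2.0.7
+urllib3==2.1.0
 zipp==3.17.0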

