diff --git a/audits/aider-requirements.audit.json b/audits/aider-requirements.audit.json index 8873e2bf..48519956 100644 --- a/audits/aider-requirements.audit.json +++ b/audits/aider-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/ansible-lint-requirements.audit.json b/audits/ansible-lint-requirements.audit.json index 6eeb8fe2..0e503da7 100644 --- a/audits/ansible-lint-requirements.audit.json +++ b/audits/ansible-lint-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json index d552877f..1a0ffd02 100644 --- a/audits/certsync-requirements.audit.json +++ b/audits/certsync-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] }, diff --git a/audits/charmcraft-requirements.audit.json b/audits/charmcraft-requirements.audit.json index d07e8abc..cff1db89 100644 --- a/audits/charmcraft-requirements.audit.json +++ b/audits/charmcraft-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] }, diff --git a/audits/gdbgui-requirements.audit.json b/audits/gdbgui-requirements.audit.json index 167af972..74645e0f 100644 --- a/audits/gdbgui-requirements.audit.json +++ b/audits/gdbgui-requirements.audit.json @@ -272,7 +272,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -280,6 +280,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -365,6 +366,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -698,7 +703,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -708,7 +713,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -791,6 +797,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -838,7 +848,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -869,7 +879,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] }, diff --git a/audits/gi-docgen-requirements.audit.json b/audits/gi-docgen-requirements.audit.json index 61e668ef..25cf6e44 100644 --- a/audits/gi-docgen-requirements.audit.json +++ b/audits/gi-docgen-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/harlequin-requirements.audit.json b/audits/harlequin-requirements.audit.json index b5ddf871..f526a6db 100644 --- a/audits/harlequin-requirements.audit.json +++ b/audits/harlequin-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/icloudpd-requirements.audit.json b/audits/icloudpd-requirements.audit.json index 7f35261c..9e4c614c 100644 --- a/audits/icloudpd-requirements.audit.json +++ b/audits/icloudpd-requirements.audit.json @@ -385,7 +385,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -393,6 +393,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -478,6 +479,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -520,7 +525,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -530,7 +535,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -613,6 +619,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -660,7 +670,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -670,7 +680,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] }, diff --git a/audits/libplacebo-requirements.audit.json b/audits/libplacebo-requirements.audit.json index 5d72d5f8..034e4b5d 100644 --- a/audits/libplacebo-requirements.audit.json +++ b/audits/libplacebo-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/litani-requirements.audit.json b/audits/litani-requirements.audit.json index bf186c2a..ff91845c 100644 --- a/audits/litani-requirements.audit.json +++ b/audits/litani-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json index 8abd521e..c28f7bcc 100644 --- a/audits/mentat-requirements.audit.json +++ b/audits/mentat-requirements.audit.json @@ -376,7 +376,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -384,6 +384,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -469,6 +470,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -802,7 +807,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -812,7 +817,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -895,6 +901,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -942,7 +952,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -973,7 +983,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] }, diff --git a/audits/organize-tool-requirements.audit.json b/audits/organize-tool-requirements.audit.json index d149200f..c2dbbc1b 100644 --- a/audits/organize-tool-requirements.audit.json +++ b/audits/organize-tool-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/pytorch-requirements.audit.json b/audits/pytorch-requirements.audit.json index 9b2e7d50..85247745 100644 --- a/audits/pytorch-requirements.audit.json +++ b/audits/pytorch-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json index bc4806ac..e108d68e 100644 --- a/audits/recon-ng-requirements.audit.json +++ b/audits/recon-ng-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] }, diff --git a/audits/sail-requirements.audit.json b/audits/sail-requirements.audit.json index 8c4abe83..7dea932b 100644 --- a/audits/sail-requirements.audit.json +++ b/audits/sail-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/snapcraft-requirements.audit.json b/audits/snapcraft-requirements.audit.json index 9aedf936..e2c68555 100644 --- a/audits/snapcraft-requirements.audit.json +++ b/audits/snapcraft-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", @@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ 
@@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/audits/vunnel-requirements.audit.json b/audits/vunnel-requirements.audit.json index dc24e1cf..63992a3b 100644 --- a/audits/vunnel-requirements.audit.json +++ b/audits/vunnel-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-23T21:02:04Z", + "modified": "2024-12-26T20:27:33Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -18,6 +18,7 @@ "CVE-2024-56201" ], "related": [ + "CGA-2589-9xpr-fmp7", "CGA-gvvw-7w3r-7m54", "CGA-mvqg-6j62-4pjm", "CGA-whf8-42p9-686q" @@ -103,6 +104,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -145,7 +150,7 @@ } }, { - "modified": "2024-12-23T21:00:55Z", + "modified": "2024-12-26T20:27:49Z", "published": "2024-12-23T17:56:08Z", "schema_version": "1.6.0", "id": "GHSA-q2x7-8rv6-6q7h", 
@@ -155,7 +160,8 @@ "related": [ "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", - "CGA-gm37-p355-3fq6" + "CGA-gm37-p355-3fq6", + "CGA-h3v9-xgx5-mrgr" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", @@ -238,6 +244,10 @@ } ], "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" @@ -285,7 +295,7 @@ "CVE-2024-56201", "GHSA-gmj6-6f8f-6699" ], - "max_severity": "5.4" + "max_severity": "8.8" }, { "ids": [ @@ -295,7 +305,7 @@ "CVE-2024-56326", "GHSA-q2x7-8rv6-6q7h" ], - "max_severity": "5.4" + "max_severity": "10.0" } ] } diff --git a/requirements/checkdmarc-requirements.txt b/requirements/checkdmarc-requirements.txt index 5281a1e5..459bd583 100644 --- a/requirements/checkdmarc-requirements.txt +++ b/requirements/checkdmarc-requirements.txt 
@@ -1,12 +1,12 @@
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 dnspython==2.7.0
 expiringdict==1.2.2
 idna==3.10
 pem==23.1.0
-publicsuffixlist==1.0.2.20241102
+publicsuffixlist==1.0.2.20241225
 pyleri==1.4.3
-pyopenssl==24.2.1
+pyopenssl==24.3.0
 requests==2.32.3
 timeout-decorator==0.5.0
-urllib3==2.2.3
+urllib3==2.3.0
 xmltodict==0.14.2
diff --git a/requirements/dstack-requirements.txt b/requirements/dstack-requirements.txt
index 3652e80b..129dd4d9 100644
--- a/requirements/dstack-requirements.txt
+++ b/requirements/dstack-requirements.txt
@@ -21,7 +21,7 @@ boto3==1.35.87
 botocore==1.35.87
 cached-classproperty==1.0.1
 cachetools==5.5.0
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 click==8.1.8
 cursor==1.3.5
 deprecated==1.2.15
@@ -45,7 +45,7 @@ google-cloud-tpu==1.20.0
 google-crc32c==1.6.0
 google-resumable-media==2.7.2
 googleapis-common-protos==1.66.0
-gpuhunt==0.0.16
+gpuhunt==0.0.17
 greenlet==3.1.1
 grpc-google-iam-v1==0.13.1
 grpcio==1.68.1
diff --git a/requirements/kaskade-requirements.txt b/requirements/kaskade-requirements.txt
index 015c2b25..31acd8e5 100644
--- a/requirements/kaskade-requirements.txt
+++ b/requirements/kaskade-requirements.txt
@@ -1,10 +1,16 @@
-attrs==24.2.0
+anyio==4.7.0
+attrs==24.3.0
 avro==1.12.0
-charset-normalizer==3.4.0
-click==8.1.7
+cachetools==5.5.0
+charset-normalizer==3.4.1
+click==8.1.8
 cloup==3.0.5
-confluent-kafka==2.6.1
-fastavro==1.9.7
+confluent-kafka==2.7.0
+fastavro==1.10.0
+googleapis-common-protos==1.66.0
+h11==0.14.0
+httpcore==1.0.7
+httpx==0.27.2
 idna==3.10
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
@@ -13,14 +19,15 @@ markdown-it-py==3.0.0
 mdit-py-plugins==0.4.2
 mdurl==0.1.2
 platformdirs==4.3.6
-protobuf==5.28.3
+protobuf==5.29.2
 pygments==2.18.0
 pyrsistent==0.20.0
 referencing==0.35.1
 requests==2.32.3
 rich==13.9.4
-rpds-py==0.21.0
-textual==0.87.1
+rpds-py==0.22.3
+sniffio==1.3.1
+textual==1.0.0
 typing-extensions==4.12.2
 uc-micro-py==1.0.3
-urllib3==2.2.3
+urllib3==2.3.0
diff --git a/requirements/moto-requirements.txt b/requirements/moto-requirements.txt
index f146af09..c4f738b0 100644
--- a/requirements/moto-requirements.txt
+++ b/requirements/moto-requirements.txt
@@ -4,10 +4,10 @@ attrs==24.3.0
 aws-sam-translator==1.94.0
 aws-xray-sdk==2.14.0
 blinker==1.9.0
-boto3==1.35.87
-botocore==1.35.87
+boto3==1.35.88
+botocore==1.35.88
 cfn-lint==1.22.2
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 click==8.1.8
 docker==7.1.0
 flask==3.1.0
@@ -18,7 +18,6 @@ itsdangerous==2.2.0
 jinja2==3.1.5
 jmespath==1.0.1
 joserfc==1.0.1
-jsondiff==2.2.1
 jsonpatch==1.33
 jsonpath-ng==1.7.0
 jsonpointer==3.0.0
@@ -34,7 +33,7 @@ openapi-schema-validator==0.6.2
 openapi-spec-validator==0.7.1
 pathable==0.4.3
 ply==3.11
-py-partiql-parser==0.5.6
+py-partiql-parser==0.6.1
 pydantic==2.10.4
 pydantic-core==2.27.2
 pyparsing==3.2.0
diff --git a/requirements/peru-requirements.txt b/requirements/peru-requirements.txt
index a7c70440..aa4d4d06 100644
--- a/requirements/peru-requirements.txt
+++ b/requirements/peru-requirements.txt
@@ -1,2 +1 @@
-docopt==0.6.2
 pyyaml==6.0.2
diff --git a/requirements/schemathesis-requirements.txt b/requirements/schemathesis-requirements.txt
index c7faffb8..c0656643 100644
--- a/requirements/schemathesis-requirements.txt
+++ b/requirements/schemathesis-requirements.txt
@@ -39,7 +39,7 @@ rpds-py==0.22.3
 six==1.17.0
 sniffio==1.3.1
 sortedcontainers==2.4.0
-starlette==0.42.0
+starlette==0.43.0
 starlette-testclient==0.4.1
 tomli==2.2.1
 tomli-w==1.1.0