Title here
Summary here
Security Advisory
This page gives an overview of the already known vulnerabilities of the different components we deliver. Those vulnerabilities have been automatically detected and reported by scanning both the code and the dependencies using CodeQL and Docker Scout.
Report a vulnerability
In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the Report a vulnerability button on the Security tab in the respective GitHub repository. It creates a private communication channel between the reporter and the maintainers.
If you are absolutely unable to or have strong reasons not to use GitHub reporting workflow, please reach out to the maintainers at contact[at]defensive-lab.agency, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
Please refer to our Vulnerability Disclosure Policy.
Vulnerabilities in dependencies
Detected vulnerabilities
PiRogueToolSuite/colander
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-6345
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: /usr/local/lib/python3.10/site-packages/setuptools-65.5.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-6345 Severity : HIGH Package : pkg:pypi/setuptools@65.5.1 Affected range : <70.0.0 Fixed version : 70.0.0 CVSS Score : 8.8 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.000430 EPSS Percentile : 0.094040
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-39614
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-39614 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.000450 EPSS Percentile : 0.162260
PiRogueToolSuite/colander
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-39330
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-39330 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score : 0.000450 EPSS Percentile : 0.162260
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-38875
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-38875 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.000450 EPSS Percentile : 0.162260
PiRogueToolSuite/colander
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
- Date of analysis: 2024-04-20T07:28:12Z
- Rule: CVE-2018-20225
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: /usr/local/lib/python3.10/site-packages/pip-23.0.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2018-20225 Severity : HIGH Package : pkg:pypi/pip@23.0.1 Affected range : >=0 Fixed version : not fixed CVSS Score : 7.8 CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.001120 EPSS Percentile : 0.451440
- correctness external/cwe/cwe-020 security
- Date of analysis: 2024-04-19T07:59:45Z
- Rule: js/useless-regexp-character-escape
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: colander/static/js/colander-text-editor.js
- Details:
The escape sequence '\\b' is a backspace, and not a word-boundary assertion when it is used in a regular expression.
- correctness external/cwe/cwe-020 external/cwe/cwe-080 external/cwe/cwe-116 security
- Date of analysis: 2024-04-19T07:59:45Z
- Rule: js/incomplete-sanitization
- Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
- Location: colander/static/js/colander-text-editor.js
- Details:
This replaces only the first occurrence of /&/.
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2023-4863
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-4863 Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.0.1 Fixed version : 10.0.1 CVSS Score : 8.8 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.490950 EPSS Percentile : 0.974660
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-27983
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/playwright/driver/node
- Details:
Vulnerability : CVE-2024-27983 Severity : HIGH Package : pkg:generic/node@20.11.0 Affected range : >=20.0.0,<20.12.1 Fixed version : 20.12.1 EPSS Score : 0.000430 EPSS Percentile : 0.082100
PiRogueToolSuite/playwright-rest-api
HIGH CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HIGH CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-1135
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/gunicorn-20.1.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-1135 Severity : HIGH Package : pkg:pypi/gunicorn@20.1.0 Affected range : <22.0.0 Fixed version : 22.0.0 CVSS Score : 8.2 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N EPSS Score : 0.000430 EPSS Percentile : 0.082100
PiRogueToolSuite/playwright-rest-api
HIGH CVE-2023-50447: Improper Control of Generation of Code ('Code Injection')
HIGH CVE-2023-50447: Improper Control of Generation of Code ('Code Injection')
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2023-50447
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-50447 Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.2.0 Fixed version : 10.2.0 CVSS Score : 8.1 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score : 0.000740 EPSS Percentile : 0.309840
PiRogueToolSuite/playwright-rest-api
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2018-20225
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /root/.local/share/virtualenv/wheel/3.10/image/1/CopyPipInstall/pip-24.0-py3-none-any/pip-24.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2018-20225 Severity : HIGH Package : pkg:pypi/pip@24.0 Affected range : >=0 Fixed version : not fixed CVSS Score : 7.8 CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.001120 EPSS Percentile : 0.441280
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-24762
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/fastapi-0.95.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-24762 Severity : HIGH Package : pkg:pypi/fastapi@0.95.1 Affected range : <=0.109.0 Fixed version : 0.109.1 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.001240 EPSS Percentile : 0.464090
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-24762
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/starlette-0.26.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-24762 Severity : HIGH Package : pkg:pypi/starlette@0.26.1 Affected range : <=0.36.1 Fixed version : 0.36.2 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.001240 EPSS Percentile : 0.464090
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2023-44271
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-44271 Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.0.0 Fixed version : 10.0.0 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.000550 EPSS Percentile : 0.214920
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: GHSA-56pw-mpj4-fxww
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : GHSA-56pw-mpj4-fxww Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.0.1 Fixed version : 10.0.1
PiRogueToolSuite/threatr
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
- Date of analysis: 2024-04-20T07:21:22Z
- Rule: CVE-2018-20225
- Reference: refs/heads/main #e165de1b6006d14a626ba07bcc78b43b3549f548
- Location: /usr/local/lib/python3.10/site-packages/pip-23.0.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2018-20225 Severity : HIGH Package : pkg:pypi/pip@23.0.1 Affected range : >=0 Fixed version : not fixed CVSS Score : 7.8 CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.001120 EPSS Percentile : 0.441280
- Date of analysis: 2024-04-20T07:21:22Z
- Rule: CVE-2023-52425
- Reference: refs/heads/main #e165de1b6006d14a626ba07bcc78b43b3549f548
- Location: Dockerfile
- Details:
Vulnerability : CVE-2023-52425 Severity : HIGH Package : pkg:deb/debian/expat@2.5.0-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range : >=2.5.0-1 Fixed version : not fixed EPSS Score : 0.000570 EPSS Percentile : 0.224550
- Date of analysis: 2024-04-20T07:21:22Z
- Rule: CVE-2023-49081
- Reference: refs/heads/main #e165de1b6006d14a626ba07bcc78b43b3549f548
- Location: /usr/local/lib/python3.10/site-packages/aiohttp-3.8.6.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-49081 Severity : HIGH Package : pkg:pypi/aiohttp@3.8.6 Affected range : <3.9.0 Fixed version : 3.9.0 CVSS Score : 7.2 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score : 0.000510 EPSS Percentile : 0.183870