Security Advisory

This page gives an overview of the known vulnerabilities in the components we deliver. They have been detected and reported automatically by scanning both the code and the dependencies with CodeQL and Docker Scout.

Report a vulnerability

So that vulnerability reports reach the maintainers as quickly as possible, the preferred way to report is the Report a vulnerability button on the Security tab of the relevant GitHub repository. This opens a private communication channel between the reporter and the maintainers.

If you are unable to use the GitHub reporting workflow, or have strong reasons not to, please contact the maintainers at contact[at]defensive-lab.agency and provide all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Please refer to our Vulnerability Disclosure Policy.

Vulnerabilities in dependencies

Component            Severity  Rule / Vulnerability
colander             HIGH      CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
colander             HIGH      CVE-2024-39614: Allocation of Resources Without Limits or Throttling
colander             HIGH      CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
colander             HIGH      CVE-2024-38875: Improper Handling of Length Parameter Inconsistency
colander             HIGH      CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
colander             HIGH      Useless regular-expression character escape
colander             HIGH      Incomplete string escaping or encoding
playwright-rest-api  HIGH      CVE-2023-4863: Out-of-bounds Write
playwright-rest-api  HIGH      CVE-2024-27983
playwright-rest-api  HIGH      CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
playwright-rest-api  HIGH      CVE-2023-50447: Improper Control of Generation of Code ('Code Injection')
playwright-rest-api  HIGH      CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
playwright-rest-api  HIGH      CVE-2024-24762: Uncontrolled Resource Consumption (fastapi)
playwright-rest-api  HIGH      CVE-2024-24762: Uncontrolled Resource Consumption (starlette)
playwright-rest-api  HIGH      CVE-2023-44271: Uncontrolled Resource Consumption
playwright-rest-api  HIGH      GHSA-56pw-mpj4-fxww
threatr              HIGH      CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
threatr              HIGH      CVE-2023-52425
threatr              HIGH      CVE-2023-49081: Improper Input Validation

Detected vulnerabilities

PiRogueToolSuite/colander
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
  • Date of analysis: 2024-08-02T13:12:05Z
  • Rule: CVE-2024-6345
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: /usr/local/lib/python3.10/site-packages/setuptools-65.5.1.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-6345
      Severity        : HIGH
      Package         : pkg:pypi/setuptools@65.5.1
      Affected range  : <70.0.0
      Fixed version   : 70.0.0
      CVSS Score      : 8.8
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.000430
      EPSS Percentile : 0.094040

PiRogueToolSuite/colander
HIGH CVE-2024-39614: Allocation of Resources Without Limits or Throttling
  • Date of analysis: 2024-08-02T13:12:05Z
  • Rule: CVE-2024-39614
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-39614
      Severity        : HIGH
      Package         : pkg:pypi/django@4.2.8
      Affected range  : >=4.2,<4.2.14
      Fixed version   : 4.2.14
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      EPSS Score      : 0.000450
      EPSS Percentile : 0.162260

PiRogueToolSuite/colander
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Date of analysis: 2024-08-02T13:12:05Z
  • Rule: CVE-2024-39330
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-39330
      Severity        : HIGH
      Package         : pkg:pypi/django@4.2.8
      Affected range  : >=4.2,<4.2.14
      Fixed version   : 4.2.14
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
      EPSS Score      : 0.000450
      EPSS Percentile : 0.162260

PiRogueToolSuite/colander
HIGH CVE-2024-38875: Improper Handling of Length Parameter Inconsistency
  • Date of analysis: 2024-08-02T13:12:05Z
  • Rule: CVE-2024-38875
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-38875
      Severity        : HIGH
      Package         : pkg:pypi/django@4.2.8
      Affected range  : >=4.2,<4.2.14
      Fixed version   : 4.2.14
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      EPSS Score      : 0.000450
      EPSS Percentile : 0.162260

PiRogueToolSuite/colander
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
  • Date of analysis: 2024-04-20T07:28:12Z
  • Rule: CVE-2018-20225
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: /usr/local/lib/python3.10/site-packages/pip-23.0.1.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2018-20225
      Severity        : HIGH
      Package         : pkg:pypi/pip@23.0.1
      Affected range  : >=0
      Fixed version   : not fixed
      CVSS Score      : 7.8
      CVSS Vector     : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.001120
      EPSS Percentile : 0.451440

PiRogueToolSuite/colander
HIGH Useless regular-expression character escape
  • Tags: correctness, external/cwe/cwe-020, security
  • Date of analysis: 2024-04-19T07:59:45Z
  • Rule: js/useless-regexp-character-escape
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: colander/static/js/colander-text-editor.js
  • Details:
    The escape sequence '\\b' is a backspace, and not a word-boundary assertion when it is used in a regular expression.

PiRogueToolSuite/colander
HIGH Incomplete string escaping or encoding
  • Tags: correctness, external/cwe/cwe-020, external/cwe/cwe-080, external/cwe/cwe-116, security
  • Date of analysis: 2024-04-19T07:59:45Z
  • Rule: js/incomplete-sanitization
  • Reference: refs/heads/main #b6d14fdbc906e92dd0101dee46b7a595a15fda9b
  • Location: colander/static/js/colander-text-editor.js
  • Details:
    This replaces only the first occurrence of /&/.

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2023-4863: Out-of-bounds Write
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2023-4863
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2023-4863
      Severity        : HIGH
      Package         : pkg:pypi/pillow@9.5.0
      Affected range  : <10.0.1
      Fixed version   : 10.0.1
      CVSS Score      : 8.8
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.490950
      EPSS Percentile : 0.974660

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2024-27983
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2024-27983
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/playwright/driver/node
  • Details:
      Vulnerability   : CVE-2024-27983
      Severity        : HIGH
      Package         : pkg:generic/node@20.11.0
      Affected range  : >=20.0.0,<20.12.1
      Fixed version   : 20.12.1
      EPSS Score      : 0.000430
      EPSS Percentile : 0.082100

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2024-1135
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/gunicorn-20.1.0.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-1135
      Severity        : HIGH
      Package         : pkg:pypi/gunicorn@20.1.0
      Affected range  : <22.0.0
      Fixed version   : 22.0.0
      CVSS Score      : 8.2
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
      EPSS Score      : 0.000430
      EPSS Percentile : 0.082100

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2023-50447: Improper Control of Generation of Code ('Code Injection')
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2023-50447
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2023-50447
      Severity        : HIGH
      Package         : pkg:pypi/pillow@9.5.0
      Affected range  : <10.2.0
      Fixed version   : 10.2.0
      CVSS Score      : 8.1
      CVSS Vector     : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
      EPSS Score      : 0.000740
      EPSS Percentile : 0.309840

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2018-20225
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /root/.local/share/virtualenv/wheel/3.10/image/1/CopyPipInstall/pip-24.0-py3-none-any/pip-24.0.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2018-20225
      Severity        : HIGH
      Package         : pkg:pypi/pip@24.0
      Affected range  : >=0
      Fixed version   : not fixed
      CVSS Score      : 7.8
      CVSS Vector     : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.001120
      EPSS Percentile : 0.441280

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2024-24762: Uncontrolled Resource Consumption
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2024-24762
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/fastapi-0.95.1.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-24762
      Severity        : HIGH
      Package         : pkg:pypi/fastapi@0.95.1
      Affected range  : <=0.109.0
      Fixed version   : 0.109.1
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      EPSS Score      : 0.001240
      EPSS Percentile : 0.464090

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2024-24762: Uncontrolled Resource Consumption
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2024-24762
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/starlette-0.26.1.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2024-24762
      Severity        : HIGH
      Package         : pkg:pypi/starlette@0.26.1
      Affected range  : <=0.36.1
      Fixed version   : 0.36.2
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      EPSS Score      : 0.001240
      EPSS Percentile : 0.464090

PiRogueToolSuite/playwright-rest-api
HIGH CVE-2023-44271: Uncontrolled Resource Consumption
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: CVE-2023-44271
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2023-44271
      Severity        : HIGH
      Package         : pkg:pypi/pillow@9.5.0
      Affected range  : <10.0.0
      Fixed version   : 10.0.0
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      EPSS Score      : 0.000550
      EPSS Percentile : 0.214920

PiRogueToolSuite/playwright-rest-api
HIGH GHSA-56pw-mpj4-fxww
  • Date of analysis: 2024-04-19T17:09:29Z
  • Rule: GHSA-56pw-mpj4-fxww
  • Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
  • Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
  • Details:
      Vulnerability   : GHSA-56pw-mpj4-fxww
      Severity        : HIGH
      Package         : pkg:pypi/pillow@9.5.0
      Affected range  : <10.0.1
      Fixed version   : 10.0.1

PiRogueToolSuite/threatr
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
  • Date of analysis: 2024-04-20T07:21:22Z
  • Rule: CVE-2018-20225
  • Reference: refs/heads/main #e165de1b6006d14a626ba07bcc78b43b3549f548
  • Location: /usr/local/lib/python3.10/site-packages/pip-23.0.1.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2018-20225
      Severity        : HIGH
      Package         : pkg:pypi/pip@23.0.1
      Affected range  : >=0
      Fixed version   : not fixed
      CVSS Score      : 7.8
      CVSS Vector     : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.001120
      EPSS Percentile : 0.441280

PiRogueToolSuite/threatr
HIGH CVE-2023-52425
  • Date of analysis: 2024-04-20T07:21:22Z
  • Rule: CVE-2023-52425
  • Reference: refs/heads/main #e165de1b6006d14a626ba07bcc78b43b3549f548
  • Location: Dockerfile
  • Details:
      Vulnerability   : CVE-2023-52425
      Severity        : HIGH
      Package         : pkg:deb/debian/expat@2.5.0-1?os_distro=bookworm&os_name=debian&os_version=12
      Affected range  : >=2.5.0-1
      Fixed version   : not fixed
      EPSS Score      : 0.000570
      EPSS Percentile : 0.224550

PiRogueToolSuite/threatr
HIGH CVE-2023-49081: Improper Input Validation
  • Date of analysis: 2024-04-20T07:21:22Z
  • Rule: CVE-2023-49081
  • Reference: refs/heads/main #e165de1b6006d14a626ba07bcc78b43b3549f548
  • Location: /usr/local/lib/python3.10/site-packages/aiohttp-3.8.6.dist-info/METADATA
  • Details:
      Vulnerability   : CVE-2023-49081
      Severity        : HIGH
      Package         : pkg:pypi/aiohttp@3.8.6
      Affected range  : <3.9.0
      Fixed version   : 3.9.0
      CVSS Score      : 7.2
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
      EPSS Score      : 0.000510
      EPSS Percentile : 0.183870