Title here
Summary here
Security Advisory
This page gives an overview of the already known vulnerabilities of the different components we deliver. Those vulnerabilities have been automatically detected and reported by scanning both the code and the dependencies using CodeQL and Docker Scout.
Report a vulnerability
In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the Report a vulnerability button on the Security tab in the respective GitHub repository. It creates a private communication channel between the reporter and the maintainers.
If you are absolutely unable to or have strong reasons not to use GitHub reporting workflow, please reach out to the maintainers at contact[at]defensive-lab.agency, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
Please refer to our Vulnerability Disclosure Policy.
Vulnerabilities in dependencies
Detected vulnerabilities
PiRogueToolSuite/colander
HIGH CVE-2024-53908: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
HIGH CVE-2024-53908: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Date of analysis: 2024-12-29T15:29:10Z
- Rule: CVE-2024-53908
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-53908 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2.0,<4.2.17 Fixed version : 4.2.17 CVSS Score : 7.2 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U EPSS Score : 0.000450 EPSS Percentile : 0.174220
- Date of analysis: 2024-11-28T11:19:02Z
- Rule: CVE-2024-24680
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-24680 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.10 Fixed version : 4.2.10 CVSS Score : 8.2 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score : 0.000810 EPSS Percentile : 0.365220
- correctness external/cwe/cwe-020 external/cwe/cwe-080 external/cwe/cwe-116 security
- Date of analysis: 2024-11-28T11:15:24Z
- Rule: js/incomplete-sanitization
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: colander/static/js/colander-text-editor.js
- Details:
This replaces only the first occurrence of /&/.
- correctness external/cwe/cwe-020 security
- Date of analysis: 2024-11-28T11:15:24Z
- Rule: js/useless-regexp-character-escape
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: colander/static/js/colander-text-editor.js
- Details:
The escape sequence '\b' is a backspace, and not a word-boundary assertion when it is used in a regular expression.
PiRogueToolSuite/colander
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-6345
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/setuptools-65.5.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-6345 Severity : HIGH Package : pkg:pypi/setuptools@65.5.1 Affected range : <70.0.0 Fixed version : 70.0.0 CVSS Score : 7.5 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score : 0.000430 EPSS Percentile : 0.109410
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-39614
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-39614 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 8.7 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score : 0.000450 EPSS Percentile : 0.174220
PiRogueToolSuite/colander
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-39330
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-39330 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 8.7 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N EPSS Score : 0.000450 EPSS Percentile : 0.174220
- Date of analysis: 2024-08-02T13:12:05Z
- Rule: CVE-2024-38875
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-38875 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 8.7 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score : 0.000450 EPSS Percentile : 0.174220
PiRogueToolSuite/colander
CRITICAL CVE-2024-42005: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CRITICAL CVE-2024-42005: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CRITICAL
- Date of analysis: 2024-09-05T17:24:25Z
- Rule: CVE-2024-42005
- Reference: refs/heads/main #ba16e9bf539aa2d2c4fb41af714da489df9281cf
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-42005 Severity : CRITICAL Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.15 Fixed version : 4.2.15 CVSS Score : 9.3 CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N EPSS Score : 0.000520 EPSS Percentile : 0.228520
- correctness external/cwe/cwe-020 external/cwe/cwe-080 external/cwe/cwe-116 security
- Date of analysis: 2024-12-18T10:21:24Z
- Rule: js/incomplete-multi-character-sanitization
- Reference: refs/heads/main #202904f85e65b12a266effe6d34973cbddf4c361
- Location: app/lib/single-file.js
- Details:
This string may still contain ../, which may cause a path injection vulnerability.
- correctness external/cwe/cwe-020 external/cwe/cwe-184 security
- Date of analysis: 2024-12-18T10:21:24Z
- Rule: js/incomplete-url-scheme-check
- Reference: refs/heads/main #202904f85e65b12a266effe6d34973cbddf4c361
- Location: app/lib/single-file.js
- Details:
This check does not consider data: and vbscript:.
- correctness external/cwe/cwe-020 external/cwe/cwe-184 security
- Date of analysis: 2024-12-18T10:21:24Z
- Rule: js/incomplete-url-scheme-check
- Reference: refs/heads/main #202904f85e65b12a266effe6d34973cbddf4c361
- Location: app/lib/single-file.js
- Details:
This check does not consider data: and vbscript:.
- external/cwe/cwe-312 external/cwe/cwe-359 external/cwe/cwe-532 security
- Date of analysis: 2024-11-29T06:58:33Z
- Rule: py/clear-text-logging-sensitive-data
- Reference: refs/heads/main #68014586c5a9e05e2e99083011be8197c6a79817
- Location: pirogue_evidence_collector/entrypoints/pirogue_file_drop.py
- Details:
This expression logs sensitive data (secret) as clear text.
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2023-4863
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-4863 Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.0.1 Fixed version : 10.0.1 CVSS Score : 8.8 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.490950 EPSS Percentile : 0.974660
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-27983
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/playwright/driver/node
- Details:
Vulnerability : CVE-2024-27983 Severity : HIGH Package : pkg:generic/node@20.11.0 Affected range : >=20.0.0,<20.12.1 Fixed version : 20.12.1 EPSS Score : 0.000430 EPSS Percentile : 0.082100
PiRogueToolSuite/playwright-rest-api
HIGH CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HIGH CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-1135
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/gunicorn-20.1.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-1135 Severity : HIGH Package : pkg:pypi/gunicorn@20.1.0 Affected range : <22.0.0 Fixed version : 22.0.0 CVSS Score : 8.2 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N EPSS Score : 0.000430 EPSS Percentile : 0.082100
PiRogueToolSuite/playwright-rest-api
HIGH CVE-2023-50447: Improper Control of Generation of Code ('Code Injection')
HIGH CVE-2023-50447: Improper Control of Generation of Code ('Code Injection')
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2023-50447
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-50447 Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.2.0 Fixed version : 10.2.0 CVSS Score : 8.1 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score : 0.000740 EPSS Percentile : 0.309840
PiRogueToolSuite/playwright-rest-api
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2018-20225
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /root/.local/share/virtualenv/wheel/3.10/image/1/CopyPipInstall/pip-24.0-py3-none-any/pip-24.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2018-20225 Severity : HIGH Package : pkg:pypi/pip@24.0 Affected range : >=0 Fixed version : not fixed CVSS Score : 7.8 CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.001120 EPSS Percentile : 0.441280
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-24762
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/fastapi-0.95.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-24762 Severity : HIGH Package : pkg:pypi/fastapi@0.95.1 Affected range : <=0.109.0 Fixed version : 0.109.1 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.001240 EPSS Percentile : 0.464090
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2024-24762
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/starlette-0.26.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-24762 Severity : HIGH Package : pkg:pypi/starlette@0.26.1 Affected range : <=0.36.1 Fixed version : 0.36.2 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.001240 EPSS Percentile : 0.464090
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: CVE-2023-44271
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : CVE-2023-44271 Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.0.0 Fixed version : 10.0.0 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.000550 EPSS Percentile : 0.214920
- Date of analysis: 2024-04-19T17:09:29Z
- Rule: GHSA-56pw-mpj4-fxww
- Reference: refs/heads/main #6ad107e479047c45dd7cabfb363b0e619e30a711
- Location: /usr/local/lib/python3.10/dist-packages/Pillow-9.5.0.dist-info/METADATA
- Details:
Vulnerability : GHSA-56pw-mpj4-fxww Severity : HIGH Package : pkg:pypi/pillow@9.5.0 Affected range : <10.0.1 Fixed version : 10.0.1
PiRogueToolSuite/threatr
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
HIGH CVE-2024-6345: Improper Control of Generation of Code ('Code Injection')
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-6345
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: /usr/local/lib/python3.10/site-packages/setuptools-65.5.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-6345 Severity : HIGH Package : pkg:pypi/setuptools@65.5.1 Affected range : <70.0.0 Fixed version : 70.0.0 CVSS Score : 8.8 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.000430 EPSS Percentile : 0.096120
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-39614
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-39614 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.000450 EPSS Percentile : 0.163270
PiRogueToolSuite/threatr
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HIGH CVE-2024-39330: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-39330
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-39330 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score : 0.000450 EPSS Percentile : 0.163270
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-38875
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-38875 Severity : HIGH Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.14 Fixed version : 4.2.14 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score : 0.000450 EPSS Percentile : 0.163270
PiRogueToolSuite/threatr
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
HIGH CVE-2018-20225: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
- Date of analysis: 2024-04-20T07:21:22Z
- Rule: CVE-2018-20225
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: /usr/local/lib/python3.10/site-packages/pip-23.0.1.dist-info/METADATA
- Details:
Vulnerability : CVE-2018-20225 Severity : HIGH Package : pkg:pypi/pip@23.0.1 Affected range : >=0 Fixed version : not fixed CVSS Score : 7.8 CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score : 0.001120 EPSS Percentile : 0.452940
- CRITICAL
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-45492
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: Dockerfile
- Details:
Vulnerability : CVE-2024-45492 Severity : CRITICAL Package : pkg:deb/debian/expat@2.5.0-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range : <2.5.0-1+deb12u1 Fixed version : 2.5.0-1+deb12u1 EPSS Score : 0.000910 EPSS Percentile : 0.396090
- CRITICAL
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-45491
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: Dockerfile
- Details:
Vulnerability : CVE-2024-45491 Severity : CRITICAL Package : pkg:deb/debian/expat@2.5.0-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range : <2.5.0-1+deb12u1 Fixed version : 2.5.0-1+deb12u1 EPSS Score : 0.000910 EPSS Percentile : 0.396090
- CRITICAL
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-45490
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: Dockerfile
- Details:
Vulnerability : CVE-2024-45490 Severity : CRITICAL Package : pkg:deb/debian/expat@2.5.0-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range : <2.5.0-1+deb12u1 Fixed version : 2.5.0-1+deb12u1 EPSS Score : 0.000910 EPSS Percentile : 0.396090
PiRogueToolSuite/threatr
CRITICAL CVE-2024-42005: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CRITICAL CVE-2024-42005: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CRITICAL
- Date of analysis: 2024-09-21T09:52:18Z
- Rule: CVE-2024-42005
- Reference: refs/heads/main #734e443237532ed310cae1e32bf841651ccdde70
- Location: /usr/local/lib/python3.10/site-packages/Django-4.2.8.dist-info/METADATA
- Details:
Vulnerability : CVE-2024-42005 Severity : CRITICAL Package : pkg:pypi/django@4.2.8 Affected range : >=4.2,<4.2.15 Fixed version : 4.2.15 CVSS Score : 9.1 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score : 0.000680 EPSS Percentile : 0.306890