[Snyk] Fix for 13 vulnerabilities #850
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5914629 - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6036192 - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6050294 - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6092044 - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6126975 - https://snyk.io/vuln/SNYK-PYTHON-GITPYTHON-5871282 - https://snyk.io/vuln/SNYK-PYTHON-GITPYTHON-5876644 - https://snyk.io/vuln/SNYK-PYTHON-GITPYTHON-6150683 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6182918 - https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-5926907 - https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459
|
Unrestricted File Download
DescriptionUnrestricted File Downloads are a type of vulnerability that allow a malicious actor to download internal files, resulting in the potential, unintentional exposure of sensitive files, such as the configuration file, which contains credentials for the database. In milder forms, Unrestricted File Download attacks allow access to a specific directory subtree but could still enable cross-user breaches or access to crucial configuration and sensitive files. Read moreImpactThe damage an attacker can cause by employing this type of attack is really only limited by the value of the exposed information. If a developer has structured their web root folder to include sensitive configuration files, for example, the fallout will, of course, be highly damaging. Furthermore, as with many other attacks that are a part of the attacker's toolkit, the vulnerability can be used by an attacker as a stepping stone, leading to the full compromise of the system. ScenariosA classic scenario is a web application that dynamically fetches resources according to a query parameter; and the available resources are stored in a particular directory within the file systems. For example, the following URL fetches the The Directory Traversal technique is commonly used to exploit this type of vulnerability in file systems; the nickname "dot-dot-slash" is often used as an alternative label given the punctuated order of symbols ( If no checks or sanitisation are in place, it is possible to traverse the resources directory and target any file on the file system. For example, the following fetches the sensitive PreventionIf possible, developers should avoid building file path strings with user-provided input. Many functions of an application can be rewritten to deliver functionally identical behavior but in a safer manner. If passing user-supplied input to a filesystem API is absolutely necessary, developers must ensure the following:
As defense in depth, developers should never run a server component with TestingVerify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal.
|
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
By pinning:
Why? Has a fix available, CVSS 6.5
SNYK-PYTHON-CRYPTOGRAPHY-5914629
cryptography:41.0.3 -> 42.0.0Why? Has a fix available, CVSS 5.3
SNYK-PYTHON-CRYPTOGRAPHY-6036192
cryptography:41.0.3 -> 42.0.0Why? Has a fix available, CVSS 5.3
SNYK-PYTHON-CRYPTOGRAPHY-6050294
cryptography:41.0.3 -> 42.0.0Why? Proof of Concept exploit, Has a fix available, CVSS 5.9
SNYK-PYTHON-CRYPTOGRAPHY-6092044
cryptography:41.0.3 -> 42.0.0Why? Proof of Concept exploit, Has a fix available, CVSS 5.9
SNYK-PYTHON-CRYPTOGRAPHY-6126975
cryptography:41.0.3 -> 42.0.0Why? Proof of Concept exploit, Has a fix available, CVSS 7.8
SNYK-PYTHON-GITPYTHON-5871282
gitpython:3.1.32 -> 3.1.41Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
SNYK-PYTHON-GITPYTHON-5876644
gitpython:3.1.32 -> 3.1.41Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.8
SNYK-PYTHON-GITPYTHON-6150683
gitpython:3.1.32 -> 3.1.41Why? Mature exploit, Has a fix available, CVSS 9.6
SNYK-PYTHON-PILLOW-5918878
pillow:9.5.0 -> 10.2.0Why? Has a fix available, CVSS 7.5
SNYK-PYTHON-PILLOW-6043904
pillow:9.5.0 -> 10.2.0Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.1
SNYK-PYTHON-PILLOW-6182918
pillow:9.5.0 -> 10.2.0Why? Has a fix available, CVSS 5.9
SNYK-PYTHON-URLLIB3-5926907
urllib3:1.26.11 -> 1.26.18Why? Has a fix available, CVSS 4.2
SNYK-PYTHON-URLLIB3-6002459
urllib3:1.26.11 -> 1.26.18(*) Note that the real score may have changed since the PR was raised.
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Denial of Service (DoS)
🦉 NULL Pointer Dereference
🦉 Directory Traversal
🦉 More lessons are available in Snyk Learn