Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

requests-2.19.1-py2.py3-none-any.whl: 4 vulnerabilities (highest severity is: 7.5) #13

Open
dev-mend-for-github-com bot opened this issue Apr 3, 2024 · 0 comments
Open

requests-2.19.1-py2.py3-none-any.whl: 4 vulnerabilities (highest severity is: 7.5) #13

dev-mend-for-github-com bot opened this issue Apr 3, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dev-mend-for-github-com
Copy link

dev-mend-for-github-com bot commented Apr 3, 2024
edited
Loading

Vulnerable Library - requests-2.19.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (requests version) Remediation Possible**
CVE-2018-18074 High 7.5 requests-2.19.1-py2.py3-none-any.whl Direct 2.20.0
CVE-2020-26137 Medium 6.5 urllib3-1.23-py2.py3-none-any.whl Transitive N/A*
CVE-2019-9740 Medium 6.1 urllib3-1.23-py2.py3-none-any.whl Transitive N/A*
CVE-2019-11324 Medium 5.3 urllib3-1.23-py2.py3-none-any.whl Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-18074

Vulnerable Library - requests-2.19.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • requests-2.19.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Publish Date: 2018-10-09

URL: CVE-2018-18074

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-18074

Release Date: 2018-10-09

Fix Resolution: 2.20.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-26137

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.19.1-py2.py3-none-any.whl (Root Library)
    • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-29

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

CVE-2019-9740

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.19.1-py2.py3-none-any.whl (Root Library)
    • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Publish Date: 2019-03-13

URL: CVE-2019-9740

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740

Release Date: 2019-03-13

Fix Resolution: v2.7.17,v3.5.8,v3.6.9,3.7.4,3.7.5

CVE-2019-11324

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.19.1-py2.py3-none-any.whl (Root Library)
    • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Publish Date: 2019-04-18

URL: CVE-2019-11324

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324

Release Date: 2019-04-18

Fix Resolution: 1.24.2

⛑️Automatic Remediation will be attempted for this issue.
@dev-mend-for-github-com dev-mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Apr 3, 2024
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title requests-2.19.1-py2.py3-none-any.whl: 4 vulnerabilities (highest severity is: 7.5) requests-2.19.1-py2.py3-none-any.whl: 3 vulnerabilities (highest severity is: 7.5) Jan 12, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title requests-2.19.1-py2.py3-none-any.whl: 3 vulnerabilities (highest severity is: 7.5) requests-2.19.1-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) Jan 16, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title requests-2.19.1-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) requests-2.19.1-py2.py3-none-any.whl: 4 vulnerabilities (highest severity is: 7.5) Jan 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants