Vulnerabilities: 4 via 4 paths
Dependencies: 14
Source: GitHub

high severity

Insufficient Verification of Data Authenticity

  • Vulnerable module: cryptography
  • Introduced through: cryptography@45.0.7

Detailed paths

  • Introduced through: ctera/ctera-python-sdk@ctera/ctera-python-sdk cryptography@45.0.7
    Remediation: Upgrade to cryptography@46.0.5.

Overview

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in public key functions public_key_from_numbers, EllipticCurvePublicNumbers.public_key, load_der_public_key, and load_pem_public_key, which may reveal bits from a private key when provided with a malicious public key as input. When the application is using sect* binary curves for verification - which is a rare use case - these functions do not verify that the provided point belongs to the expected prime-order subgroup of the curve. An attacker can thus expose partial private keys or forge signatures.

Remediation

Upgrade cryptography to version 46.0.5 or higher.

medium severity

Infinite loop

  • Vulnerable module: zipp
  • Introduced through: pydantic@2.5.3

Detailed paths

  • Introduced through: ctera/ctera-python-sdk@ctera/ctera-python-sdk pydantic@2.5.3 importlib-metadata@6.7.0 zipp@3.15.0
    Remediation: Upgrade to pydantic@2.6.0.

Overview

Affected versions of this package are vulnerable to Infinite loop where an attacker can cause the application to stop responding by initiating a loop through functions affecting the Path module, such as joinpath, the overloaded division operator, and iterdir.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users, resulting in downtime.

One well-known form of Denial of Service is DDoS (Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service through a flaw either in the application code or in the open source libraries it uses.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sends crafted requests that cause the system to take a disproportionate amount of time or memory to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sends crafted requests that cause the system to crash. For example, the npm ws package.

Remediation

Upgrade zipp to version 3.19.1 or higher.

medium severity

Improper Certificate Validation

  • Vulnerable module: cryptography
  • Introduced through: cryptography@45.0.7

Detailed paths

  • Introduced through: ctera/ctera-python-sdk@ctera/ctera-python-sdk cryptography@45.0.7
    Remediation: Upgrade to cryptography@46.0.6.

Overview

Affected versions of this package are vulnerable to Improper Certificate Validation through the NameChain DNS verification logic in src/rust/cryptography-x509-verification. An attacker can make a peer name, such as bar.example.com, validate against a wildcard leaf certificate like *.example.com even when an issuing certificate in the chain excludes that DNS subtree, causing improper certificate acceptance.

Notes

  • The flaw affects X.509 path validation when DNS name constraints are present and the leaf certificate uses a wildcard DNS SAN.
  • The maintainers note that ordinary X.509 topologies, including those used by the Web PKI, are not affected, and exploitation requires an uncommon certificate hierarchy.

Remediation

Upgrade cryptography to version 46.0.6 or higher.

medium severity

Out-of-bounds Write

  • Vulnerable module: cryptography
  • Introduced through: cryptography@45.0.7

Detailed paths

  • Introduced through: ctera/ctera-python-sdk@ctera/ctera-python-sdk cryptography@45.0.7
    Remediation: Upgrade to cryptography@46.0.7.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write in the update function when non-contiguous buffers are provided as input. An attacker can cause memory corruption or unintended behavior by supplying specially crafted non-contiguous buffers to APIs that accept Python buffers.

Note: This is only exploitable if the Python version is greater than 3.11.

Remediation

Upgrade cryptography to version 46.0.7 or higher.
