Find, fix and prevent vulnerabilities in your code.
critical severity
- Vulnerable module: pyyaml
- Introduced through: pyyaml@5.3.1
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyyaml@5.3.1Remediation: Upgrade to pyyaml@5.4.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Execution. It processes untrusted YAML files through the full_load
method or with the FullLoader
loader. This is due to an incomplete fix for CVE-2020-1747.
Remediation
Upgrade PyYAML
to version 5.4 or higher.
References
high severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null pointer dereference in when signatures are being verified on PKCS7 signed or signedAndEnveloped data in pkcs7/pk7_doit.c
. If the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail.
NOTE: The TLS implementation in OpenSSL does not call these functions.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
high severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@42.0.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Observable Timing Discrepancy. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data (Marvin).
Note:
This vulnerability exists due to an incomplete fix for CVE-2020-25659.
Remediation
Upgrade cryptography
to version 42.0.0 or higher.
References
high severity
- Vulnerable module: flask
- Introduced through: flask@2.2.2
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › flask@2.2.2Remediation: Upgrade to flask@2.2.5.
Overview
Affected versions of this package are vulnerable to Information Exposure in the form of exposing the permanent session cookie, when all of the following conditions are met:
The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
The application sets
session.permanent = True
.The application does not access or modify the session at any point during a request.
SESSION_REFRESH_EACH_REQUEST
is enabled (the default).The application does not set a
Cache-Control
header to indicate that a page is private or should not be cached.
A response containing data intended for one client may be cached and sent to other clients. If the proxy also caches Set-Cookie
headers, it may send one client's session
cookie to other clients. Under these conditions, the Vary: Cookie
header is not set when a session is refreshed (re-sent to update the expiration) without being accessed or modified.
Remediation
Upgrade flask
to version 2.2.5, 2.3.2 or higher.
References
high severity
- Vulnerable module: grpcio
- Introduced through: grpcio@1.50.0 and grpcio-tools@1.50.0
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › grpcio@1.50.0Remediation: Upgrade to grpcio@1.53.2.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › grpcio-tools@1.50.0 › grpcio@1.50.0Remediation: Upgrade to grpcio-tools@1.57.0.
Overview
Affected versions of this package are vulnerable to Excessive Iteration. Specially crafted requests can cause a termination of connection between a proxy and a backend.
Remediation
Upgrade grpcio
to version 1.53.2, 1.54.3, 1.55.3, 1.56.2 or higher.
References
high severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in x509/v3_genn.c
, when processing X.400 addresses with CRL checking enabled (e.g. when X509_V_FLAG_CRL_CHECK
is set). An attacker in possession of both the certificate chain and CRL, of which neither needs a valid signature, can expose memory or cause a denial of service. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon.
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
high severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@41.0.2.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Improper Certificate Validation in the SSH certificate decoding process. An attacker can cause the application to accept unauthorized SSH certificates generated by ssh-keygen
, or cause certificates generated by SSHCertificateBuilder
to fail when read by ssh-keygen
.
Note: This is only exploitable if the attacker controls the SSH certificate generation process or can introduce crafted SSH certificates into the system.
Remediation
Upgrade cryptography
to version 41.0.2 or higher.
References
medium severity
- Vulnerable module: werkzeug
- Introduced through: flask@2.2.2
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › flask@2.2.2 › werkzeug@2.2.3Remediation: Upgrade to flask@2.2.2.
Overview
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.
Exploiting this vulnerability is possible if the uploaded file starts with CR
or LF
and is followed by megabytes of data without these characters.
Remediation
Upgrade werkzeug
to version 2.3.8, 3.0.1 or higher.
References
medium severity
new
- Vulnerable module: idna
- Introduced through: idna@2.6, cryptography@2.3 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › idna@2.6Remediation: Upgrade to idna@3.7.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3 › idna@2.6Remediation: Upgrade to cryptography@2.3.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3 › idna@2.6Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › twisted@20.3.0 › hyperlink@21.0.0 › idna@2.6Remediation: Upgrade to twisted@20.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3 › idna@2.6Remediation: Upgrade to service-identity@18.1.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › google-api-python-client@1.8.3 › google-api-core@1.34.1 › requests@2.31.0 › idna@2.6
Overview
Affected versions of this package are vulnerable to Resource Exhaustion via the idna.encode
function. An attacker can consume significant resources and potentially cause a denial-of-service by supplying specially crafted arguments to this function.
Note: This is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library assuming there is no preliminary input validation by the higher-level application.
Remediation
Upgrade idna
to version 3.7 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS). If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows), this results in a denial of service when the affected process hangs.
NOTE: Policy processing being enabled on a publicly-facing server is not considered to be a common setup.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a read buffer overflow in certificate name constraint checking in x509/v3_ncons.c
. This occurs after certificate chain signature verification, and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a double free after calling the PEM_read_bio_ex()
function. An attacker who supplies a malicious PEM file with a 0-length payload can trigger a crash.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) due to an invalid pointer dereference in the d2i_PKCS7()
, d2i_PKCS7_bio()
and d2i_PKCS7_fp()
. An attacker could trigger a crash by supplying malicious PKCS7 data.
NOTE: The TLS implementation in OpenSSL does not call these functions.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null dereference when validating DSA public keys in the EVP_PKEY_public_check()
function.
NOTE: The TLS implementation in OpenSSL does not call this function.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@41.0.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers.
Applications that use OBJ_obj2txt()
directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME
, CMS
, CMP/CRMF
or TS
with no message size limit may experience notable to very long delays when processing those messages, which may lead to a exploitation of this vulnerability.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 41.0.0 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@3.2.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Timing Attack. It is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext (Marvin).
Notes:
Version 3.2 of this package contains an incomplete fix, which might help reduce the chances of this vulnerability being exploited. We recommend updating to version 42.0.0 for the complete fix, as advised in the advisory for CVE-2023-50782.
This vulnerability presents a moderate severity concern due to its specific impact on applications utilizing RSA decryption with PKCS#1 v1.5 padding. While the vulnerability could potentially lead to leakage in RSA decryption operations, its severity is downgraded to medium by several factors. Firstly, the exploitability of the vulnerability is limited to scenarios where RSA decryption with PKCS#1 v1.5 padding is employed, narrowing the scope of affected systems. Additionally, the implementation of implicit rejection, such as the Marvin workaround, provides a viable mitigation strategy.
Remediation
Upgrade cryptography
to version 3.2 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Use After Free in the BIO_new_NDEF()
function. A new filter BIO can be freed, with the function returning a NULL result indicating a failure. But the BIO passed by the caller still holds pointers to the previously freed filter BIO. This could allow an attacker to cause a crash.
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: setuptools
- Introduced through: google-auth@1.35.0, grpcio-tools@1.50.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › google-auth@1.35.0 › setuptools@40.5.0Remediation: Upgrade to google-auth@2.4.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › grpcio-tools@1.50.0 › setuptools@40.5.0
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › google-api-python-client@1.8.3 › google-auth@1.35.0 › setuptools@40.5.0Remediation: Upgrade to google-api-python-client@2.109.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › twisted@20.3.0 › zope.interface@6.3 › setuptools@40.5.0
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › google-api-python-client@1.8.3 › google-api-core@1.34.1 › google-auth@1.35.0 › setuptools@40.5.0Remediation: Upgrade to google-api-python-client@2.109.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › google-api-python-client@1.8.3 › google-auth-httplib2@0.2.0 › google-auth@1.35.0 › setuptools@40.5.0
Overview
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTML package or custom PackageIndex
page.
Note:
Only a small portion of the user base is impacted by this flaw. Setuptools maintainers pointed out that package_index
is deprecated (not formally, but “in spirit”) and the vulnerability isn't reachable through standard, recommended workflows.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
A
The string must start with the letter 'A'(B|C+)+
The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the+
matches one or more times). The+
at the end of this section states that we can look for one or more matches of this section.D
Finally, we ensure this section of the string ends with a 'D'
The expression would match inputs such as ABBD
, ABCCCCD
, ABCBCCCD
and ACCCCCD
It most cases, it doesn't take very long for a regex engine to find a match:
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total
The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.
Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.
Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:
- CCC
- CC+C
- C+CC
- C+C+C.
The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.
From there, the number of steps the engine must use to validate a string just continues to grow.
String | Number of C's | Number of steps |
---|---|---|
ACCCX | 3 | 38 |
ACCCCX | 4 | 71 |
ACCCCCX | 5 | 136 |
ACCCCCCCCCCCCCCX | 14 | 65,553 |
By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.
Remediation
Upgrade setuptools
to version 65.5.1 or higher.
References
medium severity
- Vulnerable module: twisted
- Introduced through: twisted@20.3.0
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › twisted@20.3.0Remediation: Upgrade to twisted@22.4.0.
Overview
Twisted is an event-based network programming and multi-protocol integration framework.
Affected versions of this package are vulnerable to HTTP Request Smuggling in the twisted.web.http
module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers.
Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.
Remediation
Upgrade Twisted
to version 22.4.0rc1 or higher.
References
medium severity
- Vulnerable module: twisted
- Introduced through: twisted@20.3.0
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › twisted@20.3.0Remediation: Upgrade to twisted@22.1.0.
Overview
Twisted is an event-based network programming and multi-protocol integration framework.
Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in twisted.web.client.RedirectAgent
and twisted.web.client.BrowserLikeRedirectAgent
which can cause cookies and authorization headers exposure when following cross-origin redirects.
Remediation
Upgrade Twisted
to version 22.1.0 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@42.0.2.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional ContentInfo
fields, which can be set to null. An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.
Remediation
Upgrade cryptography
to version 42.0.2 or higher.
References
medium severity
- Vulnerable module: twisted
- Introduced through: twisted@20.3.0
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › twisted@20.3.0Remediation: Upgrade to twisted@22.10.0.
Overview
Twisted is an event-based network programming and multi-protocol integration framework.
Affected versions of this package are vulnerable to HTTP Header Injection via the NameVirtualHost
function. When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost
will return a NoResource
resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.
PoC:
from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor
resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()
Output:
❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/
<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>host b'<h1>hello there</h1>' not in vhost map</p>
</body>
</html>
Remediation
Upgrade Twisted
to version 22.10.0rc1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@41.0.3.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) in the DH_check()
, DH_check_ex()
and EVP_PKEY_param_check()
functions, which are used to check a DH key or DH parameters.
When the key or parameters that are being checked contain an excessively large modulus value (the p
parameter) this may cause slowness in processing. Some checks use the supplied modulus value even if it has already been found to be too large.
The OpenSSL dhparam
and pkeyparam
command line applications are also vulnerable, when using the -check
option.
NOTE: The OpenSSL SSL/TLS implementation is not affected by this issue.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 41.0.3 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@42.0.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) when the DH_generate_key()
, DH_check_pub_key()
, DH_check_pub_key_ex()
, EVP_PKEY_public_check()
, and EVP_PKEY_generate()
functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source.
Note:
This is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. Also, the OpenSSL pkey
command line application, when using the -pubcheck
option, as well as the OpenSSL genpkey
command line application, are vulnerable to this issue.
Remediation
Upgrade cryptography
to version 42.0.0 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@41.0.5.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Missing Cryptographic Step when the EVP_EncryptInit_ex2()
, EVP_DecryptInit_ex2()
or EVP_CipherInit_ex2()
functions are used. An attacker can cause truncation or overreading of key and initialization vector (IV) lengths by altering the "keylen" or "ivlen" parameters within the OSSL_PARAM
array after the key and IV have been established. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers, such as RC2, RC4, RC5, CCM, GCM, and OCB. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.
Both truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception.
Remediation
Upgrade cryptography
to version 41.0.5 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Timing Attack in rsa/rsa_ossl.c
. An attacker can recover ciphertext with a Bleichenbacher style attack by sending a large number of trial messages (Marvin). This affects all RSA padding modes: PKCS#1 v1.5
, RSA-OEAP
, and RSASVE
.
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
medium severity
- Vulnerable module: twisted
- Introduced through: twisted@20.3.0
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › twisted@20.3.0Remediation: Upgrade to twisted@23.10.0.
Overview
Twisted is an event-based network programming and multi-protocol integration framework.
Affected versions of this package are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') when sending multiple HTTP requests in one TCP packet, the twisted.web
function processes the requests asynchronously without guaranteeing the response order. An attacker can manipulate the response of the second request by delaying the response to the first request when a victim launches two requests using the HTTP pipeline.
Remediation
Upgrade Twisted
to version 23.10.0rc1 or higher.
References
medium severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@39.0.1.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Expected Behavior Violation in Cipher.update_into
, which allows immutable objects (such as bytes
) to be mutated, violating fundamental rules of Python. This allows programmers to misuse an API, and cannot be exploited by attacker-controlled data alone.
Remediation
Upgrade cryptography
to version 39.0.1 or higher.
References
low severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@41.0.3.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) when the DH_check()
, DH_check_ex()
, or EVP_PKEY_param_check()
functions are used to check a DH key or DH parameters. An attacker can cause long delays and potentially a Denial of Service (DoS) by providing excessively long DH keys or parameters from an untrusted source. This is only exploitable if the application calls these functions and supplies a key or parameters obtained from an untrusted source.
Note: The OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade cryptography
to version 41.0.3 or higher.
References
low severity
- Vulnerable module: cryptography
- Introduced through: cryptography@2.3, pyopenssl@17.5.0 and others
Detailed paths
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › cryptography@2.3Remediation: Upgrade to cryptography@41.0.3.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to pyopenssl@23.3.0.
-
Introduced through: theQRL/QRL@theQRL/QRL#745ceb6d40302404a1d4582cbef23a046ca99e42 › service-identity@17.0.0 › pyopenssl@17.5.0 › cryptography@2.3Remediation: Upgrade to service-identity@18.1.0.
Overview
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the AES-SIV cipher implementation in ciphers/cipher_aes_siv.c
, which ignores empty associated data entries, making them unauthenticated.
Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation.
NOTE: This issue does not affect non-empty associated data authentication and the maintainers are currently unaware of any applications that use empty associated data entries.
Remediation
Upgrade cryptography
to version 41.0.3 or higher.