Find, fix and prevent vulnerabilities in your code.

Overview

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.

Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters.

Remediation

Upgrade werkzeug to version 2.3.8, 3.0.1 or higher.

References

• GitHub Commit
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Resource Exhaustion via the idna.encode function. An attacker can consume significant resources and potentially cause a denial-of-service by supplying specially crafted arguments to this function.

Note: This is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

Remediation

Upgrade idna to version 3.7 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows), this results in a denial of service when the affected process hangs.

NOTE: Policy processing being enabled on a publicly-facing server is not considered to be a common setup.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub Issue (Python)
• RedHat Bugzilla Bug

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a read buffer overflow in certificate name constraint checking in x509/v3_ncons.c. This occurs after certificate chain signature verification, and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub Issue
• Node.js Advisory
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a double free after calling the PEM_read_bio_ex() function. An attacker who supplies a malicious PEM file with a 0-length payload can trigger a crash.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub Issue
• Node.js Advisory
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an invalid pointer dereference in the d2i_PKCS7(), d2i_PKCS7_bio() and d2i_PKCS7_fp(). An attacker could trigger a crash by supplying malicious PKCS7 data.

NOTE: The TLS implementation in OpenSSL does not call these functions.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub Issue
• Node.js Advisory
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null dereference when validating DSA public keys in the EVP_PKEY_public_check() function.

NOTE: The TLS implementation in OpenSSL does not call this function.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub Issue
• Node.js Advisory
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a exploitation of this vulnerability.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 41.0.0 or higher.

References

• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Security Advisory

Overview

Affected versions of this package are vulnerable to Timing Attack. It is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext (Marvin).

Notes:

1. Version 3.2 of this package contains an incomplete fix, which might help reduce the chances of this vulnerability being exploited. We recommend updating to version 42.0.0 for the complete fix, as advised in the advisory for CVE-2023-50782.

2. This vulnerability presents a moderate severity concern due to its specific impact on applications utilizing RSA decryption with PKCS#1 v1.5 padding. While the vulnerability could potentially lead to leakage in RSA decryption operations, its severity is downgraded to medium by several factors. Firstly, the exploitability of the vulnerability is limited to scenarios where RSA decryption with PKCS#1 v1.5 padding is employed, narrowing the scope of affected systems. Additionally, the implementation of implicit rejection, such as the Marvin workaround, provides a viable mitigation strategy.

Remediation

Upgrade cryptography to version 3.2 or higher.

References

• GitHub Commit
• RedHat Bugzilla Bug
• Vulnerability Report

Overview

Affected versions of this package are vulnerable to Use After Free in the BIO_new_NDEF() function. A new filter BIO can be freed, with the function returning a NULL result indicating a failure. But the BIO passed by the caller still holds pointers to the previously freed filter BIO. This could allow an attacker to cause a crash.

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub PR
• Node.js Advisory
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTML package or custom PackageIndex page.

Note:

Only a small portion of the user base is impacted by this flaw. Setuptools maintainers pointed out that package_index is deprecated (not formally, but “in spirit”) and the vulnerability isn't reachable through standard, recommended workflows.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade setuptools to version 65.5.1 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Release
• Pyup Blog
• Vulnerable Code

Overview

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the twisted.web.http module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.

Remediation

Upgrade Twisted to version 22.4.0rc1 or higher.

References

• GitHub Commit
• GitHub Release

Overview

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent which can cause cookies and authorization headers exposure when following cross-origin redirects.

Remediation

Upgrade Twisted to version 22.1.0 or higher.

References

• GitHub Commit
• GitHub Release

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional ContentInfo fields, which can be set to null. An attacker can cause a denial of service by sending crafted input that leads to applications loading files in PKCS12 format from untrusted sources to terminate abruptly.

Remediation

Upgrade cryptography to version 42.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub PR
• OpenSSL Advisory

Overview

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Header Injection via the NameVirtualHost function. When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.

PoC:

from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor

resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()

Output:

❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/

<html>
  <head><title>404 - No Such Resource</title></head>
  <body>
    <h1>No Such Resource</h1>
    <p>host b'<h1>hello there</h1>' not in vhost map</p>
  </body>
</html>

Remediation

Upgrade Twisted to version 22.10.0rc1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Release

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) in the DH_check(), DH_check_ex() and EVP_PKEY_param_check() functions, which are used to check a DH key or DH parameters.

When the key or parameters that are being checked contain an excessively large modulus value (the p parameter) this may cause slowness in processing. Some checks use the supplied modulus value even if it has already been found to be too large.

The OpenSSL dhparam and pkeyparam command line applications are also vulnerable, when using the -check option.

NOTE: The OpenSSL SSL/TLS implementation is not affected by this issue.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade cryptography to version 41.0.3 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Vulnerability Advisory

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when the DH_generate_key(), DH_check_pub_key(), DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate() functions are used. An attacker can cause long delays and potentially a Denial of Service by supplying excessively long X9.42 DH keys or parameters obtained from an untrusted source.

Note:

This is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. Also, the OpenSSL pkey command line application, when using the -pubcheck option, as well as the OpenSSL genpkey command line application, are vulnerable to this issue.

Remediation

Upgrade cryptography to version 42.0.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• Security Advisory

Overview

Affected versions of this package are vulnerable to Missing Cryptographic Step when the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() functions are used. An attacker can cause truncation or overreading of key and initialization vector (IV) lengths by altering the "keylen" or "ivlen" parameters within the OSSL_PARAM array after the key and IV have been established. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers, such as RC2, RC4, RC5, CCM, GCM, and OCB. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

Both truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception.

Remediation

Upgrade cryptography to version 41.0.5 or higher.

References

• GitHub Commit
• GitHub Commit
• Security Advisory

Overview

Affected versions of this package are vulnerable to Timing Attack in rsa/rsa_ossl.c. An attacker can recover ciphertext with a Bleichenbacher style attack by sending a large number of trial messages (Marvin). This affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP, and RSASVE.

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit
• GitHub Issue
• Node.js Advisory
• Vulnerability Advisory
• Vulnerability Report

Overview

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') when sending multiple HTTP requests in one TCP packet, the twisted.web function processes the requests asynchronously without guaranteeing the response order. An attacker can manipulate the response of the second request by delaying the response to the first request when a victim launches two requests using the HTTP pipeline.

Remediation

Upgrade Twisted to version 23.10.0rc1 or higher.

References

• GitHub Issue
• GitHub Release

Overview

Affected versions of this package are vulnerable to Expected Behavior Violation in Cipher.update_into, which allows immutable objects (such as bytes) to be mutated, violating fundamental rules of Python. This allows programmers to misuse an API, and cannot be exploited by attacker-controlled data alone.

Remediation

Upgrade cryptography to version 39.0.1 or higher.

References

• GitHub Commit