An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 25,040
With Dependabot PRs: 1,845
Critical Severity: 3,533
High Severity: 8,709

Ryu Infinite Loop vulnerability
GHSA-m9vm-8mv9-v5v3 CVE-2024-34487 MODERATE over 1 year ago
`OFPFlowStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `inst.length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-59p2-v62x-gxj8 CVE-2024-34489 HIGH over 1 year ago
`OFPHello` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-fgpw-cx3v-wj95 CVE-2024-34486 HIGH over 1 year ago
`OFPPacketQueue` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `OFPQueueProp.len=0`.
pypi
No PRs yet
sagemaker-python-sdk Command Injection vulnerability
GHSA-7pc3-pr3q-58vg CVE-2024-34073 HIGH over 1 year ago
Impact: The capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module before version 2.214.3 allows for p...
pypi
No PRs yet
sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data
GHSA-wjvx-jhpj-r54r CVE-2024-34072 HIGH over 1 year ago
Impact: sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is ...
pypi
No PRs yet
tqdm CLI arguments injection attack
GHSA-g7vv-2v7x-gj9p CVE-2024-34062 LOW over 1 year ago
Impact: Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrar...
pypi
483 Dependabot PRs, 17% merged
LIEF obtain sensitive information via the name parameter
GHSA-377p-g8gr-5wpg CVE-2024-31636 LOW over 1 year ago
An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive information via the name parameter of the machd_reader.c component.
pypi
No PRs yet
changedetection.io Cross-site Scripting vulnerability
GHSA-pwgc-w4x9-gw67 CVE-2024-34061 MODERATE over 1 year ago
Summary: Input in parameter notification_urls is not processed, resulting in JavaScript execution in the application. Details: changedetectio...
pypi
No PRs yet
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
GHSA-5m98-qgg9-wh84 CVE-2024-30251 HIGH over 1 year ago
Summary: An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will ente...
pypi
No PRs yet
pgAdmin Cross-site Scripting vulnerability in /settings/store API response json payload
GHSA-xv64-8p4r-94gq CVE-2024-4216 HIGH over 1 year ago
pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malici...
pypi
No PRs yet
pgAdmin is affected by a multi-factor authentication bypass vulnerability
GHSA-2mvc-557g-5638 CVE-2024-4215 MODERATE over 1 year ago
pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitim...
pypi
No PRs yet
CraftBeerPi 4 allows arbitrary code execution
GHSA-4f92-w438-f484 CVE-2024-3955 CRITICAL over 1 year ago
URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os....
pypi
No PRs yet
Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`
GHSA-w2v8-php4-p8hc CVE-2024-32882 LOW over 1 year ago
Impact: If a model has been made available for editing through the [`wagtail.contrib.settings`](https://docs.wagtail.org/en/stable/reference/con...
pypi
No PRs yet
nautobot has reflected Cross-site Scripting potential in all object list views
GHSA-jxgr-gcj5-cqqg CVE-2024-32979 HIGH over 1 year ago
Impact: It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL coul...
pypi
No PRs yet
PyPXE Buffer Overflow vulnerability
GHSA-82wx-rxf8-fxch CVE-2023-46960 HIGH over 1 year ago
Buffer Overflow vulnerability in PyPXE v.1.8.4 allows a remote attacker to cause a denial of service via the handle function in the tftp module.
pypi
No PRs yet
dcnnt-py is vulnerable to command injection via Notification Handler
GHSA-8p42-7597-p2f6 CVE-2023-1000 MODERATE over 1 year ago
A vulnerability was found in cyanomiko dcnnt-py up to 0.9.0. It has been classified as critical. Affected is the function main of the file dcnnt/pl...
pypi
No PRs yet
python-jose denial of service via compressed JWE content
GHSA-cjwg-qfpm-7377 CVE-2024-33664 MODERATE over 1 year ago
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (J...
pypi
243 Dependabot PRs, 13% merged
python-jose algorithm confusion with OpenSSH ECDSA keys
GHSA-6c5p-j8vq-pqhj CVE-2024-33663 CRITICAL over 1 year ago
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
pypi
243 Dependabot PRs, 13% merged
vyper's range(start, start + N) reverts for negative numbers
GHSA-ppx5-q359-pvwj CVE-2024-32481 MODERATE over 1 year ago
Summary: When looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. Det...
pypi
No PRs yet
vyper performs incorrect topic logging in raw_log
GHSA-xchq-w5r3-4wg3 CVE-2024-32645 MODERATE over 1 year ago
Summary: Incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract sear...
pypi
No PRs yet
vyper performs double eval of the slice start/length args in certain cases
GHSA-r56x-j438-vw5m CVE-2024-32646 MODERATE over 1 year ago
Summary: Using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<add...
pypi
No PRs yet
vyper performs double eval of raw_args in create_from_blueprint
GHSA-3whq-64q2-qfj6 CVE-2024-32647 MODERATE over 1 year ago
Summary: Using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has si...
pypi
No PRs yet
vyper default functions don't respect nonreentrancy keys
GHSA-m2v9-w374-5hj9 CVE-2024-32648 MODERATE over 1 year ago
Summary: Prior to v0.3.0, `__default__()` functions did not respect the `@nonreentrancy` decorator and the lock was not emitted. This is a known...
pypi
No PRs yet
vyper performs multiple eval of the `sqrt()` builtin's argument
GHSA-5jrj-52x8-m64h CVE-2024-32649 MODERATE over 1 year ago
Summary: Using the `sqrt` builtin can result in multiple evaluation of side effects when the argument has side effects. The bug is more dif...
pypi
No PRs yet
pyLoad allows upload to an arbitrary folder, leading to RCE
GHSA-3f7w-p8vr-4v5f CVE-2024-32880 CRITICAL over 1 year ago
Summary: An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code executio...
pypi
No PRs yet
social-auth-app-django affected by Improper Handling of Case Sensitivity
GHSA-2gr8-3wc7-xhj3 CVE-2024-32879 MODERATE over 1 year ago
Impact: Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and ...
pypi
11 Dependabot PRs, 9% merged
Synapse V2 state resolution weakness allows Denial of Service (DoS)
GHSA-3h7q-rfh9-xm4v CVE-2024-31208 MODERATE over 1 year ago
Impact: A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events...
pypi
No PRs yet
cg vulnerable to an Open Redirect Vulnerability on Referer Header
GHSA-w228-rfpx-fhm4 MODERATE over 1 year ago
Summary: A vulnerability has been discovered in the handling of the referrer header in the application, which could allow an attacker to conduc...
pypi
No PRs yet
dbt uses a SQLparse version with a high vulnerability
GHSA-p72q-h37j-3hq7 HIGH over 1 year ago
Summary: Using a version of `sqlparse` that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends u...
pypi
No PRs yet
OpenStack Storlets arbitrary code execution vulnerability
GHSA-rfm2-f94j-qhjp CVE-2024-28717 HIGH over 1 year ago
An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.
pypi
No PRs yet
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider
GHSA-3gg8-mc87-cq3h CVE-2024-29733 LOW over 1 year ago
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connec...
pypi
No PRs yet
flask-cors vulnerable to log injection when the log level is set to debug
GHSA-84pr-m4jr-85g5 CVE-2024-1681 MODERATE over 1 year ago
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file...
pypi
713 Dependabot PRs, 9% merged
Sentry vulnerable to leaking superuser cleartext password in logs
GHSA-6cjm-4pxw-7xp9 CVE-2024-32474 HIGH over 1 year ago
Impact: When authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in...
pypi
No PRs yet
aiohttp Cross-site Scripting vulnerability on index pages for static file handling
GHSA-7gpw-8wmc-pm8g CVE-2024-27306 MODERATE over 1 year ago
Summary: An XSS vulnerability exists on index pages for static file handling. Details: When using `web.static(..., show_index=True)`, the r...
pypi
No PRs yet
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
GHSA-2522-mrjc-m688 CVE-2024-31869 MODERATE over 1 year ago
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "config...
pypi
No PRs yet
Pytorch use-after-free vulnerability
GHSA-pg7h-5qx3-wjr3 CVE-2024-31583 HIGH over 1 year ago
Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.
pypi
No PRs yet
PyTorch heap buffer overflow vulnerability
GHSA-5pcm-hx3q-hm94 CVE-2024-31580 HIGH over 1 year ago
PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerabi...
pypi
No PRs yet
Keras code injection vulnerability
GHSA-x4wf-678h-2pmq CVE-2024-3660 CRITICAL over 1 year ago
An arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissio...
pypi
No PRs yet
langchain vulnerable to path traversal
GHSA-rgp8-pm28-3759 CVE-2024-3571 MODERATE over 1 year ago
langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-hq88-wg7q-gp4g CVE-2024-3573 CRITICAL over 1 year ago
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary f...
pypi
No PRs yet
llama-index-core Command Injection vulnerability
GHSA-r6gp-rff2-p3hf CVE-2024-3271 CRITICAL over 1 year ago
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass ...
pypi
No PRs yet
Cross-site Scripting (XSS) in mindsdb/mindsdb
GHSA-93c5-rj2p-w52x CVE-2024-3575 MODERATE over 1 year ago
When a user uploads a csv file that contains a JavaScript payload, a Cross-site Scripting (XSS) is triggered when the file is viewed. This is true ...
pypi
No PRs yet
zenml Session Fixation vulnerability
GHSA-g3r5-72hf-p7p2 CVE-2024-2260 MODERATE over 1 year ago
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon l...
pypi
No PRs yet
Directory traversal in zenml
GHSA-6h3f-43vq-53hj CVE-2024-2083 CRITICAL over 1 year ago
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit ...
pypi
No PRs yet
gradio vulnerable to Path Traversal
GHSA-g9cj-cfpp-4g2x CVE-2024-1561 HIGH over 1 year ago
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-j62r-wxqq-f3gf CVE-2024-1558 HIGH over 1 year ago
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-f42m-mvfv-cgw5 CVE-2024-1593 HIGH over 1 year ago
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal seque...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-m49c-5c52-6696 CVE-2024-1594 HIGH over 1 year ago
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when c...
pypi
No PRs yet
Insecure deserialization in BentoML
GHSA-hvj5-mvw9-93j3 CVE-2024-2912 CRITICAL over 1 year ago
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-5mvj-wmgj-7q8c CVE-2024-1560 HIGH over 1 year ago
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypas...
pypi
No PRs yet