An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,921
With Dependabot PRs: 1,820
Critical severity: 3,520
High severity: 8,659

tuf's Metadata API: Targets.get_delegated_role() is missing input validation
GHSA-77hh-43cm-v8j6 LOW almost 2 years ago
The security of both a TUF client and repository implementations depend on the concept of trusted Metadata objects verifying the signatures over ot...
pypi · 1 Dependabot PR
Scrapy decompression bomb vulnerability
GHSA-7j7m-v7m3-jqm7 CVE-2024-3572 HIGH almost 2 years ago
### Impact Scrapy limits allowed response sizes by default through the [`DOWNLOAD_MAXSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html...
pypi · 2 Dependabot PRs
Scrapy authorization header leakage on cross-domain redirect
GHSA-cw9j-q3vf-hrrv CVE-2024-3574 HIGH almost 2 years ago
### Impact When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’...
pypi · 2 Dependabot PRs
Scrapy vulnerable to ReDoS via XMLFeedSpider
GHSA-cc65-xxvf-f7r9 CVE-2024-1892 HIGH almost 2 years ago
### Impact The following parts of the Scrapy API were found to be vulnerable to a [ReDoS attack](https://owasp.org/www-community/attacks/Regular_e...
pypi · 2 Dependabot PRs
python-multipart vulnerable to Content-Type Header ReDoS
GHSA-2jv5-9r88-3w3p CVE-2024-24762 HIGH almost 2 years ago
### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An att...
pypi · No PRs yet
commonground-api-common unexploitable privilege escalation in JWT authentication middleware
GHSA-c4cm-r9fh-jgj9 LOW almost 2 years ago
### Impact This is a privilege escalation vulnerability. The impact is negligible and entirely theoretical. A non-exploitable weakness was found ...
pypi · No PRs yet
NoneBot Potential Information Leak in User-Constructed Message Templates
GHSA-59j8-776v-xxxg CVE-2024-21624 MODERATE almost 2 years ago
### Impact This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `Mes...
pypi · No PRs yet
Kinto Attachment's attachments can be replaced on read-only records
GHSA-hvp4-vrv2-8wrq CVE-2024-1314 HIGH almost 2 years ago
### Impact The attachment file of an existing record can be replaced if the user has `"read"` permission on one of the parent (collection or bucke...
pypi · No PRs yet
DIRAC's TokenManager does not check permissions on cached tokens
GHSA-59qj-jcjv-662j CVE-2024-24825 CRITICAL almost 2 years ago
### Impact Any user could get a token that has been requested by another user/agent ### Patches The vulnerability is fixed in version 8.0.37. ##...
pypi · No PRs yet
SQLAlchemyDA unauthenticated arbitrary SQL query execution
GHSA-r3jc-3qmm-w3pw CVE-2024-24811 CRITICAL almost 2 years ago
### Impact The vulnerability allows unauthenticated execution of arbitrary SQL statements on the database the SQLAlchemyDA instance is connected to...
pypi · No PRs yet
Vyper negative array index bounds checks
GHSA-52xq-j7v9-v4v2 CVE-2024-24563 CRITICAL almost 2 years ago
### Summary Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting...
pypi · No PRs yet
Django denial-of-service attack in the intcomma template filter
GHSA-xxj9-f6rv-m3x4 CVE-2024-24680 HIGH almost 2 years ago
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a ...
pypi · 67 Dependabot PRs (19% merged)
Allegro AI ClearML path traversal vulnerability
GHSA-m95h-p4gg-wfw3 CVE-2024-24591 HIGH almost 2 years ago
A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded datase...
pypi · No PRs yet
Allegro AI ClearML vulnerable to deserialization of untrusted data
GHSA-cpcw-9h9m-wqw9 CVE-2024-24590 HIGH almost 2 years ago
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously...
pypi · No PRs yet
Ansible-core information disclosure flaw
GHSA-h24r-m9qc-pvpg CVE-2024-0690 MODERATE almost 2 years ago
An information disclosure flaw was found in ansible-core due to a failure to respect the `ANSIBLE_NO_LOG` configuration in some scenarios. It was d...
pypi · 2 Dependabot PRs
Allegro AI ClearML Stores Credentials in Plaintext in MongoDB Instance
GHSA-gvqv-h7hh-6fcc CVE-2024-24595 MODERATE almost 2 years ago
Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking al...
pypi · No PRs yet
Gradio Path Traversal vulnerability
GHSA-f3h9-8phc-6gvh CVE-2024-0964 HIGH almost 2 years ago
A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.
pypi · No PRs yet
pyLoad open redirect vulnerability due to improper validation of the is_safe_url function
GHSA-g3cm-qg2v-2hj5 CVE-2024-24808 MODERATE almost 2 years ago
### Summary Open redirect vulnerability due to incorrect validation of input values when redirecting users after login. ### Details pyload is vali...
pypi · No PRs yet
m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657
GHSA-944j-8ch6-rf6x CVE-2023-50781 MODERATE almost 2 years ago
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which ...
pypi · No PRs yet
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
GHSA-3ww4-gg4f-jr7f CVE-2023-50782 HIGH almost 2 years ago
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RS...
pypi · No PRs yet
Vyper sha3 codegen bug
GHSA-6845-xw22-ffxv CVE-2024-24559 LOW almost 2 years ago
### Summary There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. Th...
pypi · No PRs yet
Vyper's external calls can overflow return data to return input buffer
GHSA-gp3w-2v2m-p686 CVE-2024-24560 LOW almost 2 years ago
## Summary When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at by...
pypi · No PRs yet
Dash apps vulnerable to Cross-site Scripting
GHSA-547x-748v-vp6p CVE-2024-21485 MODERATE almost 2 years ago
Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash...
npm, pypi · No PRs yet
Vyper's bounds check on built-in `slice()` function can be overflowed
GHSA-9x7f-gwxq-6f2c CVE-2024-24561 CRITICAL almost 2 years ago
## Summary [The bounds check for slices](https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions...
pypi · No PRs yet
glance-store logs s3 access keys
GHSA-wgpq-p2hm-56v9 CVE-2024-1141 MODERATE almost 2 years ago
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log lev...
pypi · No PRs yet
OctoPrint Unverified Password Change via Access Control Settings
GHSA-5626-pw9c-hmjr CVE-2024-23637 MODERATE almost 2 years ago
### Impact OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other ad...
pypi · No PRs yet
Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections
GHSA-p59w-9gqw-wj8r CVE-2023-47116 MODERATE almost 2 years ago
# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi · No PRs yet
vantage6 may create unencrypted tasks in encrypted collaboration
GHSA-rjmv-52mp-gjrr CVE-2024-22193 LOW almost 2 years ago
### Impact There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accident...
pypi · No PRs yet
vantage6 vulnerable to username timing attack
GHSA-45gq-q4xh-cp53 CVE-2024-21671 LOW almost 2 years ago
### Impact It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks ### Worka...
pypi · No PRs yet
vantage6 has insecure SSH configuration for node and server containers
GHSA-2wgc-48g2-cj5w CVE-2024-21653 MODERATE almost 2 years ago
### Impact Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH serv...
pypi · No PRs yet
vantage6 remote code execution vulnerability
GHSA-w9h2-px87-74vx CVE-2024-21649 HIGH almost 2 years ago
### Impact Authenticated users could inject code into algorithm environment variables ### Workarounds No
pypi · No PRs yet
Vyper's raw_call `value=` kwargs not disabled for static and delegate calls
GHSA-x2c2-q32w-4w6m CVE-2024-24567 MODERATE almost 2 years ago
### Summary Vyper compiler allows passing a value in builtin `raw_call` even if the call is a `delegatecall` or a `staticcall`. But in the context ...
pypi · No PRs yet
aiohttp is vulnerable to directory traversal
GHSA-5h86-8mv2-jq9f CVE-2024-23334 HIGH almost 2 years ago
### Summary Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitr...
pypi · No PRs yet
aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
GHSA-8qpw-xqxj-h4r2 CVE-2024-23829 MODERATE almost 2 years ago
### Summary Security-sensitive parts of the *Python HTTP parser* retained minor differences in allowable character sets, that must trigger error ha...
pypi · No PRs yet
ai-flow Deserialization of Untrusted Data vulnerability
GHSA-7mgg-3rq2-hff4 CVE-2024-0960 MODERATE almost 2 years ago
A vulnerability was found in flink-extended ai-flow 0.3.1. It has been declared as critical. Affected by this vulnerability is the function cloudpi...
pypi · No PRs yet
Deserialization of untrusted data in synthcity
GHSA-4957-7vhp-7v59 CVE-2024-0937 CRITICAL almost 2 years ago
A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function loa...
pypi · No PRs yet
Null pointer dereference in PKCS12 parsing
GHSA-9v9h-cgj8-h64p CVE-2024-0727 MODERATE almost 2 years ago
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact sum...
pypi · 1 Dependabot PR
Apache Airflow: pickle deserialization vulnerability in XComs
GHSA-c3c6-f2ww-xfr2 CVE-2023-50943 HIGH almost 2 years ago
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of...
pypi · No PRs yet
Apache Airflow: Bypass permission verification to read code of other dags
GHSA-vm5m-qmrx-fw8w CVE-2023-50944 HIGH almost 2 years ago
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don'...
pypi · No PRs yet
Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service
GHSA-mg2x-mggj-6955 CVE-2023-51702 MODERATE almost 2 years ago
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes ...
pypi · No PRs yet
Cross-site Scripting Vulnerability on Data Import
GHSA-fq23-g58m-799r CVE-2024-23633 MODERATE almost 2 years ago
# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi · No PRs yet
Cross-site Scripting Vulnerability on Avatar Upload
GHSA-q68h-xwq5-mm7x CVE-2023-47115 HIGH almost 2 years ago
# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi · No PRs yet
Cross-site Scripting in Apache superset
GHSA-rwhh-6x83-84v6 CVE-2023-49657 CRITICAL almost 2 years ago
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions ...
pypi · No PRs yet
XSS potential in rendered Markdown fields (comments, description, notes, etc.)
GHSA-v4xv-795h-rv4h CVE-2024-23345 HIGH almost 2 years ago
### Impact All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted. Due to inadequate input sanitization, any user-e...
pypi · 1 Dependabot PR
changedetection.io API endpoint is not secured with API token
GHSA-hcvp-2cc7-jrwr CVE-2024-23329 LOW almost 2 years ago
### Summary API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user. ### Details WatchHistory resource does not hav...
pypi · No PRs yet
Minerva timing attack on P-256 in python-ecdsa
GHSA-wj6h-64fc-37mp CVE-2024-23342 HIGH almost 2 years ago
python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function an...
pypi · No PRs yet
HTML injection vulnerability in the `tuitse_html` function
GHSA-m4m5-j36m-8x72 CVE-2024-23341 MODERATE almost 2 years ago
### Impact When using `tuitse_html` without quoting the input, there is a html injection vulnerability. It should use the django version `django.u...
pypi · No PRs yet
Code execution in pandasai
GHSA-5g73-69p4-7gvx CVE-2024-23752 CRITICAL almost 2 years ago
GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Pytho...
pypi · No PRs yet
SQL injection in llama-index
GHSA-2jxw-4hm4-6w87 CVE-2024-23751 CRITICAL almost 2 years ago
LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine...
pypi · No PRs yet
Code execution in metagpt
GHSA-g7ph-8423-pf4j CVE-2024-23750 HIGH almost 2 years ago
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.P...
pypi · No PRs yet