An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,921
With Dependabot PRs: 1,821
Critical Severity: 3,520
High Severity: 8,659

Apache Airflow Improper Access Control vulnerability
GHSA-5938-79hg-xh3q CVE-2023-50783 MODERATE almost 2 years ago
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to up...
pypi
No PRs yet
Apache Airflow Cross-Site Request Forgery vulnerability
GHSA-6m9r-7wrx-xmr6 CVE-2023-49920 MODERATE almost 2 years ago
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation....
pypi
No PRs yet
Apache Airflow has a stored cross-site scripting vulnerability
GHSA-pxch-wr7m-rwxj CVE-2023-47265 MODERATE almost 2 years ago
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascri...
pypi
No PRs yet
Apache Airflow vulnerable to Exposure of Resource to Wrong Sphere
GHSA-8f57-wcmg-4jmh CVE-2023-48291 MODERATE almost 2 years ago
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, t...
pypi
No PRs yet
transformers has a Deserialization of Untrusted Data vulnerability
GHSA-v68g-wm8c-6x7j CVE-2023-7018 HIGH almost 2 years ago
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
pypi
No PRs yet
MLflow Path Traversal Vulnerability
GHSA-5r3q-93q3-f978 CVE-2023-6909 HIGH almost 2 years ago
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
pypi
No PRs yet
MLflow Path Traversal Vulnerability
GHSA-wv8q-4f85-2p8p CVE-2023-6976 HIGH almost 2 years ago
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
pypi
No PRs yet
MLflow Local File Disclosure Vulnerability
GHSA-qg8p-32gr-gh6x CVE-2023-6977 HIGH almost 2 years ago
This vulnerability enables malicious users to read sensitive files on the server.
pypi
No PRs yet
MLflow Server-Side Request Forgery (SSRF)
GHSA-59v3-898r-qwhj CVE-2023-6974 CRITICAL almost 2 years ago
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (i.e. an AWS instance) it could be abused to get a remot...
pypi
No PRs yet
MLFlow Path Traversal Vulnerability
GHSA-hh8p-p8mp-gqhm CVE-2023-6975 CRITICAL almost 2 years ago
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
pypi
No PRs yet
Expired tokens can be renewed without validating the account password
GHSA-9wgg-m99q-hhfc HIGH almost 2 years ago
### Impact In versions of the proxy from `2022-09-05` onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credential...
pypi
No PRs yet
transformers has a Deserialization of Untrusted Data vulnerability
GHSA-3863-2447-669p CVE-2023-6730 CRITICAL almost 2 years ago
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.
pypi
No PRs yet
Apache Superset incorrect write permissions vulnerability
GHSA-g49j-j489-3xpf CVE-2023-49734 HIGH almost 2 years ago
An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of t...
pypi
No PRs yet
Apache Superset SQL injection vulnerability
GHSA-jfxj-xf67-x723 CVE-2023-49736 MODERATE almost 2 years ago
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache S...
pypi
No PRs yet
Apache Superset uncontrolled resource consumption
GHSA-95mg-jgfx-54v9 CVE-2023-46104 MODERATE almost 2 years ago
Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or dataset...
pypi
No PRs yet
mlflow Command Injection vulnerability
GHSA-hvc6-42vf-jhf8 CVE-2023-6940 HIGH almost 2 years ago
With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system.
pypi
No PRs yet
Maloja error page XSS vulnerability
GHSA-4h72-34j6-j8x7 MODERATE almost 2 years ago
### Impact The error page for a missing path echoes the path back to the user. If this contains HTML, an attacker could execute a script on the use...
pypi
No PRs yet
AsyncSSH vulnerable to Prefix Truncation Attack (a.k.a. Terrapin Attack) against ChaCha20-Poly1305 and Encrypt-then-MAC
GHSA-hfmc-7525-mj55 MODERATE almost 2 years ago
### Summary AsyncSSH v2.14.1 and earlier is vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-mid...
pypi
2 Dependabot PRs
User accounts disclosed to unauthenticated actors on the LAN
GHSA-jqpc-rc7g-vf83 CVE-2023-50715 MODERATE almost 2 years ago
### Summary The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. ### ...
pypi
No PRs yet
GitHub Security Lab (GHSL) Vulnerability Report: Arbitrary write GHSL-2023-182
GHSA-j8w6-2r9h-cxhj CVE-2023-50731 HIGH almost 2 years ago
### Impact Issue: Arbitrary file write in file.py (GHSL-2023-183) ### Patches Use mindsdb staging branch or v23.11.4.1
pypi
No PRs yet
Path traversal in MLflow
GHSA-554w-xh4j-8w64 CVE-2023-6831 CRITICAL almost 2 years ago
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
pypi
No PRs yet
Gradio Exposure of Sensitive Information to an Unauthorized Actor vulnerability
GHSA-gqvf-3hgp-5hxv CVE-2023-6572 CRITICAL almost 2 years ago
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.
pypi
No PRs yet
External Control of File Name or Path in h2oai/h2o-3
GHSA-gqrq-j6pm-98c2 CVE-2023-6569 CRITICAL almost 2 years ago
Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is no...
pypi
No PRs yet
Out of memory error when submitting the dataset form with a specially-crafted field
GHSA-7fgc-89cx-w8j5 CVE-2023-50248 MODERATE almost 2 years ago
### Impact When submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a s...
pypi
No PRs yet
Unauthenticated db-file-storage views
GHSA-75mc-3pjc-727q CVE-2023-50263 LOW almost 2 years ago
### Impact In Nautobot 1.x and 2.0.x, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files t...
pypi
No PRs yet
Improper validation in meraki
GHSA-6x4h-9622-fqr6 HIGH almost 2 years ago
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the ...
pypi
No PRs yet
Improper Privilege Management in sap-xssec
GHSA-6mjg-37cp-42x5 CVE-2023-50423 CRITICAL almost 2 years ago
### Impact SAP BTP Security Services Integration Library ([Python] sap-xssec) allows under certain conditions an escalation of privileges. On succ...
pypi
No PRs yet
incorrect storage layout for contracts containing large arrays
GHSA-6m97-7527-mh74 CVE-2023-46247 HIGH almost 2 years ago
### Impact contracts containing large arrays might underallocate the number of slots they need. prior to v0.3.8, the calculation to determine how m...
pypi
No PRs yet
Ansible template injection vulnerability
GHSA-7j69-qfc3-2fq9 CVE-2023-5764 MODERATE almost 2 years ago
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from temp...
pypi
No PRs yet
Path traversal in MLflow
GHSA-v945-r3rc-6fjm CVE-2023-6753 HIGH almost 2 years ago
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
pypi
No PRs yet
Exposure of Sensitive Information in mltable
GHSA-m5pc-86x8-wcxg CVE-2023-35625 MODERATE almost 2 years ago
Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability
pypi
No PRs yet
Jinja2 template injection in mlflow
GHSA-cxfr-5q3r-2rc2 CVE-2023-6709 HIGH almost 2 years ago
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
pypi
No PRs yet
Improper Input Validation in mindsdb
GHSA-crhp-7c74-cg4c CVE-2023-49796 MODERATE almost 2 years ago
### Impact The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled `name` value, which is used in a ...
pypi
No PRs yet
Server-Side Request Forgery in mindsdb
GHSA-34mr-6q8x-g9r6 CVE-2023-49795 MODERATE almost 2 years ago
### Impact The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled URL in the source variable and us...
pypi
No PRs yet
Local Privilege Escalation in Windows
GHSA-9w2p-rh8c-v9g5 CVE-2023-49797 HIGH almost 2 years ago
### Impact A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the u...
pypi
No PRs yet
dbt-core's secret env vars written to package-lock.json in plaintext
GHSA-j4g3-3q8x-jxqp LOW almost 2 years ago
### Impact When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with...
pypi
No PRs yet
DockerSpawner allows any image by default
GHSA-hfgr-h3vc-p6c2 CVE-2023-48311 MODERATE almost 2 years ago
### Impact Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configurat...
pypi
No PRs yet
Cross-site Scripting (XSS) in MLflow
GHSA-vwhf-3v6x-wff8 CVE-2023-6568 MODERATE about 2 years ago
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type h...
pypi
No PRs yet
pubnub Insufficient Entropy vulnerability
GHSA-5844-q3fc-56rh CVE-2023-26154 MODERATE about 2 years ago
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versi...
cargo, go, maven, +6 more
No PRs yet
PyDrive2's unsafe YAML deserialization in LoadSettingsFile allows arbitrary code execution
GHSA-v5f6-hjmf-9mc5 CVE-2023-49297 LOW about 2 years ago
### Summary Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution ...
pypi
No PRs yet
jupyter-server errors include tracebacks with path information
GHSA-h56g-gq9v-vc8r CVE-2023-49080 MODERATE about 2 years ago
### Impact Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by whic...
pypi
7 Dependabot PRs (57% merged)
Information exposure in MLflow
GHSA-wqxf-447m-6f5f CVE-2023-43472 HIGH about 2 years ago
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
pypi
No PRs yet
Cookie leakage between different users in fastapi-proxy-lib
GHSA-7vwr-g6pm-9hc8 HIGH about 2 years ago
### Impact In the implementation of version `0.0.1`, requests from different user clients are processed using a shared `httpx.AsyncClient`. Howev...
pypi
No PRs yet
Reflected XSS Vulnerability in dpaste
GHSA-r8j9-5cj7-cv39 CVE-2023-49277 MODERATE about 2 years ago
### Impact A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This ...
pypi
No PRs yet
cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
GHSA-jfhm-5ghh-2f97 CVE-2023-49083 MODERATE about 2 years ago
### Summary Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. ### PoC...
pypi
26 Dependabot PRs (8% merged)
Apache Superset - Elevation of Privilege
GHSA-f678-j579-4xf5 CVE-2023-40610 HIGH about 2 years ago
### Overview An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator. ##...
pypi
No PRs yet
Apache Superset Allocation of Resources Without Limits or Throttling vulnerability
GHSA-3hp7-4qq4-v5c6 CVE-2023-42504 MODERATE about 2 years ago
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible deni...
pypi
No PRs yet
Apache Superset Exposure of Sensitive Information to an Unauthorized Actor vulnerability
GHSA-fgpw-4w69-j256 CVE-2023-42505 MODERATE about 2 years ago
An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection'...
pypi
No PRs yet
Apache Superset Open Redirect vulnerability
GHSA-hc74-9vjm-c9xv CVE-2023-42502 MODERATE about 2 years ago
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users ...
pypi
No PRs yet
Ray has arbitrary code execution via jobs submission API
GHSA-6wgj-66m2-xxp2 CVE-2023-48022 CRITICAL about 2 years ago
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irre...
pypi
No PRs yet