Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,944
With Dependabot PRs: 1,823
Critical Severity: 3,527
High Severity: 8,665
Apache Superset Open Redirect vulnerability
GHSA-hc74-9vjm-c9xv CVE-2023-42502 MODERATE about 2 years ago
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users ...
pypi
No PRs yet
Ray has arbitrary code execution via jobs submission API
GHSA-6wgj-66m2-xxp2 CVE-2023-48022 CRITICAL about 2 years ago
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irre...
pypi
No PRs yet
aiohttp's ClientSession is vulnerable to CRLF injection via version
GHSA-q3qx-c6g2-7pw2 CVE-2023-49081 MODERATE about 2 years ago
### Summary
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP...
pypi
2 Dependabot PRs
aiohttp's ClientSession is vulnerable to CRLF injection via method
GHSA-qvrw-v9rv-5rjx CVE-2023-49082 MODERATE about 2 years ago
### Summary
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP r...
pypi
No PRs yet
aiohttp has vulnerable dependency that is vulnerable to request smuggling
GHSA-pjjw-qhg8-p2p9 MODERATE about 2 years ago
### Summary
llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities.
Details have not been disclosed yet, so refer to llhttp for future...
pypi
18 Dependabot PRs
Apache Superset has Incorrect Default Permissions
GHSA-vv65-fjfj-4736 CVE-2023-42501 MODERATE about 2 years ago
Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.
This issue aff...
pypi
No PRs yet
Apache Superset Cross-site Scripting vulnerability
GHSA-wq8q-99p5-xfrw CVE-2023-43701 MODERATE about 2 years ago
Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code i...
pypi
No PRs yet
Ethereum ABI decoder DoS when parsing ZST
GHSA-rqr8-pxh7-cq3g MODERATE about 2 years ago
With this notification I would like to inform about a DoS vector in the Ethereum ABI decoder.
We have not yet found a way to exploit this with hig...
pypi
No PRs yet
Cross-site Scripting potential in custom links, job buttons, and computed fields
GHSA-cf9f-wmhp-v4pr CVE-2023-48705 HIGH about 2 years ago
### Impact
All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected.
Due to incorrect usage of Django's `mark_safe()` ...
pypi
No PRs yet
SQL injection in Apache Submarine
GHSA-v5gj-fx3g-hcpw CVE-2023-37924 CRITICAL about 2 years ago
Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login.
N...
pypi
No PRs yet
Clear Text Credentials Exposed via Onboarding Task
GHSA-qf3c-rw9f-jh7v CVE-2023-48700 MODERATE about 2 years ago
### Impact
When credentials are provided while creating an OnboardingTask they may be visible via the Job Results view under the Additional Data ta...
pypi
No PRs yet
Download to arbitrary folder can lead to RCE
GHSA-h73m-pcfw-25h2 CVE-2023-47890 HIGH about 2 years ago
### Summary
A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts.
### Details
When a user c...
pypi
No PRs yet
Eval Injection in fastbots
GHSA-vccg-f4gp-45x9 CVE-2023-48699 HIGH about 2 years ago
### Impact
An attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead t...
pypi
No PRs yet
TorchServe ZipSlip
GHSA-m2mj-pr4f-h9jp CVE-2023-48299 MODERATE about 2 years ago
### Impact
Using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extract...
pypi
No PRs yet
upydev has weak encryption padding
GHSA-qc4j-hrj6-cppf CVE-2023-48051 HIGH about 2 years ago
An issue in `/upydev/keygen.py` in upydev v0.4.3 allows attackers to decrypt sensitive information via weak encryption padding.
pypi
No PRs yet
Deserialization of Untrusted Data in apache-submarine
GHSA-8hcr-5x2g-9f7j CVE-2023-46302 CRITICAL about 2 years ago
Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/deta...
pypi
No PRs yet
Ibis PyArrow dependency allows arbitrary code execution when loading a malicious data file
GHSA-x563-6hqv-26mr CRITICAL about 2 years ago
### Impact
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An a...
pypi
No PRs yet
MLflow authentication requirement bypass can allow a user to arbitrarily create an account
GHSA-4qq5-mxxx-m6gg CVE-2023-6014 CRITICAL about 2 years ago
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.
pypi
No PRs yet
Ray Missing Authorization vulnerability
GHSA-6cxr-8q3m-jwrr CVE-2023-6020 CRITICAL about 2 years ago
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray m...
pypi
No PRs yet
Remote Code Execution due to Full Controled File Write in mlflow
GHSA-5p3h-7fwh-92rc CVE-2023-6018 CRITICAL about 2 years ago
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vul...
pypi
No PRs yet
PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption
GHSA-fxff-wxxv-c2jc CVE-2023-48056 HIGH about 2 years ago
PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclos...
pypi
No PRs yet
Ray Path Traversal vulnerability
GHSA-3pww-qvr8-6mhp CVE-2023-6021 CRITICAL about 2 years ago
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray mai...
pypi
No PRs yet
MLflow allowed arbitrary files to be PUT onto the server
GHSA-f798-qm4r-23r5 CVE-2023-6015 CRITICAL about 2 years ago
MLflow allowed arbitrary files to be PUT onto the server.
pypi
No PRs yet
Cross-Site Request Forgery vulnerability in Prefect
GHSA-4hh5-2678-83fx CVE-2023-6022 HIGH about 2 years ago
An attacker is able to steal secrets and potentially gain remote code execution via CSRF using a self-hosted, open source Prefect API.
pypi
No PRs yet
Ray OS Command Injection vulnerability
GHSA-h3xg-wv58-5p43 CVE-2023-6019 CRITICAL about 2 years ago
A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard rem...
pypi
No PRs yet
HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack
GHSA-8r96-8889-qg2x CVE-2023-48052 HIGH about 2 years ago
Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-mi...
pypi
No PRs yet
Missing SSL certificate validation in localstack
GHSA-8633-g3ph-97rp CVE-2023-48054 HIGH about 2 years ago
Missing SSL certificate validation in localstack allows attackers to eavesdrop on communications between the host and server via a man-in-the-middl...
pypi
No PRs yet
Ethyca Fides Cryptographically Weak Generation of One-Time Codes for Identity Verification
GHSA-82vr-5769-6358 CVE-2023-48224 HIGH about 2 years ago
### Impact
The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web app...
pypi
No PRs yet
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
GHSA-3ch3-jhc6-5r8x CVE-2023-46121 MODERATE about 2 years ago
### Impact
The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the ...
pypi
1 Dependabot PR
Ansible galaxy-importer Path Traversal vulnerability
GHSA-55g2-vm3q-7w52 CVE-2023-5189 MODERATE about 2 years ago
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galax...
pypi
No PRs yet
vantage6-server node accepts non-whitelisted algorithms from malicious server
GHSA-vc3v-ppc7-v486 CVE-2023-47631 HIGH about 2 years ago
### Impact
A node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to...
pypi
No PRs yet
AIOHTTP has problems in HTTP parser (the python one, not llhttp)
GHSA-gfw2-4jvh-wgfg CVE-2023-47627 MODERATE about 2 years ago
# Summary
The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling.
This parser is only used whe...
pypi
18 Dependabot PRs
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
GHSA-xx9p-xxvh-7g8j CVE-2023-47641 LOW about 2 years ago
### Impact
Aiohttp has a security vulnerability regarding the inconsistent interpretation of the http protocol. As we know that HTTP/1.1 is persis...
pypi
No PRs yet
Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task
GHSA-6hjj-gq77-j4qw CVE-2023-47117 HIGH about 2 years ago
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack
GHSA-gw7g-qr8w-3448 CVE-2023-47163 HIGH about 2 years ago
Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML ...
pypi
No PRs yet
piccolo SQL Injection via named transaction savepoints
GHSA-xq59-7jf3-rjc6 CVE-2023-47128 CRITICAL about 2 years ago
### Summary
The handling of named transaction savepoints in all database implementations is vulnerable to [SQL Injection](https://owasp.org/www-com...
pypi
No PRs yet
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
GHSA-hm9r-7f84-25c9 CVE-2023-47037 MODERATE about 2 years ago
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG ru...
pypi
No PRs yet
Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
GHSA-r7x6-xfcm-3mxv CVE-2023-42781 HIGH about 2 years ago
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read inform...
pypi
No PRs yet
AsyncSSH Rogue Session Attack
GHSA-c35q-ffpf-5qpm CVE-2023-46446 HIGH about 2 years ago
### Summary
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/remo...
pypi
2 Dependabot PRs
esptool allows attackers to view sensitive information via weak cryptographic algorithm
GHSA-3f38-96qm-r3fw CVE-2023-46894 HIGH about 2 years ago
An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.
pypi
No PRs yet
AsyncSSH Rogue Extension Negotiation
GHSA-cfc2-wr2v-gxm5 CVE-2023-46445 MODERATE about 2 years ago
### Summary
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle att...
pypi
2 Dependabot PRs
Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
GHSA-f475-x83m-rx5m CVE-2023-43791 CRITICAL about 2 years ago
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
PyArrow: Arbitrary code execution when loading a malicious data file
GHSA-5wvp-7f3h-6wmm CVE-2023-47248 CRITICAL about 2 years ago
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application i...
pypi
No PRs yet
Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages
GHSA-3vpf-mcj7-5h38 CVE-2023-47114 MODERATE about 2 years ago
### Impact
The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data co...
pypi
No PRs yet
Django Denial-of-service in django.utils.text.Truncator
GHSA-h8gc-pgj2-vjm3 CVE-2023-43665 HIGH about 2 years ago
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with h...
pypi
12 Dependabot PRs (25% merged)
Pillow Denial of Service vulnerability
GHSA-8ghj-p4vj-mr35 CVE-2023-44271 HIGH about 2 years ago
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentiall...
pypi
No PRs yet
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
GHSA-7h4p-27mh-hmrw CVE-2023-41164 MODERATE about 2 years ago
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of s...
pypi
12 Dependabot PRs (25% merged)
transmute-core unsafe YAML deserialization vulnerability
GHSA-w9cp-3x79-2p8p CVE-2023-47204 CRITICAL about 2 years ago
Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.
pypi
No PRs yet
Django potential denial of service vulnerability in UsernameField on Windows
GHSA-qmf9-6jqf-j8fq CVE-2023-46695 HIGH about 2 years ago
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a conse...
pypi
58 Dependabot PRs (15% merged)
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
GHSA-wjcc-cq79-p63f CVE-2023-46250 MODERATE about 2 years ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process a...
pypi
No PRs yet