An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

pyload Unauthenticated Flask Configuration Leakage vulnerability
GHSA-mqpq-2p68-46fv CVE-2024-21644 HIGH almost 2 years ago
Summary: Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. Details: Any...
pypi
No PRs yet
pyload Log Injection vulnerability
GHSA-ghmw-rwh8-6qmr CVE-2024-21645 MODERATE almost 2 years ago
Summary: A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messa...
pypi
No PRs yet
D-Tale server-side request forgery through Web uploads
GHSA-7hfx-h3j3-rwq4 CVE-2024-21642 HIGH almost 2 years ago
Impact: Users hosting D-Tale publicly can be vulnerable to server-side request forgery (SSRF) allowing attackers to access files on the server. ...
pypi
No PRs yet
PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption
GHSA-j225-cvw7-qrx7 CVE-2023-52323 HIGH almost 2 years ago
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.
pypi
78 Dependabot PRs (16% merged)
PaddlePaddle command injection in _wget_download
GHSA-rf7p-79xq-8xwm CVE-2023-52311 CRITICAL almost 2 years ago
PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating sy...
pypi
No PRs yet
PaddlePaddle stack overflow in paddle.searchsorted
GHSA-4rrv-8gcp-24v8 CVE-2023-52304 HIGH almost 2 years ago
Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.topk
GHSA-rx2r-q96c-w5cc CVE-2023-52305 MODERATE almost 2 years ago
FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle command injection in get_online_pass_interval
GHSA-j5h9-9r39-43q5 CVE-2023-52310 CRITICAL almost 2 years ago
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the op...
pypi
No PRs yet
PaddlePaddle command injection in convert_shape_compare
GHSA-3cr5-2446-8pg3 CVE-2023-52314 CRITICAL almost 2 years ago
PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the opera...
pypi
No PRs yet
PaddlePaddle stack overflow in paddle.linalg.lu_unpack
GHSA-g57v-2687-jx33 CVE-2023-52307 HIGH almost 2 years ago
Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
pypi
No PRs yet
PaddlePaddle heap buffer overflow in paddle.repeat_interleave
GHSA-8fp7-jwv2-49x9 CVE-2023-52309 HIGH almost 2 years ago
Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, o...
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.argmin and paddle.argmax
GHSA-275c-w5mq-v5m2 CVE-2023-52313 MODERATE almost 2 years ago
FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle nullptr dereference in paddle.crop
GHSA-qppw-c37g-xwcc CVE-2023-52312 MODERATE almost 2 years ago
Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.lerp
GHSA-rg9q-m8hv-xxr6 CVE-2023-52306 MODERATE almost 2 years ago
FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.amin
GHSA-v9pg-qw6x-w5r2 CVE-2023-52308 MODERATE almost 2 years ago
FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle segfault in paddle.dot
GHSA-x3q9-c788-j7c8 CVE-2023-38676 MODERATE almost 2 years ago
Nullptr in paddle.dot in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.linalg.eig
GHSA-c6ph-m8cw-rfqh CVE-2023-38677 MODERATE almost 2 years ago
FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle null pointer dereference in paddle.nextafter
GHSA-547m-23x7-cxg5 CVE-2023-52302 MODERATE almost 2 years ago
Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle segfault in paddle.put_along_axis
GHSA-2wcj-qr76-9768 CVE-2023-52303 MODERATE almost 2 years ago
Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.linalg.matrix_rank
GHSA-jm68-fpmr-8j2g CVE-2023-38675 MODERATE almost 2 years ago
FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle segfault in paddle.mode
GHSA-mr78-v55p-7777 CVE-2023-38678 MODERATE almost 2 years ago
OOB access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.nanmedian
GHSA-xjpw-hx47-rccv CVE-2023-38674 MODERATE almost 2 years ago
FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
Hail relies on OIDC email claims to verify the validity of a user's domain.
GHSA-487p-qx68-5vjw CVE-2023-51663 MODERATE almost 2 years ago
Impact: All Hail Batch clusters are affected. An attacker is able to: 1. Create one or more accounts with Hail Batch without corresponding rea...
pypi
No PRs yet
Ansible symlink attack vulnerability
GHSA-jpvw-p8pr-9g2x CVE-2023-5115 MODERATE almost 2 years ago
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and mak...
pypi
No PRs yet
DoS with algorithms that use PBKDF2 due to unbounded PBES2 Count value
GHSA-cw2r-4p82-qv79 CVE-2023-6681 MODERATE almost 2 years ago
Impact: Denial of Service, Applications that allow the use of the PBKDF2 algorithm. Patches: A [patch](https://github.com/latchset/jwcrypto/...
pypi
No PRs yet
Open redirect vulnerability in Flask-Security-Too
GHSA-672h-6x89-76m5 CVE-2023-49438 MODERATE almost 2 years ago
An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites ...
pypi
1 Dependabot PR
Nautobot missing object-level permissions enforcement when running Job Buttons
GHSA-vf5m-xrhm-v999 CVE-2023-51649 LOW almost 2 years ago
Impact: When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have pe...
pypi
No PRs yet
Gradio makes the `/file` secure against file traversal and server-side request forgery attacks
GHSA-6qm2-wpxq-7qh2 CVE-2023-51449 HIGH almost 2 years ago
Older versions of `gradio` contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacke...
pypi
No PRs yet
Apache Airflow Improper Access Control vulnerability
GHSA-5938-79hg-xh3q CVE-2023-50783 MODERATE almost 2 years ago
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to up...
pypi
No PRs yet
Apache Airflow Cross-Site Request Forgery vulnerability
GHSA-6m9r-7wrx-xmr6 CVE-2023-49920 MODERATE almost 2 years ago
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation....
pypi
No PRs yet
Apache Airflow has a stored cross-site scripting vulnerability
GHSA-pxch-wr7m-rwxj CVE-2023-47265 MODERATE almost 2 years ago
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascri...
pypi
No PRs yet
Apache Airflow vulnerable to Exposure of Resource to Wrong Sphere
GHSA-8f57-wcmg-4jmh CVE-2023-48291 MODERATE almost 2 years ago
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, t...
pypi
No PRs yet
transformers has a Deserialization of Untrusted Data vulnerability
GHSA-v68g-wm8c-6x7j CVE-2023-7018 HIGH almost 2 years ago
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
pypi
No PRs yet
MLflow Path Traversal Vulnerability
GHSA-wv8q-4f85-2p8p CVE-2023-6976 HIGH almost 2 years ago
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
pypi
No PRs yet
MLflow Local File Disclosure Vulnerability
GHSA-qg8p-32gr-gh6x CVE-2023-6977 HIGH almost 2 years ago
This vulnerability enables malicious users to read sensitive files on the server.
pypi
No PRs yet
MLflow Path Traversal Vulnerability
GHSA-5r3q-93q3-f978 CVE-2023-6909 HIGH almost 2 years ago
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
pypi
No PRs yet
MLflow Server-Side Request Forgery (SSRF)
GHSA-59v3-898r-qwhj CVE-2023-6974 CRITICAL almost 2 years ago
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (i.e. an AWS instance) it could be abused to get a remot...
pypi
No PRs yet
MLFlow Path Traversal Vulnerability
GHSA-hh8p-p8mp-gqhm CVE-2023-6975 CRITICAL almost 2 years ago
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
pypi
No PRs yet
Expired tokens can be renewed without validating the account password
GHSA-9wgg-m99q-hhfc HIGH almost 2 years ago
Impact: In versions of the proxy from `2022-09-05` onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credential...
pypi
No PRs yet
transformers has a Deserialization of Untrusted Data vulnerability
GHSA-3863-2447-669p CVE-2023-6730 CRITICAL almost 2 years ago
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.
pypi
No PRs yet
Apache Superset incorrect write permissions vulnerability
GHSA-g49j-j489-3xpf CVE-2023-49734 HIGH almost 2 years ago
An authenticated Gamma user has the ability to create a dashboard and add charts to it; this user would automatically become one of the owners of t...
pypi
No PRs yet
Apache Superset SQL injection vulnerability
GHSA-jfxj-xf67-x723 CVE-2023-49736 MODERATE almost 2 years ago
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache S...
pypi
No PRs yet
Apache Superset uncontrolled resource consumption
GHSA-95mg-jgfx-54v9 CVE-2023-46104 MODERATE almost 2 years ago
Uncontrolled resource consumption can be triggered by an authenticated attacker that uploads a malicious ZIP to import database, dashboards or dataset...
pypi
No PRs yet
mlflow Command Injection vulnerability
GHSA-hvc6-42vf-jhf8 CVE-2023-6940 HIGH almost 2 years ago
With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system.
pypi
No PRs yet
Maloja error page XSS vulnerability
GHSA-4h72-34j6-j8x7 MODERATE almost 2 years ago
Impact: The error page for a missing path echoes the path back to the user. If this contains HTML, an attacker could execute a script on the use...
pypi
No PRs yet
AsyncSSH vulnerable to Prefix Truncation Attack (a.k.a. Terrapin Attack) against ChaCha20-Poly1305 and Encrypt-then-MAC
GHSA-hfmc-7525-mj55 MODERATE almost 2 years ago
Summary: AsyncSSH v2.14.1 and earlier is vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-mid...
pypi
2 Dependabot PRs
User accounts disclosed to unauthenticated actors on the LAN
GHSA-jqpc-rc7g-vf83 CVE-2023-50715 MODERATE almost 2 years ago
Summary: The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. ...
pypi
No PRs yet
GitHub Security Lab (GHSL) Vulnerability Report: Arbitrary write GHSL-2023-182
GHSA-j8w6-2r9h-cxhj CVE-2023-50731 HIGH almost 2 years ago
Impact: Issue: Arbitrary file write in file.py (GHSL-2023-183) Patches: Use mindsdb staging branch or v23.11.4.1
pypi
No PRs yet
Path traversal in MLflow
GHSA-554w-xh4j-8w64 CVE-2023-6831 CRITICAL almost 2 years ago
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
pypi
No PRs yet
Gradio Exposure of Sensitive Information to an Unauthorized Actor vulnerability
GHSA-gqvf-3hgp-5hxv CVE-2023-6572 CRITICAL almost 2 years ago
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.
pypi
No PRs yet