An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617

External Control of File Name or Path in h2oai/h2o-3
GHSA-gqrq-j6pm-98c2 | CVE-2023-6569 | CRITICAL | pypi | almost 2 years ago | Dependabot PRs: none yet
Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is no...

Out of memory error when submitting the dataset form with a specially-crafted field
GHSA-7fgc-89cx-w8j5 | CVE-2023-50248 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: When submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a s...

Unauthenticated db-file-storage views
GHSA-75mc-3pjc-727q | CVE-2023-50263 | LOW | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: In Nautobot 1.x and 2.0.x, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files t...

Improper validation in meraki
GHSA-6x4h-9622-fqr6 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the ...

Improper Privilege Management in sap-xssec
GHSA-6mjg-37cp-42x5 | CVE-2023-50423 | CRITICAL | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: SAP BTP Security Services Integration Library ([Python] sap-xssec) allows under certain conditions an escalation of privileges. On succ...

Incorrect storage layout for contracts containing large arrays
GHSA-6m97-7527-mh74 | CVE-2023-46247 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: Contracts containing large arrays might underallocate the number of slots they need. Prior to v0.3.8, the calculation to determine how m...

Ansible template injection vulnerability
GHSA-7j69-qfc3-2fq9 | CVE-2023-5764 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from temp...

Path traversal in MLflow
GHSA-v945-r3rc-6fjm | CVE-2023-6753 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
Exposure of Sensitive Information in mltable
GHSA-m5pc-86x8-wcxg | CVE-2023-35625 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability

Jinja2 template injection in mlflow
GHSA-cxfr-5q3r-2rc2 | CVE-2023-6709 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

Improper Input Validation in mindsdb
GHSA-crhp-7c74-cg4c | CVE-2023-49796 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled `name` value, which is used in a ...

Server-Side Request Forgery in mindsdb
GHSA-34mr-6q8x-g9r6 | CVE-2023-49795 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled URL in the source variable and us...

Local Privilege Escalation in Windows
GHSA-9w2p-rh8c-v9g5 | CVE-2023-49797 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: A PyInstaller-built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the u...

dbt-core's secret env vars written to package-lock.json in plaintext
GHSA-j4g3-3q8x-jxqp | LOW | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with...

DockerSpawner allows any image by default
GHSA-hfgr-h3vc-p6c2 | CVE-2023-48311 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configurat...

Cross-site Scripting (XSS) in MLflow
GHSA-vwhf-3v6x-wff8 | CVE-2023-6568 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type h...
pubnub Insufficient Entropy vulnerability
GHSA-5844-q3fc-56rh | CVE-2023-26154 | MODERATE | cargo, go, maven +6 more | almost 2 years ago | Dependabot PRs: none yet
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versi...

PyDrive2's unsafe YAML deserialization in LoadSettingsFile allows arbitrary code execution
GHSA-v5f6-hjmf-9mc5 | CVE-2023-49297 | LOW | pypi | almost 2 years ago | Dependabot PRs: none yet
Summary: Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution ...

jupyter-server errors include tracebacks with path information
GHSA-h56g-gq9v-vc8r | CVE-2023-49080 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: 7 (57% merged)
Impact: Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by whic...

Information exposure in MLflow
GHSA-wqxf-447m-6f5f | CVE-2023-43472 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
An issue in MLflow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to the REST API.

Cookie leakage between different users in fastapi-proxy-lib
GHSA-7vwr-g6pm-9hc8 | HIGH | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: In the implementation of version `0.0.1`, requests from different user clients are processed using a shared `httpx.AsyncClient`. Howev...

Reflected XSS Vulnerability in dpaste
GHSA-r8j9-5cj7-cv39 | CVE-2023-49277 | MODERATE | pypi | almost 2 years ago | Dependabot PRs: none yet
Impact: A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This ...

cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
GHSA-jfhm-5ghh-2f97 | CVE-2023-49083 | MODERATE | pypi | about 2 years ago | Dependabot PRs: 26 (8% merged)
Summary: Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. PoC...
Apache Superset - Elevation of Privilege
GHSA-f678-j579-4xf5 | CVE-2023-40610 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
Overview: An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator. ...

Apache Superset Allocation of Resources Without Limits or Throttling vulnerability
GHSA-3hp7-4qq4-v5c6 | CVE-2023-42504 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible deni...

Apache Superset Exposure of Sensitive Information to an Unauthorized Actor vulnerability
GHSA-fgpw-4w69-j256 | CVE-2023-42505 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection'...

Apache Superset Open Redirect vulnerability
GHSA-hc74-9vjm-c9xv | CVE-2023-42502 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users ...

Ray has arbitrary code execution via jobs submission API
GHSA-6wgj-66m2-xxp2 | CVE-2023-48022 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irre...

aiohttp's ClientSession is vulnerable to CRLF injection via version
GHSA-q3qx-c6g2-7pw2 | CVE-2023-49081 | MODERATE | pypi | about 2 years ago | Dependabot PRs: 2
Summary: Improper validation makes it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP...

aiohttp's ClientSession is vulnerable to CRLF injection via method
GHSA-qvrw-v9rv-5rjx | CVE-2023-49082 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
Summary: Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP r...
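The two aiohttp CRLF entries above share one mechanism: the method and the version strings are interpolated into the request line, so a value containing "\r\n" terminates that line early and whatever follows is parsed as extra headers or as a second request. The following is an added example, not aiohttp's code: a naive request-line builder next to a hardened one that restricts the method to RFC 9110 token characters, the version to "digit.digit" and the request target to no CR or LF. The function names and the attacker-controlled strings are constructed for illustration; real aiohttp represents the version as a tuple, so the string form here is an assumption made to keep the example self-contained.

```python
import re

# RFC 9110 "token" characters: the only bytes legal in an HTTP method name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# HTTP-version is "HTTP/" DIGIT "." DIGIT; the caller supplies only the "1.1" part
# (assumption for this example; aiohttp itself uses a version tuple).
_VERSION_RE = re.compile(r"\d\.\d")


def build_request_line_unsafe(method: str, path: str, version: str) -> bytes:
    """Naive builder: whatever the caller passes lands verbatim on the wire."""
    return f"{method} {path} HTTP/{version}\r\n".encode("latin-1")


def build_request_line_safe(method: str, path: str, version: str) -> bytes:
    """Hardened builder: reject any component that could terminate the request line."""
    if not _TOKEN_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    if not _VERSION_RE.fullmatch(version):
        raise ValueError(f"invalid HTTP version: {version!r}")
    if "\r" in path or "\n" in path:
        raise ValueError("CR/LF in request target")
    return f"{method} {path} HTTP/{version}\r\n".encode("latin-1")


def request_lines(wire: bytes) -> list[bytes]:
    """Split the bytes the way a server will: one entry per CRLF-terminated line."""
    return wire.split(b"\r\n")[:-1]


def is_rejected(method: str, path: str, version: str) -> bool:
    """True if the hardened builder refuses this (method, path, version) triple."""
    try:
        build_request_line_safe(method, path, version)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker inputs: one injects a header via the version, the other
    # smuggles a complete second request via the method.
    via_version = "1.1\r\nX-Injected: 1"
    via_method = "GET / HTTP/1.1\r\nHost: attacker.example\r\n\r\nPOST"
    print(request_lines(build_request_line_unsafe("GET", "/", via_version)))
    print(request_lines(build_request_line_unsafe(via_method, "/", "1.1")))
    print(is_rejected("GET", "/", via_version), is_rejected(via_method, "/", "1.1"))
```

The hardened builder validates each component on its own rather than scanning the finished line, so the error names the field the caller got wrong; the same whitelist approach is what closes both CVE-2023-49081 and CVE-2023-49082, since the fix for one field does nothing for the other.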
aiohttp has vulnerable dependency that is vulnerable to request smuggling
GHSA-pjjw-qhg8-p2p9 | MODERATE | pypi | about 2 years ago | Dependabot PRs: 18
Summary: llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future...

Apache Superset has Incorrect Default Permissions
GHSA-vv65-fjfj-4736 | CVE-2023-42501 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue aff...

Apache Superset Cross-site Scripting vulnerability
GHSA-wq8q-99p5-xfrw | CVE-2023-43701 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code i...

Ethereum ABI decoder DoS when parsing ZST
GHSA-rqr8-pxh7-cq3g | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
With this notification I would like to inform about a DoS vector in the Ethereum ABI decoder. We have not yet found a way to exploit this with hig...

Cross-site Scripting potential in custom links, job buttons, and computed fields
GHSA-cf9f-wmhp-v4pr | CVE-2023-48705 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
Impact: All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected. Due to incorrect usage of Django's `mark_safe()` ...

SQL injection in Apache Submarine
GHSA-v5gj-fx3g-hcpw | CVE-2023-37924 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login. N...

Clear Text Credentials Exposed via Onboarding Task
GHSA-qf3c-rw9f-jh7v | CVE-2023-48700 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
Impact: When credentials are provided while creating an OnboardingTask they may be visible via the Job Results view under the Additional Data ta...

Download to arbitrary folder can lead to RCE
GHSA-h73m-pcfw-25h2 | CVE-2023-47890 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
Summary: A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. Details: When a user c...
Eval Injection in fastbots
GHSA-vccg-f4gp-45x9 | CVE-2023-48699 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
Impact: An attacker could modify the locators.ini locator file with Python code that, without proper validation, is executed and could lead t...

TorchServe ZipSlip
GHSA-m2mj-pr4f-h9jp | CVE-2023-48299 | MODERATE | pypi | about 2 years ago | Dependabot PRs: none yet
Impact: Using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extract...

upydev has weak encryption padding
GHSA-qc4j-hrj6-cppf | CVE-2023-48051 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
An issue in `/upydev/keygen.py` in upydev v0.4.3 allows attackers to decrypt sensitive information via weak encryption padding.

Deserialization of Untrusted Data in apache-submarine
GHSA-8hcr-5x2g-9f7j | CVE-2023-46302 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/deta...

Ibis PyArrow dependency allows arbitrary code execution when loading a malicious data file
GHSA-x563-6hqv-26mr | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
Impact: Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An a...

MLflow authentication requirement bypass can allow a user to arbitrarily create an account
GHSA-4qq5-mxxx-m6gg | CVE-2023-6014 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

Ray Missing Authorization vulnerability
GHSA-6cxr-8q3m-jwrr | CVE-2023-6020 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray m...

Remote Code Execution due to Fully Controlled File Write in mlflow
GHSA-5p3h-7fwh-92rc | CVE-2023-6018 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vul...

Ray Path Traversal vulnerability
GHSA-3pww-qvr8-6mhp | CVE-2023-6021 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray mai...

Cross-Site Request Forgery vulnerability in Prefect
GHSA-4hh5-2678-83fx | CVE-2023-6022 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
An attacker is able to steal secrets and potentially gain remote code execution via CSRF using a self-hosted, open source Prefect API.

PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption
GHSA-fxff-wxxv-c2jc | CVE-2023-48056 | HIGH | pypi | about 2 years ago | Dependabot PRs: none yet
PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclos...

MLflow allowed arbitrary files to be PUT onto the server
GHSA-f798-qm4r-23r5 | CVE-2023-6015 | CRITICAL | pypi | about 2 years ago | Dependabot PRs: none yet
MLflow allowed arbitrary files to be PUT onto the server.
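The TorchServe ZipSlip entry and the path-traversal and arbitrary-file-write entries on this page (MLflow's path traversal and PUT of arbitrary files, the mindsdb `name` value, Ray's log and /static/ endpoints, pyLoad's download folder, h2o-3's file path) have one root cause in common: a user-supplied file name or archive member name is joined onto a storage directory without confirming that the result still lies inside it. The following is an added example, not code from any of those projects. It shows a containment check built on `os.path.realpath` and `os.path.commonpath`, reused for both a download/upload path and for archive extraction. The directory names, the sample archive and the helper names are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def resolve_under_root(root: str, untrusted: str) -> str:
    """Join `untrusted` under `root` and return the resolved absolute path.
    Raises ValueError if the result escapes `root` via '..', an absolute path,
    or a symlink that points outside."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, untrusted))
    # commonpath is component-aware: it will not match "/data" against "/data2",
    # which a plain startswith() check would accept.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes storage root: {untrusted!r}")
    return candidate


def escapes_root(root: str, untrusted: str) -> bool:
    """Convenience predicate around resolve_under_root."""
    try:
        resolve_under_root(root, untrusted)
    except ValueError:
        return True
    return False


def extract_zip_safely(archive_bytes: bytes, dest: str) -> list[str]:
    """ZipSlip-resistant extraction. Every member name is validated before any
    byte is written, so a bad archive leaves the destination untouched."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = zf.infolist()
        # zipfile.infolist() returns member names verbatim; only ZipFile.extract()
        # sanitises them, and this code does not rely on that.
        targets = [resolve_under_root(dest, m.filename) for m in members]
        for info, target in zip(members, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_demo_archive(malicious: bool) -> bytes:
    """Constructed sample archive for this example (not a real model archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/config.json", '{"name": "demo"}')
        if malicious:
            zf.writestr("../../evil.sh", "echo pwned\n")  # classic ZipSlip member
    return buf.getvalue()


def demo() -> dict:
    """Exercise both checks in a scratch directory and report what happened."""
    results = {"rejected": [], "accepted": [], "zip_error": None, "zip_written": 0}
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "artifacts")
        os.makedirs(store)
        # Constructed download/upload names: two benign, two traversal attempts.
        for name in ("run1/metrics.txt", "sub/../run1/metrics.txt",
                     "../../../etc/passwd", "/etc/passwd"):
            bucket = "rejected" if escapes_root(store, name) else "accepted"
            results[bucket].append(name)
        models = os.path.join(tmp, "models")
        try:
            extract_zip_safely(build_demo_archive(malicious=True), models)
        except ValueError as exc:
            results["zip_error"] = str(exc)
        results["zip_written"] = len(extract_zip_safely(build_demo_archive(malicious=False), models))
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. First, `os.path.join` silently discards the root when the untrusted part is absolute, which is why the check is done on the resolved result rather than on the input string. Second, the archive is validated in full before anything is written; rejecting a member only when it is reached would already have placed earlier members on disk.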