Skip to content
This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

Remediate CVEs reported by trivy #543

Open
creste opened this issue Oct 9, 2024 · 0 comments
Open

Remediate CVEs reported by trivy #543

creste opened this issue Oct 9, 2024 · 0 comments

Comments

@creste
Copy link

creste commented Oct 9, 2024

Trivy finds many vulnerable dependencies in this project. There are several dependabot pull requests that can be merged to resolve these trivy findings. Can you please merge the pull requests to upgrade the dependencies?

Here are the trivy findings:

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ Jinja2 (METADATA)     │ CVE-2024-34064 │ MEDIUM   │ fixed  │ 3.1.3             │ 3.1.4          │ jinja2: accepts keys containing non-attribute characters    │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34064                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ Werkzeug (METADATA)   │ CVE-2024-34069 │ HIGH     │        │ 3.0.1             │ 3.0.3          │ python-werkzeug: user may execute code on a developer's     │
│                       │                │          │        │                   │                │ machine                                                     │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34069                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ black (METADATA)      │ CVE-2024-21503 │ MEDIUM   │        │ 23.12.1           │ 24.3.0         │ psf/black: ReDoS via the lines_with_leading_tabs_expanded() │
│                       │                │          │        │                   │                │ function in strings.py file                                 │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-21503                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ idna (METADATA)       │ CVE-2024-3651  │ MEDIUM   │        │ 3.6               │ 3.7            │ python-idna: potential DoS via resource consumption via     │
│                       │                │          │        │                   │                │ specially crafted inputs to idna.encode()...                │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-3651                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ requests (METADATA)   │ CVE-2024-35195 │          │        │ 2.31.0            │ 2.32.0         │ requests: subsequent requests to the same host ignore cert  │
│                       │                │          │        │                   │                │ verification                                                │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-35195                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (METADATA)    │ CVE-2024-37891 │ MEDIUM   │        │ 2.1.0             │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped │
│                       │                │          │        │                   │                │ during cross-origin redirects                               │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-37891                  │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

Here are the pull requests that need to be merged:

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant