This repository was archived by the owner on Nov 4, 2024. It is now read-only.
This repository was archived by the owner on Nov 4, 2024. It is now read-only.
Remediate CVEs reported by trivy #543
Open
Description
Trivy finds many vulnerable dependencies in this project. There are several dependabot pull requests that can be merged to resolve these trivy findings. Can you please merge the pull requests to upgrade the dependencies?
Here are the trivy findings:
┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ Jinja2 (METADATA) │ CVE-2024-34064 │ MEDIUM │ fixed │ 3.1.3 │ 3.1.4 │ jinja2: accepts keys containing non-attribute characters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34064 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ Werkzeug (METADATA) │ CVE-2024-34069 │ HIGH │ │ 3.0.1 │ 3.0.3 │ python-werkzeug: user may execute code on a developer's │
│ │ │ │ │ │ │ machine │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34069 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ black (METADATA) │ CVE-2024-21503 │ MEDIUM │ │ 23.12.1 │ 24.3.0 │ psf/black: ReDoS via the lines_with_leading_tabs_expanded() │
│ │ │ │ │ │ │ function in strings.py file │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-21503 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ idna (METADATA) │ CVE-2024-3651 │ MEDIUM │ │ 3.6 │ 3.7 │ python-idna: potential DoS via resource consumption via │
│ │ │ │ │ │ │ specially crafted inputs to idna.encode()... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-3651 │
├───────────────────────┼────────────────┤ │ ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ requests (METADATA) │ CVE-2024-35195 │ │ │ 2.31.0 │ 2.32.0 │ requests: subsequent requests to the same host ignore cert │
│ │ │ │ │ │ │ verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-35195 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (METADATA) │ CVE-2024-37891 │ MEDIUM │ │ 2.1.0 │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped │
│ │ │ │ │ │ │ during cross-origin redirects │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-37891 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
Here are the pull requests that need to be merged:
Metadata
Metadata
Assignees
Labels
No labels