@afdesk
Created November 11, 2021 16:14
report-new.sarif
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Trivy",
"informationUri": "https://github.com/aquasecurity/trivy",
"fullName": "Trivy Vulnerability Scanner",
"version": "0.15.0",
"rules": [
{
"id": "CVE-2021-42771",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2021-42771"
},
"fullDescription": {
"text": "CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-42771",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-19844",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2019-19844"
},
"fullDescription": {
"text": "Django: crafted email address allows account takeover."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-19844",
"properties": {
"tags": [
"vulnerability",
"CRITICAL"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-7471",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-7471"
},
"fullDescription": {
"text": "django: potential SQL injection via StringAgg(delimiter)."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-7471",
"properties": {
"tags": [
"vulnerability",
"CRITICAL"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-6975",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2019-6975"
},
"fullDescription": {
"text": "python-django: memory exhaustion in django.utils.numberformat.format()."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-6975",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-9402",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-9402"
},
"fullDescription": {
"text": "django: potential SQL injection via \"tolerance\" parameter in GIS functions and aggregates on Oracle."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-9402",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-3498",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2019-3498"
},
"fullDescription": {
"text": "python-django: Content spoofing via URL path in default 404 page."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-3498",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-13254",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-13254"
},
"fullDescription": {
"text": "django: potential data leakage via malformed memcached keys."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-13254",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-13596",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-13596"
},
"fullDescription": {
"text": "django: possible XSS via admin ForeignKeyRawIdWidget."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-13596",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2021-33203",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2021-33203"
},
"fullDescription": {
"text": "django: Potential directory traversal via ``admindocs``."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-33203",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "pyup.io-37132",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "pyup.io-37132"
},
"fullDescription": {
"text": "In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2 <https://tools.ietf.org/html/rfc6454section-3.2>) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site.\r\n\r\nYou will need to update your whitelist to include schemes, for example from this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\n\r\nto this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"vulnerability",
"UNKNOWN"
],
"precision": "very-high"
}
},
{
"id": "pyup.io-42216",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "pyup.io-42216"
},
"fullDescription": {
"text": "Django-silk version 4.0.0 masks request headers to avoid auth information leaking.\r\nhttps://github.com/jazzband/django-silk/issues/375."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"vulnerability",
"UNKNOWN"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-25626",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-25626"
},
"fullDescription": {
"text": "django-rest-framework: XSS Vulnerability in API viewer."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-25626",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "pyup.io-40104",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "pyup.io-40104"
},
"fullDescription": {
"text": "Gunicorn 20.0.1 fixes chunked encoding support to prevent any request smuggling for security purposes."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"vulnerability",
"UNKNOWN"
],
"precision": "very-high"
}
},
{
"id": "pyup.io-40105",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "pyup.io-40105"
},
"fullDescription": {
"text": "Gunicorn 19.10.0 includes a security fix to prevent HTTP desync attack."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"vulnerability",
"UNKNOWN"
],
"precision": "very-high"
}
},
{
"id": "CVE-2021-21240",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2021-21240"
},
"fullDescription": {
"text": "python-httplib2: Regular expression denial of service via malicious header."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-21240",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-11078",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-11078"
},
"fullDescription": {
"text": "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-11078",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "pyup.io-38303",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "pyup.io-38303"
},
"fullDescription": {
"text": "Httplib2 0.18.0 is an important security update to patch a CWE-93 CRLF injection vulnerability which forces %xx quote of space, CR, LF characters in uri. See: <https://cwe.mitre.org/data/definitions/93.html>."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"vulnerability",
"UNKNOWN"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-28493",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-28493"
},
"fullDescription": {
"text": "python-jinja2: ReDoS vulnerability in the urlize filter."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-28493",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-29651",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-29651"
},
"fullDescription": {
"text": "python-py: ReDoS in the py.path.svnwc component via mailicious input to blame functionality."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-29651",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2021-20270",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2021-20270"
},
"fullDescription": {
"text": "python-pygments: Infinite loop in SML lexer may lead to DoS."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-20270",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2021-27291",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2021-27291"
},
"fullDescription": {
"text": "python-pygments: ReDoS in multiple lexers."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-27291",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-20477",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2019-20477"
},
"fullDescription": {
"text": "PyYAML: command execution through python/object/apply constructor in FullLoader."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-20477",
"properties": {
"tags": [
"vulnerability",
"CRITICAL"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-14343",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-14343"
},
"fullDescription": {
"text": "PyYAML: incomplete fix for CVE-2020-1747."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-14343",
"properties": {
"tags": [
"vulnerability",
"CRITICAL"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-1747",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-1747"
},
"fullDescription": {
"text": "PyYAML: arbitrary command execution through python/object/new when FullLoader is used."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-1747",
"properties": {
"tags": [
"vulnerability",
"CRITICAL"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-11324",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2019-11324"
},
"fullDescription": {
"text": "python-urllib3: Certification mishandle when error should be thrown."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-11324",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2021-33503",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2021-33503"
},
"fullDescription": {
"text": "python-urllib3: ReDoS in the parsing of authority part of URL."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-33503",
"properties": {
"tags": [
"vulnerability",
"HIGH"
],
"precision": "very-high"
}
},
{
"id": "CVE-2019-11236",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2019-11236"
},
"fullDescription": {
"text": "python-urllib3: CRLF injection due to not encoding the '\\r\\n' sequence leading to possible attack on internal service."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-11236",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
},
{
"id": "CVE-2020-26137",
"name": "Programming Language Vulnerability",
"shortDescription": {
"text": "CVE-2020-26137"
},
"fullDescription": {
"text": "python-urllib3: CRLF injection via HTTP request method."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-26137",
"properties": {
"tags": [
"vulnerability",
"MEDIUM"
],
"precision": "very-high"
}
}]
}
},
"results": [
{
"ruleId": "CVE-2021-42771",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-19844",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-7471",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-6975",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-9402",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-3498",
"ruleIndex": 5,
"level": "warning",
"message": {
"text": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-13254",
"ruleIndex": 6,
"level": "warning",
"message": {
"text": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-13596",
"ruleIndex": 7,
"level": "warning",
"message": {
"text": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-33203",
"ruleIndex": 8,
"level": "warning",
"message": {
"text": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-37132",
"ruleIndex": 9,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-42216",
"ruleIndex": 10,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-25626",
"ruleIndex": 11,
"level": "warning",
"message": {
"text": "A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-40104",
"ruleIndex": 12,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-40105",
"ruleIndex": 13,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-21240",
"ruleIndex": 14,
"level": "error",
"message": {
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-11078",
"ruleIndex": 15,
"level": "warning",
"message": {
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-38303",
"ruleIndex": 16,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-28493",
"ruleIndex": 17,
"level": "warning",
"message": {
"text": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-29651",
"ruleIndex": 18,
"level": "error",
"message": {
"text": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-20270",
"ruleIndex": 19,
"level": "error",
"message": {
"text": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-27291",
"ruleIndex": 20,
"level": "error",
"message": {
"text": "In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-20477",
"ruleIndex": 21,
"level": "error",
"message": {
"text": "PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-14343",
"ruleIndex": 22,
"level": "error",
"message": {
"text": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-1747",
"ruleIndex": 23,
"level": "error",
"message": {
"text": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-11324",
"ruleIndex": 24,
"level": "error",
"message": {
"text": "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-33503",
"ruleIndex": 25,
"level": "error",
"message": {
"text": "An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-11236",
"ruleIndex": 26,
"level": "warning",
"message": {
"text": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-26137",
"ruleIndex": 27,
"level": "warning",
"message": {
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir1/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-42771",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-19844",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-7471",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-6975",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-9402",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-3498",
"ruleIndex": 5,
"level": "warning",
"message": {
"text": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-13254",
"ruleIndex": 6,
"level": "warning",
"message": {
"text": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-13596",
"ruleIndex": 7,
"level": "warning",
"message": {
"text": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-33203",
"ruleIndex": 8,
"level": "warning",
"message": {
"text": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-37132",
"ruleIndex": 9,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-42216",
"ruleIndex": 10,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-25626",
"ruleIndex": 11,
"level": "warning",
"message": {
"text": "A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-40104",
"ruleIndex": 12,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-40105",
"ruleIndex": 13,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-21240",
"ruleIndex": 14,
"level": "error",
"message": {
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-11078",
"ruleIndex": 15,
"level": "warning",
"message": {
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "pyup.io-38303",
"ruleIndex": 16,
"level": "note",
"message": {
"text": "."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-28493",
"ruleIndex": 17,
"level": "warning",
"message": {
"text": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-29651",
"ruleIndex": 18,
"level": "error",
"message": {
"text": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-20270",
"ruleIndex": 19,
"level": "error",
"message": {
"text": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-27291",
"ruleIndex": 20,
"level": "error",
"message": {
"text": "In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-20477",
"ruleIndex": 21,
"level": "error",
"message": {
"text": "PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-14343",
"ruleIndex": 22,
"level": "error",
"message": {
"text": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-1747",
"ruleIndex": 23,
"level": "error",
"message": {
"text": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-11324",
"ruleIndex": 24,
"level": "error",
"message": {
"text": "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2021-33503",
"ruleIndex": 25,
"level": "error",
"message": {
"text": "An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2019-11236",
"ruleIndex": 26,
"level": "warning",
"message": {
"text": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
},
{
"ruleId": "CVE-2020-26137",
"ruleIndex": 27,
"level": "warning",
"message": {
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "dir2/Pipfile.lock",
"uriBaseId": "ROOTPATH"
}
}
}]
}],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "/"
}
}
}
]
}