Latest data: Tue Aug 15 08:03:55 UTC 2023

audits/azure-cli-requirements.audit.json

@@ -7,7 +7,7 @@
  },
  "vulnerabilities": [
  {
- "modified": "2023-08-08T19:18:12Z",
+ "modified": "2023-08-14T13:32:03Z",
  "published": "2023-07-25T14:43:53Z",
  "schema_version": "1.4.0",
  "id": "GHSA-xqr8-7jwr-rhp7",
@@ -121,6 +121,10 @@
  {
  "type": "WEB",
  "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/"
  }
  ],
  "database_specific": {

audits/esphome-requirements.audit.json

@@ -215,5 +215,148 @@
  ]
  }
  ]
+ },
+ {
+ "package": {
+ "name": "tornado",
+ "version": "6.3.2",
+ "ecosystem": "PyPI"
+ },
+ "vulnerabilities": [
+ {
+ "modified": "2023-08-14T21:48:29Z",
+ "published": "2023-08-14T21:34:17Z",
+ "schema_version": "1.4.0",
+ "id": "GHSA-qppv-j76h-2rpx",
+ "summary": "Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths",
+ "details": "## Summary\nTornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.\n\n## Details\nTornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations:\n### `tornado/http1connection.py:445`\n```python3\n self._expected_content_remaining = int(headers[\"Content-Length\"])\n```\n### `tornado/http1connection.py:621`\n```python3\n content_length = int(headers[\"Content-Length\"]) # type: Optional[int]\n```\n### `tornado/http1connection.py:671`\n```python3\n chunk_len = int(chunk_len_str.strip(), 16)\n```\nBecause `int(\"0_0\") == int(\"+0\") == int(\"-0\") == int(\"0\")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy. \n\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "tornado",
+ "purl": "pkg:pypi/tornado"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "6.3.3"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.2",
+ "1.0",
+ "1.1",
+ "1.1.1",
+ "1.2",
+ "1.2.1",
+ "2.0",
+ "2.1",
+ "2.1.1",
+ "2.2",
+ "2.2.1",
+ "2.3",
+ "2.4",
+ "2.4.1",
+ "3.0",
+ "3.0.1",
+ "3.0.2",
+ "3.1",
+ "3.1.1",
+ "3.2",
+ "3.2.1",
+ "3.2.2",
+ "4.0",
+ "4.0.1",
+ "4.0.2",
+ "4.1",
+ "4.1b2",
+ "4.2",
+ "4.2.1",
+ "4.2b1",
+ "4.3",
+ "4.3b1",
+ "4.3b2",
+ "4.4",
+ "4.4.1",
+ "4.4.2",
+ "4.4.3",
+ "4.4b1",
+ "4.5",
+ "4.5.1",
+ "4.5.2",
+ "4.5.3",
+ "4.5b1",
+ "4.5b2",
+ "5.0",
+ "5.0.1",
+ "5.0.2",
+ "5.0a1",
+ "5.0b1",
+ "5.1",
+ "5.1.1",
+ "5.1b1",
+ "6.0",
+ "6.0.1",
+ "6.0.2",
+ "6.0.3",
+ "6.0.4",
+ "6.0a1",
+ "6.0b1",
+ "6.1",
+ "6.1b1",
+ "6.1b2",
+ "6.2",
+ "6.2b1",
+ "6.2b2",
+ "6.3",
+ "6.3.1",
+ "6.3.2",
+ "6.3b1"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-qppv-j76h-2rpx/GHSA-qppv-j76h-2rpx.json"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/tornadoweb/tornado"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-444"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-08-14T21:34:17Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-qppv-j76h-2rpx"
+ ]
+ }
+ ]
  }
 ]

audits/jenkins-job-builder-requirements.audit.json

@@ -7,7 +7,7 @@
  },
  "vulnerabilities": [
  {
- "modified": "2023-08-08T19:18:12Z",
+ "modified": "2023-08-14T13:32:03Z",
  "published": "2023-07-25T14:43:53Z",
  "schema_version": "1.4.0",
  "id": "GHSA-xqr8-7jwr-rhp7",
@@ -121,6 +121,10 @@
  {
  "type": "WEB",
  "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/"
  }
  ],
  "database_specific": {

audits/mitmproxy-requirements.audit.json

@@ -0,0 +1,145 @@
+[
+ {
+ "package": {
+ "name": "tornado",
+ "version": "6.3.2",
+ "ecosystem": "PyPI"
+ },
+ "vulnerabilities": [
+ {
+ "modified": "2023-08-14T21:48:29Z",
+ "published": "2023-08-14T21:34:17Z",
+ "schema_version": "1.4.0",
+ "id": "GHSA-qppv-j76h-2rpx",
+ "summary": "Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths",
+ "details": "## Summary\nTornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.\n\n## Details\nTornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations:\n### `tornado/http1connection.py:445`\n```python3\n self._expected_content_remaining = int(headers[\"Content-Length\"])\n```\n### `tornado/http1connection.py:621`\n```python3\n content_length = int(headers[\"Content-Length\"]) # type: Optional[int]\n```\n### `tornado/http1connection.py:671`\n```python3\n chunk_len = int(chunk_len_str.strip(), 16)\n```\nBecause `int(\"0_0\") == int(\"+0\") == int(\"-0\") == int(\"0\")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy. \n\n",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "tornado",
+ "purl": "pkg:pypi/tornado"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "6.3.3"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.2",
+ "1.0",
+ "1.1",
+ "1.1.1",
+ "1.2",
+ "1.2.1",
+ "2.0",
+ "2.1",
+ "2.1.1",
+ "2.2",
+ "2.2.1",
+ "2.3",
+ "2.4",
+ "2.4.1",
+ "3.0",
+ "3.0.1",
+ "3.0.2",
+ "3.1",
+ "3.1.1",
+ "3.2",
+ "3.2.1",
+ "3.2.2",
+ "4.0",
+ "4.0.1",
+ "4.0.2",
+ "4.1",
+ "4.1b2",
+ "4.2",
+ "4.2.1",
+ "4.2b1",
+ "4.3",
+ "4.3b1",
+ "4.3b2",
+ "4.4",
+ "4.4.1",
+ "4.4.2",
+ "4.4.3",
+ "4.4b1",
+ "4.5",
+ "4.5.1",
+ "4.5.2",
+ "4.5.3",
+ "4.5b1",
+ "4.5b2",
+ "5.0",
+ "5.0.1",
+ "5.0.2",
+ "5.0a1",
+ "5.0b1",
+ "5.1",
+ "5.1.1",
+ "5.1b1",
+ "6.0",
+ "6.0.1",
+ "6.0.2",
+ "6.0.3",
+ "6.0.4",
+ "6.0a1",
+ "6.0b1",
+ "6.1",
+ "6.1b1",
+ "6.1b2",
+ "6.2",
+ "6.2b1",
+ "6.2b2",
+ "6.3",
+ "6.3.1",
+ "6.3.2",
+ "6.3b1"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-qppv-j76h-2rpx/GHSA-qppv-j76h-2rpx.json"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/tornadoweb/tornado"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-444"
+ ],
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-08-14T21:34:17Z",
+ "nvd_published_at": null,
+ "severity": "MODERATE"
+ }
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-qppv-j76h-2rpx"
+ ]
+ }
+ ]
+ }
+]