This repository has been archived by the owner on Aug 5, 2020. It is now read-only.

Replaced vulnerable functions and outdated dependencies #273


bugrevelio

Potential vulnerability risks were detected in your dependencies and used functions.
Some vulnerabilities have been replaced by safe alternatives.

Vulnerable Functions

puid_map.py:143:76: pickle.load

  • Reason: Untrusted input can result in arbitrary code execution.
  • Severity: warning

xiaoi.py:66:15: hashlib.sha1

  • Reason: Attacks can find collisions in the full version of SHA-1.
  • Replacement: hashlib.sha512()
  • Severity: critical

xiaoi.py:68:15: hashlib.sha1

  • Reason: Attacks can find collisions in the full version of SHA-1.
  • Replacement: hashlib.sha512()
  • Severity: critical

xiaoi.py:71:20: hashlib.sha1

  • Reason: Attacks can find collisions in the full version of SHA-1.
  • Replacement: hashlib.sha512()
  • Severity: critical

Vulnerable Dependencies

Some versions of dependencies used in the project might pose security threats. Please make sure to inform users to use safe versions.

Dependency Vulnerable Versions Reason
setuptools <0.9.5 setuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.
setuptools <1.3 setuptools before 1.3 has a security vulnerability in SSL match_hostname check as reported in Python 17997.
setuptools <3.0 setuptools 3.0 avoids the potential security vulnerabilities presented by use of tar archives in ez_setup.py. It also leverages the security features added to ZipFile.extract in Python 2.7.4.
requests <2.3.0 requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. Fixes CVE-2014-1829 and CVE-2014-1830 respectively.
requests <2.6.0 requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.
requests >=2.1,<=2.5.3 The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

Source: Safety

Test Report

No tests found or tests could not be executed


This tool was developed as part of a Software Engineering course. The intention is to make project maintainers aware of potential vulnerabilities. If you have feedback then please reply to this pull-request. Thank you!

ZhiyuanChen pushed a commit to ZhiyuanChen/openwc that referenced this pull request Aug 25, 2019