distcloud-client repo: security vulnerability found in requirement.txt

Bug #1862385 reported by Bin Qian
Affects: StarlingX | Status: Triaged | Importance: Low | Assigned to: Al Bailey | Milestone: (none listed)

Bug Description

security vulnerability found in requirement.txt

1 requests vulnerability found in distributedcloud-client/requirements.txt
Remediation
Upgrade requests to version 2.20.0 or later. For example:

requests>=2.20.0
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2018-18074
moderate severity
Vulnerable versions: <= 2.19.1
Patched version: 2.20.0
The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

2 SQLAlchemy vulnerabilities found in requirements.txt
Remediation
Upgrade SQLAlchemy to version 1.3.0 or later. For example:

SQLAlchemy>=1.3.0
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-7164
moderate severity
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

CVE-2019-7548
moderate severity
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
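
An added example, not part of the bug report or the distcloud-client project: a small audit that parses requirements.txt lines and flags any pin whose lower bound still admits a version inside the two vulnerable ranges quoted above (requests <= 2.19.1, SQLAlchemy < 1.3.0, pre-releases such as 1.3.0b2 included). The requirement lines in the sample are constructed for the demonstration and are not the project's actual file.

```python
import re

# Vulnerable ranges as the two advisories above state them. Versions are 4-tuples
# (major, minor, patch, final); final is 0 for a pre-release, so '1.3.0b2' < '1.3.0'.
ADVISORIES = {
    "requests": ("CVE-2018-18074", lambda v: v <= (2, 19, 1, 1)),
    "sqlalchemy": ("CVE-2019-7164 / CVE-2019-7548", lambda v: v < (1, 3, 0, 1)),
}
_VER = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)")
_SPEC = re.compile(r"\s*(==|~=|>=|<=|!=|>|<)\s*([0-9A-Za-z.]+)")
_NAME = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(.*)")

def parse_version(text):
    """'2.19.1' -> (2, 19, 1, 1); '1.3.0b2' -> (1, 3, 0, 0)."""
    m = _VER.match(text)
    if not m:
        return (0, 0, 0, 0)
    nums = tuple(int(g or 0) for g in m.groups()[:3])
    final = 0 if re.match(r"[.-]?(a|b|rc|dev)", m.group(4)) else 1
    return nums + (final,)

def lowest_installable(spec):
    """Lowest version a specifier admits; an unbounded spec ('' or '<1.3.0')
    resolves to (0, 0, 0, 0), meaning any release could be installed."""
    floors = [parse_version(v) for op, v in _SPEC.findall(spec)
              if op in ("==", "~=", ">=")]
    return max(floors) if floors else (0, 0, 0, 0)

def audit(requirements_text):
    """Return [(package, advisory, line)] for every requirement line whose
    lower bound still permits a version inside a vulnerable range."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _NAME.match(line)  # None for blank lines and options such as '-r'
        if not m:
            continue
        name, spec = m.groups()
        entry = ADVISORIES.get(name.lower())
        if entry and entry[1](lowest_installable(spec)):
            findings.append((name.lower(), entry[0], line))
    return findings

# Constructed sample lines (not the project's real requirements.txt): pins that
# still admit a vulnerable release, beside the pins the remediation recommends.
SAMPLE_BEFORE = "requests>=2.18.0\nSQLAlchemy<1.3.0  # upper bound only\nsix>=1.10.0\n"
SAMPLE_AFTER = "requests>=2.20.0\nSQLAlchemy>=1.3.0\nsix>=1.10.0\n"

if __name__ == "__main__":
    for pkg, cve, line in audit(SAMPLE_BEFORE):
        print(f"{cve}: '{line}' still admits a vulnerable {pkg} release")
    print("after remediation:", audit(SAMPLE_AFTER))
```

The check only uses the lower bound of each specifier, so a line with no `==`, `~=` or `>=` part is reported as unbounded rather than assumed safe.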

Ghada Khalil (gkhalil)
tags: added: stx.distcloud stx.security
Changed in starlingx:
importance: Undecided → Low
status: New → Triaged
assignee: nobody → Al Bailey (albailey1974)
Ghada Khalil (gkhalil) wrote:

Low priority - would be nice to fix, but not gating since this is not a real vulnerability.
For more details, see: https://bugs.launchpad.net/starlingx/+bug/1862384/comments/1
