We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The dependencies pinned in requirements.txt contain multiple vulnerabilities, several of them critical. Please upgrade them ASAP.
$ trivy fs requirements.txt requirements.txt (pip) Total: 18 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 4) ┌──────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├──────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ Pillow │ CVE-2022-22817 │ CRITICAL │ fixed │ 9.0.0 │ 9.0.1 │ python-pillow: PIL.ImageMath.eval allows evaluation of │ │ │ │ │ │ │ │ arbitrary expressions │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22817 │ │ ├─────────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2022-24303 │ │ │ │ │ temporary directory with a space character allows removal of │ │ │ │ │ │ │ │ unrelated file after... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24303 │ │ ├─────────────────────┼──────────┤ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2022-45198 │ HIGH │ │ │ 9.2.0 │ Pillow before 9.2.0 performs Improper Handling of Highly │ │ │ │ │ │ │ │ Compressed GI ... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-45198 │ │ ├─────────────────────┤ │ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-44271 │ │ │ │ 10.0.0 │ python-pillow: uncontrolled resource consumption when │ │ │ │ │ │ │ │ textlength in an ImageDraw instance operates on... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-44271 │ │ ├─────────────────────┤ │ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-4863 │ │ │ │ 10.0.1 │ libwebp: Heap buffer overflow in WebP Codec │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4863 │ │ ├─────────────────────┤ │ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-50447 │ │ │ │ 10.2.0 │ pillow:Arbitrary Code Execution via the environment │ │ │ │ │ │ │ │ parameter │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-50447 │ │ ├─────────────────────┤ │ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ GHSA-56pw-mpj4-fxww │ │ │ │ 10.0.1 │ Bundled libwebp in Pillow vulnerable │ │ │ │ │ │ │ │ https://github.com/advisories/GHSA-56pw-mpj4-fxww │ ├──────────────┼─────────────────────┤ │ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ ipython │ CVE-2022-21699 │ │ │ 7.16.1 │ 5.11, 7.16.3, 7.31.1, 8.0.1 │ IPython (Interactive Python) is a command shell for │ │ │ │ │ │ │ │ interactive comput ... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-21699 │ │ ├─────────────────────┼──────────┤ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-24816 │ MEDIUM │ │ │ 8.10 │ IPython vulnerable to command injection via set_term_title │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24816 │ ├──────────────┼─────────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ jupyterlab │ CVE-2024-22421 │ HIGH │ │ 3.1.7 │ 4.0.11, 3.6.7 │ JupyterLab vulnerable to potential authentication and CSRF │ │ │ │ │ │ │ │ tokens leak │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-22421 │ ├──────────────┼─────────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ numpy │ CVE-2021-33430 │ MEDIUM │ │ 1.19.2 │ 1.21 │ numpy: buffer overflow in the PyArray_NewFromDescr_int() in │ │ │ │ │ │ │ │ ctors.c │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33430 │ │ ├─────────────────────┤ │ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2021-34141 │ │ │ │ 1.22 │ numpy: incomplete string comparison in the numpy.core │ │ │ │ │ │ │ │ component │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-34141 │ ├──────────────┼─────────────────────┤ │ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ scipy │ CVE-2023-25399 │ │ │ 1.6.2 │ 1.10.0 │ scipy: refcounting issue leads to potential memory leak │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-25399 │ ├──────────────┼─────────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ setuptools │ CVE-2022-40897 │ HIGH │ │ 59.6.0 │ 65.5.1 │ pypa-setuptools: Regular Expression Denial of Service │ │ │ │ │ │ │ │ (ReDoS) in package_index.py │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40897 │ ├──────────────┼─────────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ torch │ CVE-2022-45907 │ CRITICAL │ │ 1.10.2+cu113 │ 1.13.1 │ In PyTorch before trunk/89695, │ │ │ │ │ │ │ │ torch.jit.annotations.parse_type_line c ... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-45907 │ ├──────────────┼─────────────────────┤ │ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ transformers │ CVE-2023-6730 │ │ │ 4.12.5 │ 4.36.0 │ transformers has a Deserialization of Untrusted Data │ │ │ │ │ │ │ │ vulnerability │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-6730 │ │ ├─────────────────────┼──────────┤ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-7018 │ HIGH │ │ │ │ transformers has a Deserialization of Untrusted Data │ │ │ │ │ │ │ │ vulnerability │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-7018 │ │ ├─────────────────────┼──────────┤ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-2800 │ MEDIUM │ │ │ 4.30.0 │ transformers has Insecure Temporary File │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2800 │ └──────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘
The text was updated successfully, but these errors were encountered:
No branches or pull requests
The dependencies pinned in requirements.txt contain multiple vulnerabilities, several of them critical. Please upgrade them ASAP.
The text was updated successfully, but these errors were encountered: