Vulnerability analysis in constraints.txt/versions.cfg - Plone 6.0.13 #4041

Open
claytonc opened this issue Oct 30, 2024 · 0 comments

@claytonc
Member

Vulnerability analysis of Plone 6.0.13 dependencies using Trivy.
https://dist.plone.org/release/6.0.13/constraints.txt

Total: 18 (UNKNOWN: 0, LOW: 1, MEDIUM: 8, HIGH: 8, CRITICAL: 1)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| Jinja2 | CVE-2024-22195 | MEDIUM | fixed | 3.1.2 | 3.1.3 | jinja2: HTML attribute injection when passing user input as keys to xmlattr... https://avd.aquasec.com/nvd/cve-2024-22195 |
| Jinja2 | CVE-2024-34064 | MEDIUM | fixed | 3.1.2 | 3.1.4 | jinja2: accepts keys containing non-attribute characters https://avd.aquasec.com/nvd/cve-2024-34064 |
| Pillow | CVE-2023-44271 | HIGH | fixed | 9.5.0 | 10.0.0 | python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on... https://avd.aquasec.com/nvd/cve-2023-44271 |
| Pillow | CVE-2023-4863 | HIGH | fixed | 9.5.0 | 10.0.1 | libwebp: Heap buffer overflow in WebP Codec https://avd.aquasec.com/nvd/cve-2023-4863 |
| Pillow | CVE-2023-50447 | HIGH | fixed | 9.5.0 | 10.2.0 | pillow: Arbitrary Code Execution via the environment parameter https://avd.aquasec.com/nvd/cve-2023-50447 |
| Pillow | GHSA-56pw-mpj4-fxww | HIGH | fixed | 9.5.0 | 10.0.1 | Bundled libwebp in Pillow vulnerable GHSA-56pw-mpj4-fxww |
| Pillow | CVE-2024-28219 | MEDIUM | fixed | 9.5.0 | 10.3.0 | python-pillow: buffer overflow in _imagingcms.c https://avd.aquasec.com/nvd/cve-2024-28219 |
| RestrictedPython | CVE-2024-47532 | HIGH | fixed | 7.1 | 7.3 | RestrictedPython is a restricted execution environment for Python to r ... https://avd.aquasec.com/nvd/cve-2024-47532 |
| WebOb | CVE-2024-42353 | MEDIUM | fixed | 1.8.7 | 1.8.8 | webob: WebOb's location header normalization during redirect leads to open redirect https://avd.aquasec.com/nvd/cve-2024-42353 |
| certifi | CVE-2024-39689 | LOW | fixed | 2024.2.2 | 2024.07.04 | python-certifi: Remove root certificates from GLOBALTRUST from the root store https://avd.aquasec.com/nvd/cve-2024-39689 |
| gunicorn | CVE-2024-1135 | HIGH | fixed | 21.2.0 | 22.0.0 | python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers https://avd.aquasec.com/nvd/cve-2024-1135 |
| idna | CVE-2024-3651 | MEDIUM | fixed | 3.4 | 3.7 | python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()... https://avd.aquasec.com/nvd/cve-2024-3651 |
| py | CVE-2022-42969 | HIGH | affected | 1.11.0 | | py: ReDoS in py library when used with subversion https://avd.aquasec.com/nvd/cve-2022-42969 |
| requests | CVE-2024-35195 | MEDIUM | fixed | 2.31.0 | 2.32.0 | requests: subsequent requests to the same host ignore cert verification https://avd.aquasec.com/nvd/cve-2024-35195 |
| urllib3 | CVE-2024-37891 | MEDIUM | fixed | 2.1.0 | 1.26.19, 2.2.2 | urllib3: proxy-authorization request header is not stripped during cross-origin redirects https://avd.aquasec.com/nvd/cve-2024-37891 |
| waitress | CVE-2024-49768 | CRITICAL | fixed | 2.1.2 | 3.0.1 | waitress: python-waitress: request processing race condition in HTTP pipelining with invalid first... https://avd.aquasec.com/nvd/cve-2024-49768 |
| waitress | CVE-2024-49769 | HIGH | fixed | 2.1.2 | 3.0.1 | waitress: Waitress has a denial of service leading to high CPU usage/resource... https://avd.aquasec.com/nvd/cve-2024-49769 |
| zipp | CVE-2024-5569 | MEDIUM | fixed | 3.17.0 | 3.19.1 | github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp... https://avd.aquasec.com/nvd/cve-2024-5569 |
@claytonc claytonc assigned ericof and unassigned ericof Oct 30, 2024