
Potential buffer-overflow from string operations in function array_from_pyobj of fortranobject.c #19000

Closed
Daybreak2019 opened this issue May 13, 2021 · 7 comments · Fixed by #20630

Comments

@Daybreak2019

Reproducing code example:

Snippet:

    char mess[200];
    if ((intent & F2PY_INTENT_HIDE)
        || ((intent & F2PY_INTENT_CACHE) && (obj==Py_None))
        || ((intent & F2PY_OPTIONAL) && (obj==Py_None))
        ) {
        /* intent(cache), optional, intent(hide) */
        if (count_negative_dimensions(rank,dims) > 0) {
            int i;
            strcpy(mess, "failed to create intent(cache|hide)|optional array"
                   "-- must have defined dimensions but got (");
            /* ----> 91 chars copied into mess */
            for(i=0;i<rank;++i)
                sprintf(mess+strlen(mess),"%" NPY_INTP_FMT ",",dims[i]);
            /* ----> max of rank is F2PY_MAX_DIMS (40), and all values of dims could be -1.
               Given the format "%d," ("-1,"), the max length of this part could be
               40*3 = 120, and 120 + 91 > 200 */
            strcat(mess, ")");
            PyErr_SetString(PyExc_ValueError,mess);
            return NULL;
        }
        arr = (PyArrayObject *)
            PyArray_New(&PyArray_Type, rank, dims, type_num,
                        NULL,NULL,1,
                        !(intent&F2PY_INTENT_C),
                        NULL);
        if (arr==NULL) return NULL;
        if (!(intent & F2PY_INTENT_CACHE))
            PyArray_FILLWBYTE(arr, 0);
        return arr;
    }

Error message:

File: numpy/f2py/src/fortranobject.c
Function: array_from_pyobj (line 724 : 733)
Optional call-path: External -> fortran_setattr -> array_from_pyobj
Details in description

When we run our analysis tool on NumPy, a few inappropriate string operations are reported at the call sites of the functions strcpy, sprintf, and strcat in array_from_pyobj. There are no boundary checks at these points, although "mess" seems large enough to keep the operations safe except for the point shown above.
As a suggestion, it would be better to replace these functions with strncpy, strncat, and snprintf.

NumPy/Python version information:

the main branch of NumPy
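The arithmetic in the report (91-byte prefix, up to F2PY_MAX_DIMS = 40 dimensions of "-1," each, a 200-byte stack buffer) can be checked in a few lines of plain C. The block below is an added example, not code from NumPy, the reporter or the linked PR: it rebuilds the same message shape with stdio instead of NPY_INTP_FMT and the Python C API, computes the exact length the message needs, and shows two ways of producing it that cannot overrun the destination: a bounded writer that tracks remaining capacity and reports truncation in the snprintf convention, and a size-first heap writer in the spirit of the heap-assembly suggestion in the thread. All function names (message_length_needed, build_message_bounded, build_message_heap, self_check) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NumPy's code. MAX_DIMS and MESS_SIZE are the
 * F2PY_MAX_DIMS (40) and char mess[200] values quoted in the report. */
#define MAX_DIMS 40
#define MESS_SIZE 200

/* Same two string literals as in array_from_pyobj: 91 bytes. */
static const char PREFIX[] =
    "failed to create intent(cache|hide)|optional array"
    "-- must have defined dimensions but got (";

/* Exact number of bytes (excluding the NUL) the full message needs for
 * these dims. snprintf(NULL, 0, ...) measures each formatted dimension,
 * so the format string stays the single source of truth. */
size_t message_length_needed(int rank, const long *dims)
{
    size_t n = strlen(PREFIX);
    for (int i = 0; i < rank; ++i)
        n += (size_t)snprintf(NULL, 0, "%ld,", dims[i]);
    return n + 1; /* closing ')' */
}

/* Bounded writer: never writes past buf[cap-1], always NUL-terminates
 * when cap > 0, and returns the length the untruncated message would
 * have (snprintf convention), so a return value >= cap means truncation. */
size_t build_message_bounded(char *buf, size_t cap, int rank, const long *dims)
{
    size_t pos, avail;

    if (cap == 0)
        return message_length_needed(rank, dims);

    pos = (size_t)snprintf(buf, cap, "%s", PREFIX);
    for (int i = 0; i < rank; ++i) {
        /* Once pos reaches cap, pass NULL/0: snprintf then only measures. */
        avail = pos < cap ? cap - pos : 0;
        pos += (size_t)snprintf(avail ? buf + pos : NULL, avail, "%ld,", dims[i]);
    }
    avail = pos < cap ? cap - pos : 0;
    pos += (size_t)snprintf(avail ? buf + pos : NULL, avail, ")");
    return pos;
}

/* Heap writer: measure first, then format into an exactly sized buffer.
 * Caller frees the result. Returns NULL on allocation failure. */
char *build_message_heap(int rank, const long *dims)
{
    size_t need = message_length_needed(rank, dims);
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    build_message_bounded(buf, need + 1, rank, dims);
    return buf;
}

/* Worst case from the report: every one of the 40 dimensions is -1. */
size_t worst_case_length(void)
{
    long dims[MAX_DIMS];
    for (int i = 0; i < MAX_DIMS; ++i)
        dims[i] = -1;
    return message_length_needed(MAX_DIMS, dims);
}

/* Self-check: the worst case does not fit in 200 bytes, the bounded writer
 * truncates instead of overflowing (guard bytes around the buffer survive),
 * and the heap writer yields the complete text. Returns 1 on success. */
int self_check(void)
{
    struct { char lo[8]; char mess[MESS_SIZE]; char hi[8]; } s;
    long dims[MAX_DIMS];
    size_t need, got;
    char *heap;

    for (int i = 0; i < MAX_DIMS; ++i)
        dims[i] = -1;
    memset(&s, 'G', sizeof s);

    need = message_length_needed(MAX_DIMS, dims);
    if (need + 1 <= MESS_SIZE) return 0;              /* report's arithmetic */

    got = build_message_bounded(s.mess, MESS_SIZE, MAX_DIMS, dims);
    if (got != need) return 0;                        /* truncation reported */
    if (strlen(s.mess) != MESS_SIZE - 1) return 0;    /* full, NUL-terminated */
    for (int i = 0; i < 8; ++i)
        if (s.lo[i] != 'G' || s.hi[i] != 'G') return 0; /* no bytes escaped */

    heap = build_message_heap(MAX_DIMS, dims);
    if (heap == NULL || strlen(heap) != need) return 0;
    if (strcmp(heap + need - 4, "-1,)") != 0) return 0;
    free(heap);
    return 1;
}

int main(void)
{
    long dims[2] = { 3, -1 };                 /* constructed sample input */
    char *m = build_message_heap(2, dims);
    printf("worst case needs %zu bytes + NUL, buffer holds %d\n",
           worst_case_length(), MESS_SIZE);
    printf("%s\n", m ? m : "(allocation failed)");
    free(m);
    return self_check() ? 0 : 1;
}
```

The bounded writer is the drop-in shape for a fixed `char mess[200]`: the `pos`/`avail` bookkeeping is exactly what `strcpy`/`strcat`/`sprintf(mess+strlen(mess), ...)` omits, and the return value lets the caller notice that the message was cut. The heap writer trades that bookkeeping for one measuring pass, which is the simpler choice when the message is only ever handed to an error-reporting call.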

@Daybreak2019
Author

Can anyone help confirm this issue? Thanks.

@eric-wieser
Member

This report is almost certainly valid, but I suspect there are lower-hanging bugs in the f2py code. It's probably easier to assemble the strings on the heap using the Python C API than mess with keeping track of buffer lengths.

@melissawm melissawm added this to To do in f2py core via automation May 31, 2021
@melissawm
Member

Thanks @Daybreak2019 - string support in f2py is undergoing some changes, I'll include this in the things to check.

@HaoZeke HaoZeke self-assigned this Aug 26, 2021
@00xc

00xc commented Dec 20, 2021

Hi, any update on this issue? It was recently assigned CVE-2021-41496.

@seberg
Member

seberg commented Dec 20, 2021

I don't think the CVE text is quite correct. I do not see the "by carefully constructing an array with negative values" working (I guess "array" refers to the C array of dims); these are negative dimensions, though, and such an array should never exist; there would be far worse problems.

I would have to check closer, but I think that negative values are always placed there by f2py/the wrapping module itself. Users may be able to trigger the error (not quite sure how), but I do not think they can craft it or the message based on malicious data (the one exception is that there is a test function calling this more directly, but this is also not available by passing malicious data).

To be clear, this should be fixed and should be easy enough (contributions also welcome!). @melissawm, @HaoZeke, do you have a bit of time to just check this off? I still doubt there is much of an attack vector at all, unless you are wrapping very high-dimensional working arrays and additionally expose an API that allows "malicious data" to toggle whether or not the path is taken.

@WarrenWeckesser
Member

@seberg, I submitted a PR a few minutes ago: #20630

@seberg
Member

seberg commented Dec 20, 2021

Ah, that was quick, cool :). Not related to this, but we may want to replace all other sprintf's here with PyErr_Format or similar, since the f2py-cleanup drive is continuing.

charris added a commit that referenced this issue Dec 20, 2021
…uffer-overflow

BUG: f2py: Simplify creation of an exception message. Closes gh-19000.
f2py core automation moved this from To do to Done Dec 20, 2021
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 24 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.26.4    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 80 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | numpy                      | 1.18.3    | <1.21.0                  | 43453    |
  +==============================================================================+
  | Numpy 1.21.0 includes a fix for CVE-2021-33430: A Buffer Overflow            |
  | vulnerability exists in the PyArray_NewFromDescr_int function of ctors.c     |
  | when specifying arrays of large dimensions (over 32) from Python code, which |
  | could let a malicious user cause a Denial of Service.                        |
  | numpy/numpy@ae317fd |
  | 2e                                                                           |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.5.28 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+

```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 24 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.26.4    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 80 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | numpy                      | 1.18.3    | <1.21.0                  | 43453    |
  +==============================================================================+
  | Numpy 1.21.0 includes a fix for CVE-2021-33430: A Buffer Overflow            |
  | vulnerability exists in the PyArray_NewFromDescr_int function of ctors.c     |
  | when specifying arrays of large dimensions (over 32) from Python code, which |
  | could let a malicious user cause a Denial of Service.                        |
  | numpy/numpy@ae317fd |
  | 2e                                                                           |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.5.28 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+

```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 24 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.26.4    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 80 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | numpy                      | 1.18.3    | <1.21.0                  | 43453    |
  +==============================================================================+
  | Numpy 1.21.0 includes a fix for CVE-2021-33430: A Buffer Overflow            |
  | vulnerability exists in the PyArray_NewFromDescr_int function of ctors.c     |
  | when specifying arrays of large dimensions (over 32) from Python code, which |
  | could let a malicious user cause a Denial of Service.                        |
  | numpy/numpy@ae317fd |
  | 2e                                                                           |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.5.28 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+

```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 24 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.26.4    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                                                          |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 80 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | numpy                      | 1.18.3    | <1.21.0                  | 43453    |
  +==============================================================================+
  | Numpy 1.21.0 includes a fix for CVE-2021-33430: A Buffer Overflow            |
  | vulnerability exists in the PyArray_NewFromDescr_int function of ctors.c     |
  | when specifying arrays of large dimensions (over 32) from Python code, which |
  | could let a malicious user cause a Denial of Service.                        |
  | numpy/numpy@ae317fd                                                          |
  | 2e                                                                           |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                                            |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                                            |
  +==============================================================================+
  | numpy                      | 1.18.3    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                                            |
  +==============================================================================+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                                                          |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.5.28 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w                                                          |
  +==============================================================================+

```
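The CVE-2021-41496 row in the report above points back to the message-building code quoted at the top of this issue: a 200-byte `mess` buffer on the stack, a 91-character fixed prefix, and up to F2PY_MAX_DIMS (40) dimensions each printed as `-1,`. The C below is an added example, not NumPy's code and not the fix merged in #20630. It computes the length the unbounded `strcpy`/`sprintf`/`strcat` chain would produce for that worst case (without performing the overflow), and shows a bounded replacement that tracks the remaining room with `snprintf`, plus a helper that sizes a buffer that can never be exceeded for a given rank. `%ld` stands in for `NPY_INTP_FMT`; `MESS_SIZE`, `MAX_DIMS` and every function name here are this example's, not NumPy's.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Sizes as stated in the issue text: a 200-byte stack buffer and at most
 * F2PY_MAX_DIMS (40) dimensions. These macro names are this example's own,
 * not NumPy's. */
#define MESS_SIZE 200
#define MAX_DIMS  40

/* The 91-character prefix from the issue. */
static const char PREFIX[] =
    "failed to create intent(cache|hide)|optional array"
    "-- must have defined dimensions but got (";

/* Length (excluding the NUL) that the unbounded strcpy/sprintf/strcat chain
 * quoted in the issue would write for these dims. Measured with
 * snprintf(NULL, 0, ...), so nothing is written anywhere. */
size_t unbounded_message_len(int rank, const long *dims)
{
    size_t len = strlen(PREFIX);
    for (int i = 0; i < rank; ++i)
        len += (size_t)snprintf(NULL, 0, "%ld,", dims[i]);
    return len + 1; /* the closing ')' */
}

/* Hardened variant: every write is limited to the room left in buf, which
 * stays NUL-terminated. Returns the full message length (snprintf
 * semantics), so ret >= bufsz tells the caller the text was truncated. */
size_t bounded_message(char *buf, size_t bufsz, int rank, const long *dims)
{
    size_t pos = (size_t)snprintf(buf, bufsz, "%s", PREFIX);
    for (int i = 0; i < rank; ++i) {
        size_t room = pos < bufsz ? bufsz - pos : 0;
        pos += (size_t)snprintf(room ? buf + pos : NULL, room, "%ld,", dims[i]);
    }
    size_t room = pos < bufsz ? bufsz - pos : 0;
    pos += (size_t)snprintf(room ? buf + pos : NULL, room, ")");
    return pos;
}

/* Buffer size that can never be exceeded for a given rank: the prefix, the
 * widest possible "%ld," per dimension, the ')' and the NUL. */
size_t worst_case_buffer_size(int rank)
{
    size_t per_dim = (size_t)snprintf(NULL, 0, "%ld,", LONG_MIN);
    return strlen(PREFIX) + (size_t)rank * per_dim + 1 + 1;
}

/* The issue's worst case: rank MAX_DIMS with every dimension -1. */
size_t issue_worst_case_len(void)
{
    long dims[MAX_DIMS];
    for (int i = 0; i < MAX_DIMS; ++i)
        dims[i] = -1;
    return unbounded_message_len(MAX_DIMS, dims);
}

/* Run the hardened formatter on that worst case into a MESS_SIZE buffer.
 * Returns the strlen of what landed in the buffer, or (size_t)-1 if no NUL
 * was found inside it (which would mean an out-of-bounds write). */
size_t issue_worst_case_bounded_strlen(void)
{
    long dims[MAX_DIMS];
    char mess[MESS_SIZE];
    for (int i = 0; i < MAX_DIMS; ++i)
        dims[i] = -1;
    bounded_message(mess, sizeof mess, MAX_DIMS, dims);
    const char *nul = memchr(mess, '\0', sizeof mess);
    return nul ? (size_t)(nul - mess) : (size_t)-1;
}

/* A small, well-defined shape (rank 3, dims 2x3x4, constructed here) fits.
 * Returns the message length if the bounded formatter produced exactly the
 * text the original chain would (note the trailing comma before ')'),
 * otherwise 0. */
size_t small_case_len(void)
{
    const long dims[3] = {2, 3, 4};
    char mess[MESS_SIZE];
    size_t need = bounded_message(mess, sizeof mess, 3, dims);
    if (need >= sizeof mess) return 0;
    if (strncmp(mess, PREFIX, strlen(PREFIX)) != 0) return 0;
    if (strcmp(mess + strlen(PREFIX), "2,3,4,)") != 0) return 0;
    return need;
}

int main(void)
{
    printf("prefix length: %zu\n", strlen(PREFIX));
    printf("issue worst case needs %zu bytes plus NUL; buffer is %d\n",
           issue_worst_case_len(), MESS_SIZE);
    printf("bounded write kept strlen at %zu\n", issue_worst_case_bounded_strlen());
    printf("never-overflowing size for rank %d: %zu\n", MAX_DIMS,
           worst_case_buffer_size(MAX_DIMS));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. For the worst case the unbounded chain needs 212 characters plus the NUL, 213 bytes into a 200-byte buffer, which is the 13-byte stack overrun the issue describes; the bounded variant stops at 199 characters and reports 212, so a caller that wants the full text can retry with a buffer of `worst_case_buffer_size(rank)` bytes instead of guessing a constant.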
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 2, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 3, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 24 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.26.4    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 80 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | numpy                      | 1.18.3    | <1.21.0                  | 43453    |
  +==============================================================================+
  | Numpy 1.21.0 includes a fix for CVE-2021-33430: A Buffer Overflow            |
  | vulnerability exists in the PyArray_NewFromDescr_int function of ctors.c     |
  | when specifying arrays of large dimensions (over 32) from Python code, which |
  | could let a malicious user cause a Denial of Service.                        |
  | numpy/numpy@ae317fd |
  | 2e                                                                           |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.18.3    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.5.28 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+

```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 3, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                                                          |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                                                    |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                                                    |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w                                                          |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w                                                          |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                                            |
  +==============================================================================+
```
7 participants