Author: Paul Sommers
Course: SDEV245 - Secure Software Development
Assignment: Third-Party Vulnerability Scanning
Base Project: Module 4 - Secure Message Encryption
This assignment scans the Module 4 Secure Message Encryption project for third-party dependency vulnerabilities using pip-audit. The scan identified 8 security issues in two libraries the Flask application depends on: cryptography and Werkzeug.
```text
Module 6 - Assignment - 3rd Party Vulnerability/
├── app.py                    # Flask application (from Module 4)
├── requirements.txt          # Python dependencies
├── VULNERABILITY_REPORT.md   # Detailed vulnerability analysis
├── audit-results.json        # Raw pip-audit scan output
├── templates/                # Flask HTML templates
│   └── index.html
├── .gitignore
├── Dockerfile
├── docker-compose.yml
└── README.md                 # This file
```
This project covers the following:

- Project Selection
  - Used Module 4 Secure Message Encryption Flask application
  - Has requirements.txt dependency file
- Vulnerability Scan
  - Ran pip-audit on project dependencies
  - Found 8 vulnerabilities across 2 packages
- Documentation
  - Three main vulnerabilities documented in detail
  - Includes CVE identifiers, severity levels, affected versions
  - Impact analysis for each vulnerability
- Mitigation
  - Upgrade commands provided for fixing vulnerabilities
  - Code examples showing secure implementations
  - Long-term security best practices
- Report
  - Full vulnerability report in VULNERABILITY_REPORT.md
  - Includes executive summary and references
Current project dependencies (intentionally vulnerable for this assessment):

```text
Flask==3.0.0
cryptography==41.0.7   # 4 vulnerabilities
Werkzeug==3.0.1        # 4 vulnerabilities
```

- Total Vulnerabilities: 8
- Affected Packages: 2 (cryptography, Werkzeug)
- Severity: 6 High, 2 Medium
cryptography 41.0.7:
- CVE-2023-50782 - NULL pointer dereference in PKCS #12 parsing
- GHSA-h4gh-qq45-vh27 - Memory corruption in X.509 certificate handling
- CVE-2024-0727 - Cryptographic algorithm weakness
- PYSEC-2024-225 - Timing attack vulnerability

Werkzeug 3.0.1:
- CVE-2024-34069 - Path traversal vulnerability
- CVE-2024-49766 - Improper input validation
- CVE-2024-49767 - HTTP header injection
- CVE-2025-66221 - Denial of service
```bash
pip install pip-audit

# Basic scan
python -m pip_audit -r requirements.txt

# JSON output
python -m pip_audit -r requirements.txt --format json > audit-results.json
```

To resolve all identified vulnerabilities, update to these versions:

```text
# Updated requirements.txt
Flask>=3.0.0
cryptography>=43.0.1
Werkzeug>=3.1.4
```

```bash
# Install updates
pip install --upgrade -r requirements.txt

# Verify fixes
python -m pip_audit -r requirements.txt
```

See VULNERABILITY_REPORT.md for complete analysis including:
- Executive summary
- Detailed vulnerability analysis
- Technical specifications
- Impact assessments
- Mitigation strategies
- Risk evaluation
- References
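The JSON produced by the `--format json` scan above is what a CI step would consume. As an added example (not part of this project's code), the script below reads a report in the shape pip-audit emits (assumed here: a top-level `dependencies` list whose entries carry `name`, `version` and `vulns` with `id` and `fix_versions`), works out the lowest version that closes every finding for each package, emits the matching `>=` pins, and returns a non-zero exit code so the build fails while findings remain. The embedded sample report is constructed; its advisory IDs come from this README, but its fix versions are illustrative only.

```python
"""Summarise pip-audit --format json output and gate a CI step on it."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape pip-audit emits (assumed layout: top-level
# "dependencies", each with "name", "version" and "vulns" carrying "id" and
# "fix_versions"). IDs come from this README; fix versions are illustrative.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "flask", "version": "3.0.0", "vulns": []},
        {"name": "cryptography", "version": "41.0.7", "vulns": [
            {"id": "CVE-2023-50782", "fix_versions": ["42.0.0"]},
            {"id": "PYSEC-2024-225", "fix_versions": ["43.0.1"]},
        ]},
        {"name": "werkzeug", "version": "3.0.1", "vulns": [
            {"id": "CVE-2024-34069", "fix_versions": ["3.0.3"]},
            {"id": "CVE-2024-49767", "fix_versions": ["3.1.4"]},
        ]},
    ],
})

def parse_version(v: str) -> Tuple[int, ...]:
    """'43.0.1' -> (43, 0, 1); non-numeric parts count as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def summarise(report_json: str) -> Dict[str, dict]:
    """Per vulnerable package: installed version, advisory IDs and the lowest
    version that closes every finding (max over each finding's lowest fix)."""
    summary: Dict[str, dict] = {}
    for dep in json.loads(report_json)["dependencies"]:
        vulns = dep.get("vulns", [])
        if not vulns:
            continue  # clean package, nothing to report
        lowest_fix_per_finding = [min(v["fix_versions"], key=parse_version)
                                  for v in vulns if v.get("fix_versions")]
        target = max(lowest_fix_per_finding, key=parse_version) if lowest_fix_per_finding else None
        summary[dep["name"]] = {"installed": dep["version"],
                                "ids": [v["id"] for v in vulns],
                                "upgrade_to": target}
    return summary

def pin_lines(summary: Dict[str, dict]) -> List[str]:
    """requirements.txt lines that pin each vulnerable package at or above its fix."""
    return [f"{n}>={i['upgrade_to']}" for n, i in summary.items() if i["upgrade_to"]]

def ci_exit_code(summary: Dict[str, dict]) -> int:
    """Non-zero when any finding remains, so a pipeline step fails the build."""
    return 1 if summary else 0
```

Against a real scan, call `summarise(open("audit-results.json").read())` and pass the result to `ci_exit_code` as the step's exit status; a finding with no `fix_versions` still fails the gate but yields no pin line.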
- How to use pip-audit for Python dependency scanning
- Identifying and documenting CVEs
- Understanding security advisories
- Creating mitigation strategies
- Keeping dependencies updated
- Defense-in-depth security practices
- Dependency Management
  - Regular vulnerability scanning
  - Automated updates
  - Version pinning
- Defense in Depth
  - Input validation
  - Path sanitization
  - Error handling
- Monitoring
  - CI/CD integration
  - Security alerts
  - Regular audits
This vulnerability scan was performed on Module 4 Secure Message Encryption, which implements AES encryption/decryption through a Flask web interface.
https://github.com/psommers1/Module-6-Assignment-3rd-Party-Vulnerability
Paul Sommers
GitHub: @psommers1
Course: SDEV245 - Secure Software Development
Ivy Tech Community College
This project uses vulnerable package versions intentionally for educational purposes. Do not deploy these versions in production.
Always use the latest secure versions of all dependencies in production applications.
- pip-audit Documentation
- Python Security Response Team
- OWASP Dependency Check
- GitHub Security Advisories
- National Vulnerability Database
Last Updated: December 7, 2025