markdown_it_py-2.1.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 3.3)
mend-bolt-for-github opened this issue
Vulnerable Library - markdown_it_py-2.1.0-py3-none-any.whl
Python port of markdown-it. Markdown parsing, done right!
Library home page: https://files.pythonhosted.org/packages/f9/3f/ecd1b708973b9a3e4574b43cffc1ce8eb98696da34f1a1c44a68c3c0d737/markdown_it_py-2.1.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Found in HEAD commit: 49939a7d3bf790c17e5165de2c4265f0082cc165
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (markdown_it_py version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-26303 | Low | 3.3 | markdown_it_py-2.1.0-py3-none-any.whl | Direct | 2.2.0 | ❌ |
| CVE-2023-26302 | Low | 3.3 | markdown_it_py-2.1.0-py3-none-any.whl | Direct | 2.2.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26303
Vulnerable Library - markdown_it_py-2.1.0-py3-none-any.whl
Python port of markdown-it. Markdown parsing, done right!
Library home page: https://files.pythonhosted.org/packages/f9/3f/ecd1b708973b9a3e4574b43cffc1ce8eb98696da34f1a1c44a68c3c0d737/markdown_it_py-2.1.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ markdown_it_py-2.1.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 49939a7d3bf790c17e5165de2c4265f0082cc165
Found in base branch: main
Vulnerability Details
Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input.
Publish Date: 2023-02-22
URL: CVE-2023-26303
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26303
Release Date: 2024-08-01
Fix Resolution: 2.2.0
CVE-2023-26302
Vulnerable Library - markdown_it_py-2.1.0-py3-none-any.whl
Python port of markdown-it. Markdown parsing, done right!
Library home page: https://files.pythonhosted.org/packages/f9/3f/ecd1b708973b9a3e4574b43cffc1ce8eb98696da34f1a1c44a68c3c0d737/markdown_it_py-2.1.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ markdown_it_py-2.1.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 49939a7d3bf790c17e5165de2c4265f0082cc165
Found in base branch: main
Vulnerability Details
Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input.
Publish Date: 2023-02-22
URL: CVE-2023-26302
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26302
Release Date: 2024-08-01
Fix Resolution: 2.2.0