El Alto MultiCloud Security/Vulnerability Report
This table lists the vulnerabilities reported by dependency scanning in third-party packages used by the project, with the project's assessment of whether each is exploitable (effective) or not (ineffective) in this code base and the reason for that verdict.
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
multicloud-azure | Django | CVE-2016-9013 | Ineffective | False Positive, Oracle DB is not used | Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. The Django package is vulnerable to Improper Authentication due to a hard-coded password. The _test_database_passwd() method in creation.py assigns a hard-coded default password to the test user when no password is specified in the TEST dictionary of the database settings. A remote attacker with access to the local network can exploit this by connecting to the database server with the username and password created while running the test suite and performing unauthorized operations such as reading or deleting data. Note: this only occurs when the tests are run against an Oracle server, and the temporary user only remains on the server if the suite is run with the --keepdb option. Reference: https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ | |
multicloud-azure | Django | CVE-2019-14234 | Ineffective | False Positive, no API of this service exposes SQL queries | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection, for example via crafted query parameter keys passed to QuerySet.filter(). | |
multicloud-azure | Django | N/A | Ineffective | False Positive, the jQuery bundled with Django's admin is not used since the service has no UI | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions allow an untrusted object to extend Object.prototype. An attacker can add or modify prototype properties of JavaScript objects and potentially leverage those changes to crash the application or execute remote code. | |
multicloud-azure | Django | CVE-2016-9014 | Ineffective | False Positive, only affects settings.DEBUG = True; DEBUG must be False in deployment | Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. The get_host() method in request.py accepts any Host header without validating it against settings.ALLOWED_HOSTS when settings.DEBUG is True. An attacker could use DNS rebinding to reach a development server from a victim's browser, “which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance”. | |
multicloud-azure | Django | CVE-2016-7401 | Ineffective | False Positive, the consumers of this service are other ONAP components rather than browsers, so cookies and CSRF are not involved | The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. The parse_cookie() function in cookie.py accepts arbitrary cookies without properly parsing them. A remote unauthenticated attacker can exploit this by crafting a malicious URI that causes arbitrary cookies to be set and enticing a victim to click it, thereby bypassing the CSRF protection mechanism. | |
multicloud-azure | Django | CVE-2019-14232 | Ineffective | False Positive, django.utils.text.Truncator's chars() and words() methods are not used | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | |
multicloud-azure | Django | CVE-2019-14233 | Ineffective | False Positive, django.utils.html.strip_tags is not used | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | |
multicloud-azure | Django | CVE-2019-14235 | Ineffective | False Positive, django.utils.encoding.uri_to_iri is not used | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | |
multicloud-azure | Django | CVE-2019-6975 | Ineffective | False Positive, django.utils.numberformat.format() is not used | Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. The Django package is vulnerable to Denial of Service (DoS) due to Uncontrolled Memory Consumption. The format() function in numberformat.py formats a user-supplied number without properly handling a value with many decimal digits. An attacker can exploit this by sending a decimal number with a very large number of decimal digits, which exhausts memory and causes a Denial of Service condition. | |
multicloud-azure | Django | CVE-2016-6186 | Ineffective | False Positive, contrib/admin/static/admin/js/admin/RelatedObjectLookups.js is not used | Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. Django is vulnerable to Cross-Site Scripting (XSS) because it renders unsafe content via Element.innerHTML. dismissChangeRelatedObjectPopup() in RelatedObjectLookups.js, and varToggle() and switchPastebinFriendly() in debug.py, render user-supplied text as HTML through the innerHTML DOM property. A remote attacker can exploit this by placing a malicious JavaScript payload in the name field, so that the script is stored in the database and executed by the browser of any user who views it. A proof of concept is available at: https://www.vulnerability-lab.com/get_content.php?id=1869 | |
multicloud-azure | Django | CVE-2017-12794 | Ineffective | False Positive, only affects DEBUG = True; DEBUG must be False in deployment | In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. Django is vulnerable to Cross-Site Scripting (XSS): debug.py allows arbitrary JavaScript execution when DEBUG mode is enabled. A remote attacker could exploit this with a specially crafted URL to execute a script in a victim's browser within the security context of the hosting site. The application is only exposed if it runs with DEBUG enabled. | |
multicloud-azure | Django | CVE-2017-7233 | Ineffective | False Positive, django.utils.http.is_safe_url() is not used | Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. Django is vulnerable to Improper Input Validation. The is_safe_url() function in the http.py file does not properly validate URLs passed to it, as it marks invalid numeric URLs incorrectly. A malicious user could potentially execute an open redirect or XSS attack against functionality that relies on this function to validate user input. | |
multicloud-azure | Django | CVE-2017-7234 | Ineffective | False Positive, django.views.static.serve() is not used. | A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability. | |
multicloud-azure | Django | CVE-2018-14574 | Ineffective | False Positive | django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. The get_full_path_with_slash() function in common.py and the _reverse_with_prefix() function in resolvers.py build redirect URLs without ensuring that the redirect stays on the site's own domain; with APPEND_SLASH enabled, a request for a path beginning with // can therefore be redirected to an attacker-chosen host. An attacker can exploit this by creating a link that appears to point to the targeted application but actually redirects visitors to a malicious attacker-controlled domain. | |
multicloud-azure | Django | CVE-2019-3498 | Ineffective | False Positive | In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. The page_not_found() function in defaults.py renders the requested URL (request_path) into the 404 response without proper sanitization. A remote attacker can craft a URL containing malicious HTML and entice a victim into navigating to it, spoofing the contents of the seemingly legitimate 404 page as a stepping stone for further attacks. | |
multicloud-azure | Django | N/A | Ineffective | False Positive, jQuery is not used | The jQuery package is vulnerable to Cross-Site Scripting (XSS). The parseHTML() function in parseHTML.js and jquery.js allows JavaScript embedded in event attributes to execute immediately. An attacker can exploit this by injecting malicious HTML containing event handlers which, when rendered, executes arbitrary script. | |
multicloud-azure | Django | N/A | Ineffective | False Positive, JQuery is not used. | The jQuery library is vulnerable to Cross-Site Scripting (XSS) when no explicit data type is provided within an AJAX request. The ajaxSetup() method in script.js allows execution of responses from third-party origins by default. A remote attacker can exploit this vulnerability by sending a malicious response to an AJAX request, resulting in the execution of the Cross Origin response. | |
multicloud-azure | Django | N/A | Ineffective | False Positive | Django - Permissions, Privileges and Access Controls | |
multicloud-azure | Django | CVE-2018-7536 | Ineffective | False Positive, django.utils.html.urlize is not used. | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. The Django package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The trim_punctuation() function in the html.py file uses vulnerable regular expressions to parse email addresses. A remote attacker can exploit this vulnerability by crafting an input with an email address containing a very long sequence of repetitive characters to be parsed into a URI by Django. This can potentially consume available CPU resources, leading to a DoS situation. | |
multicloud-azure | Django | CVE-2018-7537 | Ineffective | False Positive, django.utils.text.Truncator's chars() and words() methods are not used. | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. The Django package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The _truncate_html() method in text.py uses a vulnerable regular expression while parsing the text passed to it by Truncator.chars() and Truncator.words(). A remote attacker can exploit this by supplying an input string containing a very long sequence of repetitive characters, consuming available CPU and leading to a DoS condition. | |
multicloud-azure | Django | CVE-2019-12781 | Ineffective | False Positive | An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. Django is vulnerable to Improperly Implemented Security Check for Standard. The scheme property of HttpRequest in request.py reports the proxy-to-Django scheme rather than the client's, so plain-HTTP client requests are not redirected to HTTPS in that deployment. An attacker can exploit this to observe or tamper with client traffic that should have been forced onto HTTPS, for example through a Man-in-the-Middle (MitM) attack. | |
multicloud-azure | Django | N/A | Ineffective | False Positive, django.utils.http.is_safe_url() is not used. | Django - django.utils.http.is_safe_url() crash on invalid IPv6 URLs | |
multicloud-azure | Django | N/A | Ineffective | False Positive, paginate_queryset is not used. | Django is vulnerable to Improper Error Handling. The paginate_queryset() function in the list.py file throws an uncaught UnicodeDecodeError if an InvalidPage error contains non-ASCII characters. A malicious user who is able to configure the InvalidPage message can exploit this vulnerability by setting it to contain a non-ASCII character. | |
multicloud-azure | requests | CVE-2018-18074 | Ineffective | False positive. | The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. The requests package is vulnerable to Information Disclosure. The resolve_redirects() function in the session.py file fails to strip the Authorization header from requests that redirect from https to http on the same host. A remote attacker can exploit this vulnerability by performing a Man-in-the-Middle (MitM) attack to capture this redirect request and exfiltrate plaintext credential information from an unsuspecting victim. | |
multicloud-azure | requests | CVE-2018-20060 | Ineffective | False positive. | urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. The urllib3 package is vulnerable to Information Exposure. The urlopen function in poolmanager.py redirects a request from the current host to another host if necessary. The function does not remove the Authorization HTTP header before redirecting the request. The Authorization header may contain credentials that should not be exposed to an untrusted host. The redirect may also be unencrypted, exposing a user's credentials to an attacker listening for the request. | |
multicloud-azure | requests | CVE-2019-11324 | Ineffective | False positive. | The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. The urllib3 package is vulnerable to Improper Certificate Validation. The ssl_wrap_socket function in ssl_.py loads system CA certificates even if a different set of CA certificates has been specified. This vulnerability results in connections succeeding when they should have been denied. | |
multicloud-azure | requests | CVE-2019-11236 | Ineffective | False positive. | In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. The urllib3 package is vulnerable to CRLF Injection. The parse_url() function in the url.py file does not properly escape Carriage Return and Line Feed (CRLF) characters when parsing URLs. A remote attacker with control of the requesting address parameter (request) can exploit this vulnerability with a maliciously crafted request containing CRLF characters within the query string. This will effectively give the attacker control of the response body, which may then be used to perform various other attacks. | |
multicloud-azure | requests | CVE-2019-9740 | Ineffective | False positive. | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. The urllib3 package is vulnerable to Response Splitting attacks. The parse_url() function in url.py fails to sanitize URL paths containing carriage return and linefeed (CRLF) characters. A remote attacker can exploit this behavior by submitting a crafted request containing CRLF characters that are propagated to the path parameter of the Url constructor which later forms a malformed HTTP response sent to a user. Attackers may leverage Response Splitting to inject HTTP response headers and control the body of the response. | |
multicloud-azure | djangorestframework | CVE-2018-14042 | Ineffective | False positive. | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The show() function in the tooltip.js file allows HTML and scripts in the data-container tooltip attribute values in the DOM elements without proper sanitization. This can be misused to cause XSS. | |
multicloud-azure | djangorestframework | CVE-2018-20676 | Ineffective | False positive. | In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The Tooltip.prototype.init() function in the tooltip.js file does not properly sanitize values for the data-viewport attribute, allowing for scripts/HTML. A remote attacker can exploit this by injecting malicious HTML/JavaScript in the data-viewport attribute of a tooltip that would then be executed upon hovering the mouse over the tooltip. | |
multicloud-azure | djangorestframework | CVE-2018-20677 | Ineffective | False positive. | In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The Affix() function in the affix.js file allows scripts/HTML data via the target attribute that is stored in DOM elements without properly being sanitized. A remote attacker can exploit this by injecting malicious HTML/JavaScript code in the target attribute of affix and entice a victim to click on it, triggering the XSS. | |
multicloud-azure | djangorestframework | CVE-2019-8331 | Ineffective | False positive. | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | |
multicloud-azure | djangorestframework | N/A | Ineffective | False positive. | NO INFORMATION | |
multicloud-azure | djangorestframework | N/A | Ineffective | False positive. | The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The data-target attribute in bootstrap.js interprets encoded HTML entities as standard HTML entities when data-target is based on user supplied input. A remote attacker can exploit this vulnerability by crafting input containing malicious JavaScript, and injecting it into a data-target attribute, which results in Cross-Site Scripting (XSS). | |
multicloud-azure | httplib2 | N/A | Ineffective | False positive. | The httplib2 package is vulnerable to Improper Validation of Certificate with Host Mismatch. The connect() function in the __init__.py file fails to properly validate hostnames of SSL certificates. An attacker can exploit this vulnerability by executing a Man-in-the-Middle (MitM) attack in order to intercept requests and provide a valid attacker-controlled certificate to the client. This allows the attacker to decrypt, read, and modify data in transit, thus effectively spoofing the vulnerable server. | |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
multicloud-framework-artifactbroker | com.fasterxml.jackson.core | N/A | Ineffective | False positive. The library is part of the sdcTosca parser, which is used as a library. The parser only runs on predefined objects and will not attempt to run on an object that was not validated. The parser is protected by the application using it, and the information supplied comes from the using application. There is no non-vulnerable version of this component. | Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. | N/A |
multicloud-framework-artifactbroker | com.fasterxml.jackson.core | CVE-2019-12086 | Ineffective | False Positive - we are not using any DurationDeserializer or InstantDeserializer. | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. The jackson-databind component contains an Insecure Deserialization Vulnerability. The validateSubType() function in the SubTypeValidator class allows untrusted input to be deserialized as a com.mysql.cj.jdbc.admin.MiniAdmin instance. A remote attacker can exploit this behavior by submitting a crafted JSON payload to a deserializing endpoint that uses jackson-databind. The attacker's deserialized Java object may then create a connection with an attacker controlled MySql server. When running a mysql-connector-java jar versioned 8.0.14 and earlier, the attacker's MySql server may read arbitrary files accessible by the vulnerable application when the connection is established. The application is vulnerable by using this component if a mysql-connector-java jar versioned 8.0.14 or lower is in the classpath while Default Typing is enabled. | |
multicloud-framework-artifactbroker | commons-codec | N/A | Ineffective | False Positive. It is not a direct dependency; it is pulled in via a third-party library dependency, and it does not harm artifactbroker in any way. | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | |
multicloud-framework-artifactbroker | org.eclipse.jetty | CVE-2019-10241 | Ineffective | False Positive. Jetty is merely a runtime container for artifactbroker, and it is not a direct dependency of artifactbroker. Thus, Jetty will not harm artifactbroker in any way. | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch the resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | |
multicloud-framework-artifactbroker | org.eclipse.jetty | CVE-2019-10247 CVE-2019-8331 | Ineffective | False Positive. Jetty is merely a runtime container for artifactbroker, and it is not a direct dependency of artifactbroker. Thus, Jetty will not harm artifactbroker in any way. | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses, which will reveal the base resource path of each context. | |
multicloud-framework-artifactbroker | org.eclipse.jetty | CVE-2019-10246 | Ineffective | False Positive. Jetty is merely a runtime container for artifactbroker, and it is not a direct dependency of artifactbroker. Thus, Jetty will not harm artifactbroker in any way. | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. | |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
multicloud-framework-multivimbroker | Django | CVE-2019-14234 | Ineffective | postgres (django.contrib.postgres.fields.JSONField) is not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. | |
multicloud-framework-multivimbroker | Django | N/A | Ineffective | multicloud services expose API responses only; MIME is not used at all | The Django package is vulnerable to Cross-Site Scripting (XSS). The global_settings.py file sets the SECURE_CONTENT_TYPE_NOSNIFF security header to False by default, allowing browsers to sniff the content types of assets being fetched from a server. A remote attacker who can place input in a non-executable MIME type can exploit this behavior to trick a victim's browser into rendering the response as an executable MIME type with arbitrary content. | |
multicloud-framework-multivimbroker | Django | N/A | Ineffective | MultiCloud services have been designed to be a mediation layer; hence they do not authenticate clients, which should be the responsibility of consumers of MultiCloud services. | Django - Cross-Site Request Forgery (CSRF) Project: https://docs.djangoproject.com/en/dev/releases/3.0/#security | |
multicloud-framework-multivimbroker | Django | N/A | Ineffective | MultiCloud services have been designed to be a mediation layer; hence they do not authenticate clients, which should be the responsibility of consumers of MultiCloud services. | The Django package is vulnerable to Clickjacking. The global_settings.py file and the get_xframe_options_value function in clickjacking.py by default allowed the site to be framed by the same origin. An attacker who is able to generate content on the same origin as the vulnerable site could use this to social engineer users into interacting with functionality unintentionally. | |
multicloud-framework-multivimbroker | Django | CVE-2019-14232 | Ineffective | django.utils.text.Truncator is not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | |
multicloud-framework-multivimbroker | Django | CVE-2019-14233 | Ineffective | HTMLParser, django.utils.html.strip_tags are not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | |
multicloud-framework-multivimbroker | Django | CVE-2019-14235 | Ineffective | django.utils.encoding.uri_to_iri is not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | |
multicloud-framework-multivimbroker | djangorestframework | CVE-2019-8331 | Ineffective | bootstrap is not used, hence false positive | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. | |
multicloud-framework-multivimbroker | djangorestframework | CVE-2019-11358 | Ineffective | jquery is not used, hence false positive | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | |
multicloud-framework-multivimbroker | Django | N/A | Ineffective | qunit.js is not used, hence false positive | The qunit package is vulnerable to Cross-Site Scripting (XSS). The |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
multicloud-openstack | Django | CVE-2019-14234 | Ineffective | postgres (django.contrib.postgres.fields.JSONField) is not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. | |
multicloud-openstack | Django | N/A | Ineffective | jquery is not used, hence false positive | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | |
multicloud-openstack | Django | CVE-2019-14232 | Ineffective | django.utils.text.Truncator is not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | |
multicloud-openstack | Django | CVE-2019-14233 | Ineffective | HTMLParser, django.utils.html.strip_tags are not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | |
multicloud-openstack | Django | CVE-2019-14235 | Ineffective | django.utils.encoding.uri_to_iri is not used, hence false positive | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | |
multicloud-openstack | djangorestframework | CVE-2019-8331 | Ineffective | bootstrap is not used, hence false positive | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. | |
multicloud-openstack | httplib2 | N/A | Ineffective | httplib2.connect is not used, hence false positive | The httplib2 package is vulnerable to Improper Validation of Certificate with Host Mismatch. The connect() function in the __init__.py file fails to properly validate hostnames of SSL certificates. An attacker can exploit this vulnerability by executing a Man-in-the-Middle (MitM) attack in order to intercept requests and provide a valid attacker-controlled certificate to the client. This allows the attacker to decrypt, read, and modify data in transit, thus effectively spoofing the vulnerable server. | |
multicloud-openstack | Django | N/A | Ineffective | qunit.js is not used, hence false positive | The qunit package is vulnerable to Cross-Site Scripting (XSS). The | |

Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
multicloud-openstack-vmware | Django | N/A | Ineffective | MultiCloud services expose API responses; MIME is not used at all | The Django package is vulnerable to Cross-Site Scripting (XSS). The global_settings.py file sets the SECURE_CONTENT_TYPE_NOSNIFF security header to False by default, allowing browsers to sniff the content types of assets being fetched from a server. A remote attacker who can place input in a non-executable MIME type can exploit this behavior to trick a victim's browser into rendering the response as an executable MIME type with arbitrary content. | |
multicloud-openstack-vmware | Django | N/A | Ineffective | MultiCloud services have been designed to be a mediation layer, hence they do not authenticate clients; that is the responsibility of consumers of MultiCloud services. | Django - Cross-Site Request Forgery (CSRF) Project: https://docs.djangoproject.com/en/dev/releases/3.0/#security | |
multicloud-openstack-vmware | Django | N/A | Ineffective | MultiCloud services have been designed to be a mediation layer, hence they do not authenticate clients; that is the responsibility of consumers of MultiCloud services. | The Django package is vulnerable to Clickjacking. The global_settings.py file and the get_xframe_options_value function in clickjacking.py by default allowed the site to be framed by the same origin. An attacker who is able to generate content on the same origin as the vulnerable site could use this to social engineer users into interacting with functionality unintentionally. | |
multicloud-openstack-vmware | Django | N/A | Ineffective | qunit.js is not used, hence false positive | The qunit package is vulnerable to Cross-Site Scripting (XSS). The | |