315 matches found
Fedora: Security Advisory (FEDORA-2024-2e802cdb4b)
The remote host is missing an update for the ... (Greenbone NASL script header follows: SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only) ...
[SECURITY] Fedora 38 Update: python-fastapi-0.99.0-7.fc38
FastAPI is a modern, fast (high-performance) web framework for building APIs with Python 3.7+ based on standard Python type hints. The key features are: - Fast: Very high performance, on par with NodeJS and Go (thanks to Starlette and Pydantic). One of the fastest Python...
[SECURITY] Fedora 39 Update: python-fastapi-0.103.0-10.fc39
FastAPI is a modern, fast (high-performance) web framework for building APIs with Python 3.7+ based on standard Python type hints. The key features are: - Fast: Very high performance, on par with NodeJS and Go (thanks to Starlette and Pydantic). One of the fastest Python...
Fedora 38 : python-fastapi / python-multipart (2024-09c7f715c9)
The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-09c7f715c9 advisory. python-multipart 0.0.7 2024-02-03 Refactor header option parser to use the standard library instead of a custom RegEx 75. Fixes a denial of service...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service due to [CVE-2023-24762]
Summary FastAPI is used by IBM App Connect Enterprise Certified Container for internal HTTP communications. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service. This bulletin provides patch information to addres...
Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities
Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...
Regular Expression Denial Of Service (ReDoS)
fastapi is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to the python-multipart dependency, which used a regular expression with inefficient (super-linear) matching complexity. An attacker can inject a malicious Content-Type header, which causes the application to hang while it...
Duplicate Advisory: FastAPI Content-Type Header ReDoS
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2jv5-9r88-3w3p. This link is maintained to preserve external references. Original Description Summary When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header,...
GHSA-93GM-QMQ6-W238 Duplicate Advisory: Starlette Content-Type Header ReDoS
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2jv5-9r88-3w3p. This link is maintained to preserve external references. Original Description Summary When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header,...
PYSEC-2024-38
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very...
CVE-2024-24762
CVE-2024-24762 affects python-multipart and describes a ReDoS in parsing the HTTP Content-Type header (options). An attacker can send a crafted Content-Type to exhaust CPU and stall the event loop. The vulnerability is fixed in version 0.0.7 by upstream patching the regex. Remediation is to upgra...
PT-2024-20540
Name of the Vulnerable Software and Affected Versions: python-multipart versions prior to 0.0.7; FastAPI version 0.109.0. Description: The vulnerability is a Regular Expression Denial of Service (ReDoS) in the python-multipart library, which is used by FastAPI to parse form data. An attacker...
GHSA-7VWR-G6PM-9HC8 Cookie leakage between different users in fastapi-proxy-lib
Impact In the implementation of version 0.0.1, requests from different user clients are processed using a shared httpx.AsyncClient. However, one oversight is that the httpx.AsyncClient will persistently store cookies based on the set-cookie response header sent by the target server and share thes...
PT-2023-32993 · Unknown · Fastapi-Proxy-Lib
Name of the Vulnerable Software and Affected Versions: fastapi-proxy-lib version 0.0.1 Description: The issue arises from the shared use of httpx.AsyncClient across different user clients, leading to the persistent storage of cookies based on the set-cookie response header. This results in a cook...
aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +1263 more potentially affected by CVE-2023-49083 via cryptography (>=3.1.0 <=41.0.5)
cryptography PYPI version =3.1.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =0.1.1, =0.4.7, =0.0.1, =0.1.1, =0.0.1, =1.77.3, =1.2.4, =0.0.3, =0.0.8 - aioasuswrt =1.3.3 and more Source cves: CVE-2023-49083 Source advisory: OSV:PYSEC-2023-254...
aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +1263 more potentially affected by CVE-2023-49083 via cryptography (>=3.1.0 <=41.0.5)
cryptography PYPI version =3.1.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =0.1.1, =0.4.7, =0.0.1, =0.1.1, =0.0.1, =1.77.3, =1.2.4, =0.0.3, =0.0.8 - aioasuswrt =1.3.3 and more Source cves: CVE-2023-49083 Source advisory: OSV:GHSA-JFHM-5GHH-2F97...
piccolo SQL Injection via named transaction savepoints
Summary: The handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection, as user-provided input is passed directly to connection.execute... via f-strings. Details: An excerpt of the Postgres savepoint handling (Python): async def savepoint(self, name:...