PyPi: Confidant

CVE-2018-19787

Transitive

Safety vulnerability ID: 45040

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 02, 2018 Updated at Dec 03, 2024
Scan your Python projects for vulnerabilities →

Advisory

In confidant 5.0.0 updates its dependency 'lxml' to v4.4.1 to include security fixes.

Affected package

confidant

Latest version: 6.6.1

A secret management system and client.

Affected versions

Fixed versions

Vulnerability changelog

* This is a breaking release. This release slightly changes the values needed
for the ``AUTH_KEY``, ``USER_AUTH_KEY``, and ``KMS_MASTER_KEY`` settings.
The previous way these settings were set were to use the alias name, without
an ``alias/`` prefix. In this release we switched to using the kmsauth
library for kms authentication support, which supports aliases and ARNs for
keys, which means that for these three settings, it's necessary to add an
``alias/`` prefix to the value. So, for example, if your setting was
``my-auth-key``, the new value would be ``alias/my-auth-key``. Though this
change of behavior was limited to kmsauth, for consistency we also changed
``KMS_MASTER_KEY`` to use the same behavior. For all three settings, it's
also now possible to use ARNs as values, instead of just key aliases.
* confidant now supports python2 and python3.
* Requirements have been updated to resolve some reported security
vulnerabilities in a few of the frozen requirements. A library affecting
user sessions was upgraded which will cause users to be logged out after
upgrade, which means if you're doing a rolling upgrade, that during the
upgrade, you may have users that seemingly randomly get logged out. After
a finished upgrade, users should only be logged out once, if they're
currently logged in.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.1

CVSS v3 Details

MEDIUM 6.1
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
CHANGED
Confidentiality Impact (C)
LOW
Integrity Impact (I)
LOW
Availability Availability (A)
NONE

CVSS v2 Details

MEDIUM 4.3
Access Vector (AV)
NETWORK
Access Complexity (AC)
MEDIUM
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
PARTIAL
Availability Impact (A)
NONE