PyPi: Confidant

CVE-2019-14806

Transitive

Safety vulnerability ID: 45043

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 09, 2019 Updated at Dec 10, 2024
Scan your Python projects for vulnerabilities →

Advisory

Confidant 5.0.0 updates its dependency 'werkzeug' to v0.15.6 to include a security fix.

Affected package

confidant

Latest version: 6.6.1

A secret management system and client.

Affected versions

Fixed versions

Vulnerability changelog

* This is a breaking release. This release slightly changes the values needed
for the ``AUTH_KEY``, ``USER_AUTH_KEY``, and ``KMS_MASTER_KEY`` settings.
The previous way these settings were set were to use the alias name, without
an ``alias/`` prefix. In this release we switched to using the kmsauth
library for kms authentication support, which supports aliases and ARNs for
keys, which means that for these three settings, it's necessary to add an
``alias/`` prefix to the value. So, for example, if your setting was
``my-auth-key``, the new value would be ``alias/my-auth-key``. Though this
change of behavior was limited to kmsauth, for consistency we also changed
``KMS_MASTER_KEY`` to use the same behavior. For all three settings, it's
also now possible to use ARNs as values, instead of just key aliases.
* confidant now supports python2 and python3.
* Requirements have been updated to resolve some reported security
vulnerabilities in a few of the frozen requirements. A library affecting
user sessions was upgraded which will cause users to be logged out after
upgrade, which means if you're doing a rolling upgrade, that during the
upgrade, you may have users that seemingly randomly get logged out. After
a finished upgrade, users should only be logged out once, if they're
currently logged in.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
NONE
Availability Availability (A)
NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
NONE
Availability Impact (A)
NONE