PyPi: Openapi-Core

CVE-2019-19844

Transitive

Safety vulnerability ID: 37894


Created at Dec 18, 2019 Updated at Sep 02, 2024

Advisory

Openapi-core 0.13.0 includes a fix for CVE-2019-19844. It also introduces security validation with an API Key and support for HTTP security types.
https://github.com/python-openapi/openapi-core/commit/745736b5c202ab9768bf4efb869934897d667647

Affected package

openapi-core

Latest version: 0.19.4

client-side and server-side support for the OpenAPI Specification v3

Affected versions

Fixed versions

Vulnerability changelog

openapi-core 0.13 is scheduled to be the last major version in the 0.x series.

Changelog
* Validation result datatypes (165)
* OpenAPI request/response factories introduction (166)
* Django OpenAPI request/response factories (167)
* Schema exceptions refactor (168)
* Operations fields (169)
* Validation schema errors iter fix (170)
* webob support (173)
* CVE-2019-19844 fix (182)
* Move Unmarshallers to separate subpackage (183)
* Flask OpenAPI view & decorator (177)
* Flask OpenAPI request parameters (185)
* Move casters to separate subpackage (184)
* Move schema validator to separate subpackage (186)
* Move unmarshal out of schema models (188)
* Deserialise models without schema fix (190)
* Move deserialize/cast out of schema models (191)
* Custom media type deserializers (192)
* Missing Info models (193)
* Free-form objects unmarshal (194)
* Security validation with API Key and HTTP security types support (195)
* Missing path model fields (196)
* OpenAPI request datatype refactor (197)
* readOnly and writeOnly support (152)

Backward incompatibility

* new datatype `RequestParameters`. This means `parameters` in `RequestValidationResult` is no longer of type `dict`, but you can still access the parameter types (path, query, header, cookie) like a dict.
* `validate_body`, `validate_parameters` and `validate_data` no longer accept `wrapper_class`, `request_wrapper_class` and `response_wrapper_class` keyword arguments. Use `request_factory` and `response_factory` instead.
* `openapi_core.wrappers.flask` module moved to `openapi_core.contrib.flask`
* `openapi_core.wrappers.mock` module moved to `openapi_core.testing.mock`
* validation is now part of the unmarshalling process
* `strict` parameter removed
* standardized formatting process with the `Formatter` class. Custom formatters should inherit from this class.
* unmarshalling process no longer raises `InvalidMediaTypeValue` and `InvalidParameterValue` exceptions
* casting process no longer raises `InvalidParameterValue` exception
* deserializing process no longer raises `InvalidMediaTypeValue` exception
* `OpenAPIRequest`'s `host_url` and `path_pattern` attributes replaced with `full_url_pattern` attribute

Resources


Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Impact (A)
HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
PARTIAL
Availability Impact (A)
NONE