PyPi: Pyramid-Fullauth

CVE-2019-7548

Transitive

Safety vulnerability ID: 52577

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 06, 2019 Updated at Oct 25, 2024
Scan your Python projects for vulnerabilities →

Advisory

Pyramid-fullauth 1.0.0 updates its dependency 'SQLAlchemy' to be at least version 1.3.0 to include security fixes.

Affected package

pyramid-fullauth

Latest version: 2.1.0

pyramid_fullauth provides full authentication / authorisation implementation for pyramid applications

Affected versions

Fixed versions

Vulnerability changelog

----------

- [packaging] use setup.cfg to define package metadata nad options
- [cleanup] blackify codebase
- [enhancement] move CI to github-actions
- [breaking] removed dependency on tzf.pyramid_yml and pymlconf. All configuration has to be handled within .ini file now.
- [enhancement] refactored route_predicates. Now user_path_hash can handle all user hashes.
- [enhancement] Changed default cookie session factory from `UnencryptedCookieSessionFactoryConfig` to `SignedCookieSessionFactory`.
- [enhancement] Use require_csrf instead of use_csrf view decorator predicate.
This raises now 400 http error instead of 401 in case of bad or no csrf token when required.
- [enhancement] Set default session serializer as JSONSerializer to comply with pyramid's 2.0 change
- [enhancement] Require minimum pyramid 1.10.
- [enhancement] properly lint code through pylint an fix found issues
- [security] Set minimum requirement for SQLAlchemy to be at least 1.3.0 to protect against
`CVE-2019-7164 <https://nvd.nist.gov/vuln/detail/CVE-2019-7164>`_ and
`CVE-2019-7548 <https://nvd.nist.gov/vuln/detail/CVE-2019-7548>`_

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.8

CVSS v3 Details

HIGH 7.8
Attack Vector (AV)
LOCAL
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Availability (A)
HIGH

CVSS v2 Details

MEDIUM 6.8
Access Vector (AV)
NETWORK
Access Complexity (AC)
MEDIUM
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
PARTIAL
Availability Impact (A)
PARTIAL