PyPi: Nipyapi

CVE-2020-27783

Transitive

Safety vulnerability ID: 42904

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 03, 2020 Updated at Mar 25, 2025

Advisory

Nipyapi 0.16.2 updates its dependency 'lxml' minimum version to v4.6.2 to include a security fix.
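The advisory only says the fix is to raise the lxml floor, so the practical question for a deployment is whether the lxml actually installed next to nipyapi is at or above 4.6.2. The following check is an added example written for this page, not code from the nipyapi project. It uses only the standard library: `parse_version`, `version_at_least`, `assess` and `live_snapshot` are names chosen here, the thresholds 4.6.2 (lxml) and 0.16.2 (nipyapi) come from the advisory text, and the `sample` dictionary is constructed for illustration.

```python
"""Check an environment against the lxml >= 4.6.2 minimum that nipyapi
0.16.2 introduced (CVE-2020-27783).

Added example for this advisory page; not nipyapi project code.
Standard library only, so it runs in any Python 3.8+ environment.
"""
from importlib import metadata

LXML_FIXED = "4.6.2"      # minimum lxml version named in the advisory
NIPYAPI_FIXED = "0.16.2"  # first nipyapi release that requires it


def parse_version(v: str) -> tuple:
    """Turn '4.6.2' into (4, 6, 2) for tuple comparison.

    Each dotted segment keeps only its leading digits ('2rc1' -> 2); a
    segment with no digits counts as 0. Pre-release suffixes are ignored,
    which is adequate for comparing released versions against a floor.
    """
    parts = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed: str, minimum: str) -> bool:
    """True when installed >= minimum, padding so '4.6' compares as 4.6.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(installed: dict) -> dict:
    """Evaluate a mapping of package name -> version string.

    Returns:
      lxml_vulnerable  - lxml is present and older than the fixed version
      nipyapi_pins_fix - nipyapi is new enough that its own requirements
                         already demand the fixed lxml
      action           - short remediation hint for the operator
    """
    lxml_v = installed.get("lxml")
    nipy_v = installed.get("nipyapi")
    lxml_vulnerable = lxml_v is not None and not version_at_least(lxml_v, LXML_FIXED)
    pins_fix = nipy_v is not None and version_at_least(nipy_v, NIPYAPI_FIXED)
    if lxml_vulnerable:
        action = f"upgrade lxml to >= {LXML_FIXED} (nipyapi >= {NIPYAPI_FIXED} enforces this)"
    elif lxml_v is None:
        action = "lxml is not installed; nothing to do"
    else:
        action = "lxml is already at or above the fixed version"
    return {
        "lxml": lxml_v,
        "nipyapi": nipy_v,
        "lxml_vulnerable": lxml_vulnerable,
        "nipyapi_pins_fix": pins_fix,
        "action": action,
    }


def live_snapshot() -> dict:
    """Read the versions really installed in this interpreter (None if absent)."""
    out = {}
    for name in ("nipyapi", "lxml"):
        try:
            out[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            out[name] = None
    return out


if __name__ == "__main__":
    # Constructed sample: an older nipyapi that pulled in a pre-fix lxml.
    sample = {"nipyapi": "0.16.1", "lxml": "4.5.2"}
    print(assess(sample))
    # Then the environment this script is actually running in.
    print(assess(live_snapshot()))
```

Note that `nipyapi_pins_fix` only tells you the floor is declared in metadata; a manually downgraded or vendored lxml would still show as vulnerable, which is why the decision is made on the lxml version itself.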

Affected package

nipyapi

Latest version: 0.22.0

Nifi-Python-Api: A convenient Python wrapper for the Apache NiFi Rest API

Affected versions

Fixed versions

Vulnerability changelog

-------------------

NOTE: If you are using secured Registry, this release will enforce access controls for the swagger interface, which is used to determine which version of Registry is connected in order to correctly provide features. You may have to update your authorizations.

* Update requirements.txt to unpin future and lxml
* Update lxml to 4.6.2 or newer to resolve vulnerability
* Pin watchdog to <1.0.0 per their docs to maintain Python2.7 compatibility
* Revert 0.14.3 changes to Authentication handling which introduced basicAuth support but resulted in some NiFi connections appearing incorrectly as Anonymous
* Added simpler basicAuth control to force it via a config switch without changing tokenAuth and other Authorization header behavior during normal usage
* nipyapi.config.global_force_basic_auth is now available for use for this purpose
* Secured Registry users will now require the authorization policy to retrieve the swagger so we may use it to validate which version of Registry is in use for feature enablement
* Moved all Security controls in config.py to a common area at the foot of the file
* Removed auth_type from security.service_login as it is now redundant
* Added controls to handle certificate checking behavior, which has become more strict in recent versions of Python 3; ssl_verify and check_hostname are now handled
* security.set_service_auth_token now has an explicit flag for ssl host checking as well
* Fix oversight where improved model serialisation logic was not correctly applied to Registry
* Removed unused parameter refresh from parameters.update_parameter_context
* Reduced unnecessary complexity in utils.dump with no change in functionality
* Updated client gen mustache templates to reflect refactored security and api client code
* Minor linting and docstring and codestyle improvements
* Set pyUp to ignore Watchdog as it must stay between versions to satisfy py2 and py3 compatibility
* If Client is not instantiated, optimistically instantiate for version checking
* Add SOCKS proxy support

Resources


Severity Details

CVSS Base Score

MEDIUM 6.1

CVSS v3 Details

MEDIUM 6.1
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Impact (A): NONE

CVSS v2 Details

MEDIUM 4.3
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE