PyPI: Nemo

CVE-2020-36242

Transitive

Safety vulnerability ID: 40129

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 07, 2021. Updated at Nov 29, 2024.

Advisory

Nemo 3.8.0 updates its 'cryptography' dependency to v3.3.2 to include a security fix. CVE-2020-36242 is an integer overflow in cryptography before 3.3.2: certain sequences of update() calls when symmetrically encrypting multi-GB values could overflow and lead to a buffer overflow (as demonstrated with Fernet). NEMO is affected transitively, through the dependency it pins, not through a flaw in its own code, so the check is the installed cryptography version, not the NEMO version alone.

Affected package

nemo

Latest version: 6.0.3

NEMO is a laboratory logistics web application. Use it to schedule reservations, control tool access, track maintenance issues, and more.

Affected versions

Fixed versions

Vulnerability changelog

New Features
* Added list views for the Accounts, Projects and Users pages (thanks to [4D Labs](http://www.4dlabs.ca/) for the contribution)
* Supplies/Consumables withdrawal can now be done in bulk. A flat list is displayed and users can add supplies to their cart, and check out all the items at once.
* Added a way to bypass interlock errors on both desktop and kiosk. If there is an error with an interlock command, the user will now be able to:
  * enable anyway (so that time tracking can still take place - when staff can override interlocks manually)
  * try again
  * cancel

The "enable anyway" option can be turned on or off in customizations, and the error messages for both tool and door interlock failures can be customized as well.

Improvements
* Billing pages (billing and project billing) will now redirect to usage/project usage if the billing service is not defined or not available
* Added a notification message when post-usage questions are linked to consumables/supplies withdrawals, so that the user is aware that they are being billed for those.
* Added 11:59pm time option for access level exception (end of the day)
* Updated resources page so resizing would not mess with the layout
* Made required tool fields bold and capitalized in detailed admin for consistency

Bug Fix
* Fixed issue with upcoming reservation showing when delayed logoff is in effect (60)
* Fixed an error where creating a user would fail if the identity service was not defined
* Fixed an error where adding an access level exception with a blank start or end time would break (added validation)
* Added a locking mechanism to tool enable/disable and area login to prevent a race condition (enabling the same tool at the same time, through JS or a "double click")

Security
* Updated the dependency version of the cryptography library (due to a vulnerability in the previous version)

Resources


Severity Details

CVSS Base Score

CRITICAL 9.1

CVSS v3 Details

CRITICAL 9.1 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 6.4 (vector AV:N/AC:L/Au:N/C:P/I:N/A:P)
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL