PyPi: Plotly

CVE-2020-7598

Transitive

Safety vulnerability ID: 47987

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 11, 2020 Updated at Nov 29, 2024

Advisory

Plotly 4.9.0 builds Javascript extensions using Node 12 with an updated 'package-lock.json' that has many fewer security warnings.

Affected package

plotly

Latest version: 5.24.1

An open-source, interactive data visualization library for Python

Affected versions

Fixed versions

Vulnerability changelog

Added

- Added image export support using [Kaleido](https://github.com/plotly/Kaleido). The image export backend can be configured using the new `engine` argument to `plotly.io.to_image` and `plotly.io.write_image`. The `engine` argument may be set to `"kaleido"`, `"orca"`, or `"auto"`. The default is `engine="auto"`, in which case the Kaleido backend is enabled if the `kaleido` package from PyPI is installed, otherwise Orca is used. ([#2613](https://github.com/plotly/plotly.py/pull/2613)).
- `plotly.express.timeline()` added as an official alternative to `plotly.figure_factories.create_gantt()` ([2626](https://github.com/plotly/plotly.py/pull/2626))
- `create_hexbin_mapbox()` added to Figure Factories, with thanks to [RenaudLN](https://github.com/RenaudLN) for the impressive contribution!
- `facet_row_spacing` and `facet_col_spacing` added to Plotly Express cartesian 2d functions ([2614](https://github.com/plotly/plotly.py/pull/2614))
- `base` added to Plotly Express `bar` and `bar_polar` functions ([2626](https://github.com/plotly/plotly.py/pull/2626))
- `px.NO_COLOR` constant to override wide-form color assignment in Plotly Express ([2614](https://github.com/plotly/plotly.py/pull/2614))

Fixed

- trendline traces are now of type `scattergl` when `render_mode="webgl"` in Plotly Express ([2614](https://github.com/plotly/plotly.py/pull/2614))
- regression from 4.8.1 whereby `"parent"` was not accepted as part of `path` for `px.sunburst()` and `px.treemap()` ([2640](https://github.com/plotly/plotly.py/pull/2640))
- `create_dendrogram()` figure factory now works correctly with `scipy` 1.5.1 ([2627](https://github.com/plotly/plotly.py/pull/2627))

Updated

- Updated Plotly.js to version 1.54.6. See the [plotly.js CHANGELOG](https://github.com/plotly/plotly.js/blob/v1.54.6/CHANGELOG.md) for more information.
- Added all cartesian-2d Plotly Express functions, plus `imshow`, to Pandas backend with `kind` option ([2541](https://github.com/plotly/plotly.py/pull/2541))
- `plotly.express.imshow` now uses data frame index and columns names and values to populate axis parameters by default ([2539](https://github.com/plotly/plotly.py/pull/2539))
- Javascript extensions are now built using Node 12, and have an updated `package-lock.json` with many fewer security warnings ([2636](https://github.com/plotly/plotly.py/pull/2636))

Resources


Severity Details

CVSS Base Score

MEDIUM 5.6

CVSS v3 Details

MEDIUM 5.6
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Impact (A): LOW

CVSS v2 Details

MEDIUM 6.8
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL