Product Research Enterprise Plans Docs

PyPi: Smqtk-Core

CVE-2021-33503

Transitive

Safety vulnerability ID: 52401

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 29, 2021 Updated at Nov 07, 2023

Scan your Python projects for vulnerabilities →

Advisory

Smqtk-core 0.18.2 updates its dependency 'urllib3' to v1.26.5 to include a security fix.

Affected package

smqtk-core

Latest version: 0.19.0

Python toolkit for pluggable algorithms and data structures for multimedia-based machine learning.

Affected versions

Fixed versions

Vulnerability changelog

=======
This patch release updates some aspects of the CI workflow and documentation,
notably the automated package publishing upon appropriate tag pushing.

Updates / New Features
----------------------

CI

* Reverted previous release automation due to unintended side-effects.
Created a revised publish action to more simply publish the package to pypi,
guarding against activating on fork of the repository.
This workflow has been made to be reusable by other repositories' workflows.

* Modified CI unittests workflow to run for PRs targeting branches that match
the `release*` glob.

* Added additional step in unittest workflow to install optional package
requirements.

* Reduced CodeCov report submission by skipping this step on scheduled runs.

Contribution Guide

* Added instructions to update pending release when making a contribution.

Documentation

* Updated release instructions to be clear on where to push created release
branches. This now includes instructions related to a ``release`` branch.

* Expanded top-level contributing document with more details.

Plugin

* Added a suggestion to fix `NotAModuleError`.

Miscellaneous

* Removed CODE_OF_CONDUCT file. This is not something that we can enforce
at this time so it will be removed.

* Added SMQTK-Descriptors to the ``README.md`` package list and graphic.

* Added script to help with updating versioning and updating changelog during
the release process.

* Updated README to include reference to the SMQTK-IQR package.

* Periodic update of pinned dependency versions in lock file.

* Added missing assert failure message to configuration test helper.

Fixes
-----

Dependency Versions

* Updated the locked version of urllib3 to address a security vulnerability.
Due to this being an implicit dependency, this change only affects those who
create development environments from this repo using `poetry`.

* Updated the developer dependency and locked version of ipython to address a
security vulnerability.

* Removed `jedi = "^0.17.2"` requirement since recent `ipython = "^7.17.3"`
update appropriately addresses the dependency.

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH

CVSS v2 Details

MEDIUM 5.0

Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL