PyPi: Smqtk-Dataprovider

CVE-2021-33503

Transitive

Safety vulnerability ID: 52409

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 29, 2021 Updated at Nov 29, 2024
Scan your Python projects for vulnerabilities →

Advisory

Smqtk-dataprovider 0.17.0 updates its dependency 'urllib3' to v1.26.5 to include a security fix.

Affected package

smqtk-dataprovider

Latest version: 0.18.0

SMQTK Data provision abstractions and implementations

Affected versions

Fixed versions

Vulnerability changelog

=======
This minor release removes support for python version 3.6 which has since
reached EoL.


Updates / New Features
----------------------

CI

* Updated CI unittests workflow to include codecov reporting.
Reduced CodeCov report submission by skipping this step on scheduled runs.

* Update GitHub actions workflows with pinned python versions to use 3.7.

* Update code-cov action usage to use v3.

* Added properties file for use with SonarQube and SonarCloud.

* Added script and workflow to support release process as described in
smqtk-core shared document.

* Added explicit provision of codecov repository token to github action.

* Add testing for py3.11.

* Use modern numpy for python 3.8 and beyond.

Data Elements

* Memory

* Removed assertion that given data was specifically a bytes instance via
superfluous ``memoryview`` construction.

* PostgreSQL

* Removed outdated defaults for host and port.

* URL

* Removed injection of ``http`` on construction to the beginning of a given
URL if any schema was missing.

Dependencies

* Updated minimum required python version to 3.7 to follow python end of life.

* Updated development abstract dep versions to "*" since we do not currently
require any specific versions.

Documentation

* Updated CONTRIBUTING.md to reference smqtk-core's CONTRIBUTING.md file.

Fixes
-----

CI

* Modified CI unittests workflow to run for PRs targeting branches that match
the `release*` glob.

* Fixed new issues raised by updated version of ``mypy``.

Dependency Versions

* Updated the locked version of urllib3 to address a security vulnerability.

* Updated the developer dependency and locked version of ipython to address a
security vulnerability.

* Removed `jedi = "^0.17.2"` requirement since recent `ipython = "^7.17.3"`
update appropriately addresses the dependency.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
PARTIAL