PyPi: Evidently

CVE-2021-38296

Transitive

Safety vulnerability ID: 66739

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 10, 2022 Updated at Nov 19, 2024

Advisory

Evidently 0.4.17 upgrades its pyspark dependency to version 3.3.2 or later in response to CVE-2021-38296.
https://github.com/evidentlyai/evidently/pull/1013/commits/a4423bff8e8eab56306a2686d66a1a3e80d62755

Affected package

evidently

Latest version: 0.4.40

Open-source tools to analyze, monitor, and debug machine learning models in production.

Affected versions

Fixed versions

Vulnerability changelog

What's Changed
* List fields tags for filtering by mike0sv in https://github.com/evidentlyai/evidently/pull/1004
* Spark vulnerability by mike0sv in https://github.com/evidentlyai/evidently/pull/1013
* Update min dependencies by Liraim in https://github.com/evidentlyai/evidently/pull/1017
* UI: add types to dashboard by DimaAmega in https://github.com/evidentlyai/evidently/pull/1015
* Pin min version for certifi. by Liraim in https://github.com/evidentlyai/evidently/pull/1016
* Added Cloud Quickstart tutorial by elenasamuylova in https://github.com/evidentlyai/evidently/pull/1019
* UI: Better panels by DimaAmega in https://github.com/evidentlyai/evidently/pull/1022
* add data definition to snapshot by mike0sv in https://github.com/evidentlyai/evidently/pull/1020
* fix pd types for dataset summary metric by mike0sv in https://github.com/evidentlyai/evidently/pull/1025
* Update CONTRIBUTING.md with Python version and black configuration changes by c0t0ber in https://github.com/evidentlyai/evidently/pull/1011
* Fix issue in calculating NDCG when input data is smaller than K by oriol-guitart-edo in https://github.com/evidentlyai/evidently/pull/1007
* fix CONTRIBUTING.md: py 3.7 -> py 3.8 by emeli-dral in https://github.com/evidentlyai/evidently/pull/1026
* Feature/add new snapshot trigger and fix collector startup by c0t0ber in https://github.com/evidentlyai/evidently/pull/1014
* remove nbextension by DimaAmega in https://github.com/evidentlyai/evidently/pull/1027

New Contributors
* c0t0ber made their first contribution in https://github.com/evidentlyai/evidently/pull/1011
* oriol-guitart-edo made their first contribution in https://github.com/evidentlyai/evidently/pull/1007

**Full Changelog**: https://github.com/evidentlyai/evidently/compare/v0.4.16...v0.4.17

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): NONE
Availability Impact (A): NONE