Product Research Enterprise Plans Docs

PyPi: Prefect

CVE-2021-41249

Transitive

Safety vulnerability ID: 42552

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 04, 2021 Updated at Nov 23, 2024

Scan your Python projects for vulnerabilities →

Advisory

Prefect 0.15.8 includes a Prefect Server update that bumps an upstream dependency to fix a security vulnerability. See CVE-2021-41249.

Affected package

prefect

Latest version: 3.1.4

Workflow orchestration and management.

Affected versions

Fixed versions

Vulnerability changelog

Released on November 10, 2021.

Features

- Add support for rich iCal style scheduling via RRules - [4901](https://github.com/PrefectHQ/prefect/pull/4901)
- Add Google Cloud Vertex agent and run configuration - [4989](https://github.com/PrefectHQ/prefect/pull/4989)

Enhancements

- Allow `Azure` flow storage to overwrite existing blobs - [5103](https://github.com/PrefectHQ/prefect/pull/5103)
- Provide option to specify a dockerignore when using Docker storage - [4980](https://github.com/PrefectHQ/prefect/pull/4980)
- Add keep-alive connections for kubernetes client API connections - [5066](https://github.com/PrefectHQ/prefect/pull/5066)
- Add `idempotency_key` to `create_flow_run` task - [5125](https://github.com/PrefectHQ/prefect/pull/5125)
- Add `raise_final_state` to `wait_for_flow_run` task to reflect child flow run state - [5129](https://github.com/PrefectHQ/prefect/pull/5129)

Task Library

- Bump maximum `google-cloud-bigquery` version to support 2.x - [5084](https://github.com/PrefectHQ/prefect/pull/5084)
- Add `Glob` task for collecting files in directories - [5077](https://github.com/PrefectHQ/prefect/pull/5077)
- Add `DbtCloudRunJob` task for triggering dbt cloud run jobs - [5085](https://github.com/PrefectHQ/prefect/pull/5085)
- Added Kafka Tasks entry to website docs - [5094](https://github.com/PrefectHQ/prefect/pull/5094)

Fixes

- Update the `FlowView` to be more robust to serialized flow changes in the backend - [5116](https://github.com/PrefectHQ/prefect/pull/5116)

Deprecations

- Move artifacts functions to `prefect.backend.artifacts` - [5117](https://github.com/PrefectHQ/prefect/pull/5117)

Server

This release includes a Prefect Server update that updates an upstream dependency to fix a security vulnerability. See the [release changelog](https://github.com/PrefectHQ/server/blob/master/Changelog.md#november-09-2021-) for more details.

Contributors

- [Alessandro Lollo](https://github.com/AlessandroLollo)
- [Bradley Axen](https://github.com/baxen)
- [Damien Ramunno-Johnson](https://github.com/damienrj)
- [Jonas Miederer](https://github.com/jonasmiederer)
- [Josh Wang](https;//github.com/wangjoshuah)
- [Nitay Joffe](https://github.com/nitay)
- [Timo S.](https://github.com/sti0)
- [Brett Naul](https://github.com/bnaul)

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41249

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 4.7

CVSS v3 Details

MEDIUM 4.7

Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Availability (A): NONE

CVSS v2 Details

LOW 2.6

Access Vector (AV): NETWORK
Access Complexity (AC): HIGH
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE