PyPI: Connexion

CVE-2021-41945

Transitive (the vulnerable code is in the dependency httpx, not in Connexion itself)

Safety vulnerability ID: 62142


Created at Apr 28, 2022 Updated at May 27, 2024

Advisory

Connexion 3.0 raises its 'httpx' dependency to 0.23 to pick up the fix for GHSA-h8pj-cxx2-jfg2, the httpx advisory for CVE-2021-41945 (see the changelog entry "Bump httpx version to 0.23" below). This is a transitive finding: the vulnerable code is in httpx, not in Connexion, so an application's real exposure depends on which httpx release its resolver installs. Moving to Connexion 3.0 or later makes the resolver select httpx 0.23 or newer; whatever Connexion version is pinned, confirm the installed httpx version directly rather than relying on the Connexion version alone.
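As an added example for this advisory (not code from the Connexion project), the script below checks whether an environment has actually resolved an httpx at or above the 0.23 lower bound that Connexion 3.0 introduced, and walks installed package metadata to show which direct dependency pulls httpx in, which is the question a transitive finding raises. It assumes 0.23.0 as the fixed lower bound (taken from the changelog entry below) and uses constructed sample metadata for the offline demonstration; `audit()` reads the real environment through `importlib.metadata`.

```python
"""Audit an environment for the httpx lower bound that Connexion 3.0 introduced.

Added example for this advisory page; it is not code from the Connexion project.
Assumed: the fixed lower bound is httpx 0.23.0 (from the changelog entry
"Bump httpx version to 0.23 to mitigate GHSA-h8pj-cxx2-jfg2"), and Requires-Dist
parsing only needs the project name, not extras or environment markers.
"""
from __future__ import annotations

import re
from importlib import metadata

HTTPX_FIXED = "0.23.0"  # assumed lower bound, taken from the changelog entry

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE = re.compile(r"^[.-]?(a|b|rc|dev|alpha|beta|pre)", re.IGNORECASE)


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple[tuple[int, ...], int]:
    """Sortable key for a PEP 440-style version; pre-releases sort before finals.

    '0.23' pads to (0, 23, 0); '0.23.0a1' and '0.23.0rc1' rank below '0.23.0'.
    """
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))
    is_final = 0 if _PRERELEASE.match(m.group(2)) else 1
    return tuple(numbers), is_final


def httpx_is_fixed(installed: str, minimum: str = HTTPX_FIXED) -> bool:
    """True when the installed httpx is at or above the bumped lower bound."""
    return version_key(installed) >= version_key(minimum)


def requirement_names(requires: list[str]) -> list[str]:
    """Normalized project names from Requires-Dist lines, ignoring specifiers and markers."""
    names = []
    for req in requires:
        m = _REQ_NAME.match(req)
        if m:
            names.append(normalize(m.group(1)))
    return names


def build_graph(requires_by_dist: dict[str, list[str]]) -> dict[str, list[str]]:
    """name -> [dependency names] from a mapping of distribution -> Requires-Dist lines."""
    return {normalize(name): requirement_names(reqs) for name, reqs in requires_by_dist.items()}


def dependency_paths(graph: dict[str, list[str]], root: str, target: str) -> list[list[str]]:
    """Every chain root -> ... -> target; shows which direct dependency drags target in."""
    root, target = normalize(root), normalize(target)
    found: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node == target:
            found.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # skip cycles such as a <-> b
                walk(dep, path + [dep])

    walk(root, [root])
    return found


def installed_graph() -> dict[str, list[str]]:
    """Same graph, built from the distributions installed in this interpreter."""
    dists = metadata.distributions()
    return build_graph(
        {d.metadata.get("Name"): list(d.requires or []) for d in dists if d.metadata.get("Name")}
    )


def audit(root: str = "connexion") -> dict:
    """Report the installed httpx version, whether it is fixed, and how root reaches it."""
    try:
        httpx_version = metadata.version("httpx")
    except metadata.PackageNotFoundError:
        httpx_version = None
    return {
        "httpx_version": httpx_version,
        "fixed": httpx_version is not None and httpx_is_fixed(httpx_version),
        "paths": dependency_paths(installed_graph(), root, "httpx"),
    }


# Constructed sample metadata (not a real environment) to exercise the graph walk.
SAMPLE_REQUIRES = {
    "myapp": ["connexion>=3.0"],
    "connexion": ["httpx>=0.23", "starlette>=0.27", 'Werkzeug>=2.2.1; extra == "flask"'],
    "starlette": ["anyio>=3.4.0"],
    "httpx": ["httpcore", "certifi"],
}

if __name__ == "__main__":
    print(dependency_paths(build_graph(SAMPLE_REQUIRES), "myapp", "httpx"))
    print(audit())
```

Run it inside the application's own virtual environment. A result with `fixed` False and a non-empty path through connexion is exactly the transitive case this page describes; if the path to httpx runs through a different direct requirement, that is the one to bump. The installed-version check alone is the minimal control; the path listing is what makes the remediation actionable.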

Affected package

connexion

Latest version: 3.1.0

Connexion - API first applications with OpenAPI/Swagger

Affected versions

Fixed versions

Vulnerability changelog

We are excited to announce the release of Connexion 3.0! 🎉

Connexion 3 fundamentally changes how Connexion is designed and implemented, and how it
fits into the wider Python API ecosystem. We adopted the ASGI interface, which makes Connexion both
modular and well-integrated with most modern Python API tooling.

**It brings some major changes compared to 2.X:**

* The improved ``App`` and new ``AsyncApp`` allow you to use Connexion as a stand-alone framework
* The ``App`` interface was extended so you no longer have to care about the framework used
  underneath
* Connexion can now be used as middleware to supercharge any ASGI or WSGI-compatible framework
  with its spec-based functionality
* Connexion is now pluggable in many dimensions:
  * All Connexion functionality is pluggable by adding or removing middleware from its stack
  * Validation is now pluggable by content type, solving longstanding issues regarding endpoints
    with multiple content types and making it easy to add validation for additional content types
  * Authentication is now pluggable by security scheme, making it easy to customize the behavior or
    add support for additional security schemes.
* Aiohttp support has been dropped due to lack of ASGI support
* We spent a lot of effort on extending and improving our documentation

**For further details, check:**
* Our [Connexion 3 documentation page][v3 docs] for a high level overview of the changes
* Our [in-depth blog post][v3 blog] on the redesign for technical details
* Below for a detailed overview of all changes 👇

[v3 blog]: https://medium.com/robbe.sneyders/a5dc17e81ff8?source=friends_link&sk=de5a7a67ccae8a03752f5e8e1dc68d48
[v3 docs]: https://connexion.readthedocs.io/en/stable/v3.html

Full changelog
* Drop aiohttp support by RobbeSneyders in https://github.com/spec-first/connexion/pull/1491
* Add Python 3.10 in favor of 3.6 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1494
* Add empty connexion middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1502
* Extract Swagger UI functionality into middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1496
* Add pre-commit hook by RobbeSneyders in https://github.com/spec-first/connexion/pull/1511
* Add routing middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1497
* Extract security to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1514
* Remove myself (Rafael Caricio) as maintainer by rafaelcaricio in https://github.com/spec-first/connexion/pull/1517
* Merge V2 to main by RobbeSneyders in https://github.com/spec-first/connexion/pull/1518
* Fix deprecation warning for Validator.iter_errors by jonasboecquaert in https://github.com/spec-first/connexion/pull/1536
* Refactor routing into middleware-api-operation model by RobbeSneyders in https://github.com/spec-first/connexion/pull/1533
* Clean up operation classes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1535
* Removed jsonschema version check by jonasboecquaert in https://github.com/spec-first/connexion/pull/1540
* Remove built-in support for uWSGI by jacobstanly89 in https://github.com/spec-first/connexion/pull/1544
* Fix for bug of the function is_json_mimetype() by jacobstanly89 in https://github.com/spec-first/connexion/pull/1541
* Use resolver in security middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1553
* call as_view in methodresolver by bluebrown in https://github.com/spec-first/connexion/pull/1552
* Fix async tests by Ruwann in https://github.com/spec-first/connexion/pull/1558
* Add test for MethodViewResolver by RobbeSneyders in https://github.com/spec-first/connexion/pull/1559
* debug mode interaction for non-flask server by thvu11 in https://github.com/spec-first/connexion/pull/1556
* Add .git-blame-ignore-revs file with black commit by RobbeSneyders in https://github.com/spec-first/connexion/pull/1561
* Feature/method views args by bluebrown in https://github.com/spec-first/connexion/pull/1564
* Activate mypy check in pre-commit by RobbeSneyders in https://github.com/spec-first/connexion/pull/1560
* Remove "type: ignore" by using list(dict), not dict.keys() by cclauss in https://github.com/spec-first/connexion/pull/1575
* Merge v2 to main by RobbeSneyders in https://github.com/spec-first/connexion/pull/1579
* Resolve $ref referring to another $ref by chibacchie in https://github.com/spec-first/connexion/pull/1584
* Update json for Flask 2.3 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1582
* Use Flask request_ctx instead of _request_ctx_stack by RobbeSneyders in https://github.com/spec-first/connexion/pull/1583
* setup.py: Update url by jayvdb in https://github.com/spec-first/connexion/pull/1586
* Extract JSON request body validation to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1588
* Remove AbstractSwaggerUIAPI class by RobbeSneyders in https://github.com/spec-first/connexion/pull/1589
* Removed internal variable pass_context_arg_name by leonardofesta in https://github.com/spec-first/connexion/pull/1568
* Explicitly support Flask async routes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1592
* Extract boilerplate code into Routed base classes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1590
* Move JSON response body validation to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1591
* Remove support for deprecated x-body-name position by RobbeSneyders in https://github.com/spec-first/connexion/pull/1600
* Avoid warning with jsonschema 4.16.0 by gaetano-guerriero in https://github.com/spec-first/connexion/pull/1601
* Add form data validator for validation middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1595
* Flask apps only signal an exception on real server errors by enerqi in https://github.com/spec-first/connexion/pull/1611
* Move parameter validation to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1610
* Add async app by RobbeSneyders in https://github.com/spec-first/connexion/pull/1613
* Update examples for Connexion 3.0 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1615
* Refactor decorators by RobbeSneyders in https://github.com/spec-first/connexion/pull/1618
* Switch to own maintained version of swagger-ui by RobbeSneyders in https://github.com/spec-first/connexion/pull/1619
* Expose additional context by RobbeSneyders in https://github.com/spec-first/connexion/pull/1620
* Implement user facing interface for ConnexionMiddleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1621
* Enable enforcing defaults by RobbeSneyders in https://github.com/spec-first/connexion/pull/1616
* Cache operation body definition by RobbeSneyders in https://github.com/spec-first/connexion/pull/1626
* Coerce types only in uri parser by RobbeSneyders in https://github.com/spec-first/connexion/pull/1627
* Introduce poetry by RobbeSneyders in https://github.com/spec-first/connexion/pull/1628
* Bump httpx version to 0.23 to mitigate GHSA-h8pj-cxx2-jfg2 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1632
* Refactor tests by RobbeSneyders in https://github.com/spec-first/connexion/pull/1631
* Define request interface and align WSGI and ASGI by RobbeSneyders in https://github.com/spec-first/connexion/pull/1636
* Feature/request context by RobbeSneyders in https://github.com/spec-first/connexion/pull/1639
* Add error handlers for AsyncApp by RobbeSneyders in https://github.com/spec-first/connexion/pull/1640
* Make tests framework agnostic by RobbeSneyders in https://github.com/spec-first/connexion/pull/1634
* Bump starlette version by Ruwann in https://github.com/spec-first/connexion/pull/1641
* Bump a2wsgi and drop monkeypatch by RobbeSneyders in https://github.com/spec-first/connexion/pull/1647
* Update NumberConverter regex to match new Werkzeug behavior (v3) by RobbeSneyders in https://github.com/spec-first/connexion/pull/1644
* Re-add tests for multiple and mixed file uploads by RobbeSneyders in https://github.com/spec-first/connexion/pull/1642
* Add support for relative refs in spec by RobbeSneyders in https://github.com/spec-first/connexion/pull/1648
* Clean up errors and fix hierarchy by RobbeSneyders in https://github.com/spec-first/connexion/pull/1649
* Enforce required RequestBody by RobbeSneyders in https://github.com/spec-first/connexion/pull/1652
* Create abstract validator classes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1653
* Enable response mimetype validation for non-error responses by RobbeSneyders in https://github.com/spec-first/connexion/pull/1654
* Don't return 400 when read-only property is provided by RobbeSneyders in https://github.com/spec-first/connexion/pull/1655
* Add jsonifier as argument to app / api by RobbeSneyders in https://github.com/spec-first/connexion/pull/1656
* Add high-level documentation for 3.0 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1646
* Run release pipeline for pre-releases as well by RobbeSneyders in https://github.com/spec-first/connexion/pull/1658
* Fix filter pattern in release pipeline by RobbeSneyders in https://github.com/spec-first/connexion/pull/1659
* Fix ReadTheDocs config for Poetry by RobbeSneyders in https://github.com/spec-first/connexion/pull/1663
* Update quickstart.rst to include example of passing server arguments by rkrishnasanka in https://github.com/spec-first/connexion/pull/1645
* Fix and extend v3 documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1664
* Update docs index page by RobbeSneyders in https://github.com/spec-first/connexion/pull/1665
* Delay import error for optional flask dependency by RobbeSneyders in https://github.com/spec-first/connexion/pull/1668
* Update Operations to act as wrapper of wrapped view function by RobbeSneyders in https://github.com/spec-first/connexion/pull/1669
* Add explicit asgiref dependency by RobbeSneyders in https://github.com/spec-first/connexion/pull/1667
* Pass through lifespan events by RobbeSneyders in https://github.com/spec-first/connexion/pull/1673
* Add lifespan middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1676
* Fix examples links in security doc page by opheron in https://github.com/spec-first/connexion/pull/1677
* Fix stream replay in validators by RobbeSneyders in https://github.com/spec-first/connexion/pull/1678
* Make security pluggable by Ruwann in https://github.com/spec-first/connexion/pull/1671
* Add tests for strict validation in combination with api key in query by Ruwann in https://github.com/spec-first/connexion/pull/1681
* Update CLI for 3.0 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1687
* Add `add_middleware` interface by RobbeSneyders in https://github.com/spec-first/connexion/pull/1683
* Add test for security_map argument by Ruwann in https://github.com/spec-first/connexion/pull/1691
* Inspect middleware parameters before passing in lifespan by RobbeSneyders in https://github.com/spec-first/connexion/pull/1686
* Remove context keyword from security handlers by Ruwann in https://github.com/spec-first/connexion/pull/1690
* Unpack error handler when registering on middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1695
* Use logger error instead of exception by Ruwann in https://github.com/spec-first/connexion/pull/1692
* Fix add_middleware enum comparison by RobbeSneyders in https://github.com/spec-first/connexion/pull/1698
* Move from caret to inequality requirements by marcin-lulek-cint in https://github.com/spec-first/connexion/pull/1704
* Improve and fix docs index page by RobbeSneyders in https://github.com/spec-first/connexion/pull/1700
* Update quickstart documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1701
* Add traceback info to common error handler by Ruwann in https://github.com/spec-first/connexion/pull/1708
* Add middleware documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1706
* Deepcopy only headers in validator by RobbeSneyders in https://github.com/spec-first/connexion/pull/1710
* Use repr for error logging by Ruwann in https://github.com/spec-first/connexion/pull/1711
* Fix typo by julienschuermans in https://github.com/spec-first/connexion/pull/1713
* Bugfix/basepath by Ruwann in https://github.com/spec-first/connexion/pull/1716
* Bump starlette by RobbeSneyders in https://github.com/spec-first/connexion/pull/1734
* Make middleware_app property private by RobbeSneyders in https://github.com/spec-first/connexion/pull/1737
* Update routing documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1738
* chore: fix typos by afuetterer in https://github.com/spec-first/connexion/pull/1740
* Add swagger-ui docs and clean up swagger-ui options by RobbeSneyders in https://github.com/spec-first/connexion/pull/1739
* Update request handling documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1741
* Update response handling documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1742
* Support multiple APIs with same base path by RobbeSneyders in https://github.com/spec-first/connexion/pull/1736
* Add validation documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1743
* Remove debug argument from example by RobbeSneyders in https://github.com/spec-first/connexion/pull/1749
* Add context documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1747
* Feature/get delete body by Ruwann in https://github.com/spec-first/connexion/pull/1712
* Drop Python 3.7 in favor of 3.11 and 3.12 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1752
* Create FUNDING.yml by RobbeSneyders in https://github.com/spec-first/connexion/pull/1753
* Centralize error handling in ExceptionMiddleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1754
* Add lifespan documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1759
* Add testing documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1760
* Update Exceptions documentations by RobbeSneyders in https://github.com/spec-first/connexion/pull/1758
* Fix CLI and drop click dependency by RobbeSneyders in https://github.com/spec-first/connexion/pull/1762
* Update cli docs by RobbeSneyders in https://github.com/spec-first/connexion/pull/1763
* Remove cookbook docs and sort index better by RobbeSneyders in https://github.com/spec-first/connexion/pull/1765
* Update security docs by RobbeSneyders in https://github.com/spec-first/connexion/pull/1764
* Add gunicorn with uvicorn workers to docs by RobbeSneyders in https://github.com/spec-first/connexion/pull/1766
* Import WSGIDecorator under connexion.decorators by RobbeSneyders in https://github.com/spec-first/connexion/pull/1768
* Add new authors' copyright notice by RobbeSneyders in https://github.com/spec-first/connexion/pull/1770
* Improve JSON req error on disallowed empty body by uranusjr in https://github.com/spec-first/connexion/pull/1761
* Update readme by RobbeSneyders in https://github.com/spec-first/connexion/pull/1769
* Update v3 documentation for release by RobbeSneyders in https://github.com/spec-first/connexion/pull/1771
* Switch back from py-swagger-ui to swagger-ui-bundle by RobbeSneyders in https://github.com/spec-first/connexion/pull/1756
* Convert README from rst to md by RobbeSneyders in https://github.com/spec-first/connexion/pull/1772
* Fix images on PyPI by RobbeSneyders in https://github.com/spec-first/connexion/pull/1773

New Contributors
* jacobstanly89 made their first contribution in https://github.com/spec-first/connexion/pull/1544
* bluebrown made their first contribution in https://github.com/spec-first/connexion/pull/1552
* thvu11 made their first contribution in https://github.com/spec-first/connexion/pull/1556
* chibacchie made their first contribution in https://github.com/spec-first/connexion/pull/1584
* jayvdb made their first contribution in https://github.com/spec-first/connexion/pull/1586
* leonardofesta made their first contribution in https://github.com/spec-first/connexion/pull/1568
* gaetano-guerriero made their first contribution in https://github.com/spec-first/connexion/pull/1601
* enerqi made their first contribution in https://github.com/spec-first/connexion/pull/1611
* rkrishnasanka made their first contribution in https://github.com/spec-first/connexion/pull/1645
* opheron made their first contribution in https://github.com/spec-first/connexion/pull/1677
* marcin-lulek-cint made their first contribution in https://github.com/spec-first/connexion/pull/1704
* julienschuermans made their first contribution in https://github.com/spec-first/connexion/pull/1713
* afuetterer made their first contribution in https://github.com/spec-first/connexion/pull/1740
* uranusjr made their first contribution in https://github.com/spec-first/connexion/pull/1761

**Full Changelog**: https://github.com/spec-first/connexion/compare/2.13.0...3.0.0


Severity Details

These are the scores of the underlying httpx issue; since the finding is transitive, they describe the vulnerable httpx code rather than anything specific to Connexion.

CVSS Base Score: CRITICAL 9.1

CVSS v3 Details: CRITICAL 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): NONE

CVSS v2 Details: MEDIUM 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE