PyPi: Octue

CVE-2022-1941

Transitive

Safety vulnerability ID: 53399

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 22, 2022. Updated at Oct 25, 2024.

Advisory

Octue 0.43.3 updates its dependency 'protobuf' to v3.20.3, which carries the fix for CVE-2022-1941: a flaw in protobuf's parsing of the MessageSet type that lets a specially crafted message drive the parser into an out-of-memory failure, so a service parsing untrusted protobuf input can be denied service. The vulnerable code lives in protobuf, not in octue itself, which is why this advisory is marked transitive; upgrading octue only helps if the protobuf release that actually resolves in your environment or lock file is 3.20.3 or a later release that also carries the fix.
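Because the flaw is transitive, the practical check is not "which octue is installed" but "which protobuf resolved". The script below, added here as an example and not code from the Octue project or from Safety, reads `pip freeze` style pins and reports whether the resolved protobuf predates 3.20.3, the fixed version named in the advisory. The sample freeze output is constructed to show the case where octue was bumped to 0.43.3 but the lock file was never regenerated; the version comparison is a deliberate simplification of PEP 440 that handles release and pre-release segments only.

```python
"""Check a resolved Python environment for the protobuf fix that Octue 0.43.3 pulls in.

Added example; it is not code from the Octue project or from Safety. The
`pip freeze` output below is constructed to illustrate the transitive case.
"""
import re
from typing import Dict, List, Tuple

# Minimum protobuf release carrying the fix, as stated in the advisory above.
FIXED_PROTOBUF = "3.20.3"
# Octue release that bumped its protobuf dependency to that version.
FIXED_OCTUE = "0.43.3"

# "name==version" lines as emitted by `pip freeze`; editable/URL lines are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d[\w.]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Map a version string to a tuple that orders like PEP 440 for the common cases.

    Numeric release segments are compared left to right with trailing zeros
    dropped (so "3.20" == "3.20.0"); a final release gets a trailing 0 and a
    pre-release such as "3.20.3rc1" a trailing -1, so the pre-release sorts
    first. Post/dev releases are not modelled: this is a pin check, not a resolver.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    marker = -1 if m.group(2) else 0
    return tuple(release) + (marker,)


def parse_freeze(lines: List[str]) -> Dict[str, str]:
    """Return {normalised_name: version} for every pinned line."""
    pins: Dict[str, str] = {}
    for line in lines:
        m = PIN_RE.match(line)
        if m:
            # PEP 503 normalisation: case-insensitive, runs of "-", "_", "." become "-".
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = m.group(2)
    return pins


def audit(lines: List[str]) -> Dict[str, object]:
    """Decide whether this environment is exposed to the advisory above.

    The octue version alone is not the deciding factor: the flaw is in
    protobuf, so what matters is the protobuf release that actually resolved.
    """
    pins = parse_freeze(lines)
    octue = pins.get("octue")
    proto = pins.get("protobuf")
    octue_fixed = octue is not None and parse_version(octue) >= parse_version(FIXED_OCTUE)
    if proto is None:
        return {"octue": octue, "protobuf": None, "vulnerable": False,
                "reason": "protobuf is not pinned here; nothing to assess"}
    if parse_version(proto) < parse_version(FIXED_PROTOBUF):
        reason = f"protobuf {proto} < {FIXED_PROTOBUF}"
        if octue_fixed:
            reason += "; octue is at a fixed release but the lock still resolves an old protobuf"
        return {"octue": octue, "protobuf": proto, "vulnerable": True, "reason": reason}
    return {"octue": octue, "protobuf": proto, "vulnerable": False,
            "reason": f"protobuf {proto} >= {FIXED_PROTOBUF}"}


# Constructed sample: octue was bumped but the lock file was not regenerated.
SAMPLE_STALE_LOCK = """\
google-api-core==2.10.1
octue==0.43.3
protobuf==3.20.1
-e git+https://github.com/example/app.git#egg=app
""".splitlines()

# Constructed sample: lock regenerated after the octue upgrade.
SAMPLE_REGENERATED = ["octue==0.43.3", "protobuf==3.20.3"]

if __name__ == "__main__":
    for sample in (SAMPLE_STALE_LOCK, SAMPLE_REGENERATED):
        print(audit(sample))
```

Run it against real output with `pip freeze | python audit.py`-style piping adapted to your tooling, or point `parse_freeze` at the pins exported from a Poetry or pip-tools lock; the point is that the check is keyed on the resolved protobuf, which is what the advisory's CVSS score describes.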

Affected package

octue

Latest version: 0.60.2

A package providing template applications for data services, and a python SDK to the Octue API.

Affected versions

Fixed versions

Vulnerability changelog

Summary
Make a number of improvements and fixes to message handling when using pull subscriptions. Also update the small amount of testing that interacts with GCP to use a dedicated separate GCP project.

Contents ([558](https://github.com/octue/octue-sdk-python/pull/558))

Enhancements
- Increase number of questions that can be asked concurrently in `Child.ask_multiple` to 32
- Make delivery acknowledgement and maximum heartbeat interval kwargs available in `Child.ask`
- Allow parents to start handling child responses from the first non-missed message (`n + 1`) if the first `n` were missed
- Add question UUID to heartbeat log messages
- Improve `PushSubscriptionCannotBePulled` error message

Fixes
- Mark question as delivered on receipt of first response from child in case the delivery acknowledgement message is missed
- Stop loss of delivered question UUIDs if local metadata file does not yet exist
- Avoid message gap greater than the delivery acknowledgement timeout causing failure to receive child messages
- Allow a start time of zero in message handler

Dependencies
- Update to latest versions of `protobuf` and `werkzeug` to avoid security issues

Operations
- Add terraform configuration for new test project

Refactoring
- Simplify nested conditional
- Minimise code within try/except block in `OrderedMessageHandler`
- Move message recording into `OrderedMessageHandler._handle_message`
- Factor out raising message handling error in message handler
- Rename `OrderedMessageHandler.received_messages` to `handled_messages`

Testing
- Use new URI for Strands JSON schemas in tests
- Use dedicated GCP project for testing services

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
HIGH