Product Research Enterprise Plans Docs

PyPi: Smqtk-Dataprovider

CVE-2022-21699

Transitive

Safety vulnerability ID: 52535

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 19, 2022 Updated at Nov 07, 2023

Scan your Python projects for vulnerabilities →

Advisory

Smqtk-dataprovider 0.17.0 updates its dependency 'ipython' to v7.16.3 to include a security fix.

Affected package

smqtk-dataprovider

Latest version: 0.18.0

SMQTK Data provision abstractions and implementations

Affected versions

Fixed versions

Vulnerability changelog

=======
This minor release removes support for python version 3.6 which has since
reached EoL.

Updates / New Features
----------------------

CI

* Updated CI unittests workflow to include codecov reporting.
Reduced CodeCov report submission by skipping this step on scheduled runs.

* Update GitHub actions workflows with pinned python versions to use 3.7.

* Update code-cov action usage to use v3.

* Added properties file for use with SonarQube and SonarCloud.

* Added script and workflow to support release process as described in
smqtk-core shared document.

* Added explicit provision of codecov repository token to github action.

* Add testing for py3.11.

* Use modern numpy for python 3.8 and beyond.

Data Elements

* Memory

* Removed assertion that given data was specifically a bytes instance via
superfluous ``memoryview`` construction.

* PostgreSQL

* Removed outdated defaults for host and port.

* URL

* Removed injection of ``http`` on construction to the beginning of a given
URL if any schema was missing.

Dependencies

* Updated minimum required python version to 3.7 to follow python end of life.

* Updated development abstract dep versions to "*" since we do not currently
require any specific versions.

Documentation

* Updated CONTRIBUTING.md to reference smqtk-core's CONTRIBUTING.md file.

Fixes
-----

CI

* Modified CI unittests workflow to run for PRs targeting branches that match
the `release*` glob.

* Fixed new issues raised by updated version of ``mypy``.

Dependency Versions

* Updated the locked version of urllib3 to address a security vulnerability.

* Updated the developer dependency and locked version of ipython to address a
security vulnerability.

* Removed `jedi = "^0.17.2"` requirement since recent `ipython = "^7.17.3"`
update appropriately addresses the dependency.

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21699

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 8.8

CVSS v3 Details

HIGH 8.8

Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Availability (A): HIGH

CVSS v2 Details

MEDIUM 4.6

Access Vector (AV): LOCAL
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL