PyPI: Elyra

CVE-2022-29078

Transitive dependency

Safety vulnerability ID: 49387

This vulnerability was reviewed by experts; the information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 25, 2022. Updated at Nov 29, 2024.

Advisory

Elyra 3.9.0 requires 'ejs' versions ^3.1.7 to include a security fix. ejs is an npm package pulled in by the build of Elyra's JupyterLab extensions, so for a Python user it is a transitive dependency rather than something installed from PyPI. CVE-2022-29078 is the server-side template injection in ejs before 3.1.7: the render option `settings['view options']['outputFunctionName']` is parsed as an internal option, so attacker-controlled render options can overwrite `outputFunctionName` with code that runs when the template is compiled. The CVSS score below rates the ejs issue itself; this advisory does not state whether Elyra ever passes untrusted input into ejs render options, so treat the score as an upper bound and verify which ejs versions are actually present in the installed front-end tree.
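The practical check for a transitive npm dependency is to confirm that every copy of it, not only the top-level one, is at or above the fixed release. The script below is an added example rather than Elyra's own tooling: it walks the JSON that `npm ls ejs --all --json` prints when run from a checkout of the front-end source and reports each `ejs` occurrence older than 3.1.7. The dependency tree embedded in it is constructed for the example and is not Elyra's real tree.

```python
"""Report every copy of a transitive npm package that is below a fixed version.

Added example (not Elyra's own code). Consumes the output of
`npm ls <pkg> --all --json`; nested node_modules trees can hold the same
package several times at different versions, so all occurrences are checked.
"""
import json
import re
from typing import Iterator, List, Tuple

FIXED_VERSION = "3.1.7"  # first ejs release carrying the CVE-2022-29078 fix

# Constructed stand-in for `npm ls ejs --all --json`; not Elyra's real tree.
SAMPLE_NPM_LS_JSON = json.dumps({
    "name": "example-extension",
    "version": "0.0.0",
    "dependencies": {
        "ejs": {"version": "3.1.7"},                       # hoisted copy: fixed
        "some-build-tool": {
            "version": "1.0.0",
            "dependencies": {"ejs": {"version": "3.1.6"}},  # nested copy: vulnerable
        },
        "other-lib": {
            "version": "2.2.0",
            "dependencies": {"ejs": {"version": "3.1.8"}},  # nested copy: fixed
        },
    },
})

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def semver_key(version: str) -> Tuple[int, int, int, int, str]:
    """Sort key ordering versions per semver; a prerelease ranks below its release.

    Prerelease identifiers are compared as plain strings, which is enough for
    a 'below the fixed version?' check.
    """
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4)
    return (major, minor, patch, 1 if prerelease is None else 0, prerelease or "")


def walk(tree: dict, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], str]]:
    """Yield (path, version) for every node in an `npm ls --json` tree."""
    for name, node in tree.get("dependencies", {}).items():
        here = path + (name,)
        version = node.get("version")
        if version:
            yield here, version
        yield from walk(node, here)


def find_vulnerable(npm_ls_json: str, package: str, fixed: str) -> List[str]:
    """Return 'parent > ... > package@version' for each copy below `fixed`."""
    tree = json.loads(npm_ls_json)
    fixed_key = semver_key(fixed)
    return [
        " > ".join(path) + f"@{version}"
        for path, version in walk(tree)
        if path[-1] == package and semver_key(version) < fixed_key
    ]


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NPM_LS_JSON
    for entry in find_vulnerable(raw, "ejs", FIXED_VERSION):
        print("VULNERABLE:", entry)
```

Pipe real `npm ls ejs --all --json` output into the script; an empty report means no copy of ejs below 3.1.7 is present in that tree. The `^3.1.7` requirement in the advisory also excludes 4.x, but for the purpose of this CVE any version at or above 3.1.7 carries the fix.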

Affected package

elyra

Latest version: 3.15.0

Elyra provides AI Centric extensions to JupyterLab

Affected versions: versions before 3.9.0

Fixed versions: 3.9.0
Vulnerability changelog

- [Installation documentation](https://elyra.readthedocs.io/en/v3.9.0/getting_started/installation.html)
- [Getting help](https://elyra.readthedocs.io/en/v3.9.0/getting_started/getting-help.html)

New feature highlights

Access sensitive information in generic pipeline nodes

Jupyter notebooks, Python scripts or R scripts might require access to resources that are protected using sensitive information, such as an API key or a user ID and password. If you are running pipelines on Kubeflow Pipelines or Apache Airflow you can take advantage of [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) that are defined in your cluster. Starting with version 3.9 you can [configure pipelines to expose these secrets as environment variables](https://elyra.readthedocs.io/en/v3.9.0/user_guide/best-practices-file-based-nodes.html#handling-sensitive-information), which notebooks or scripts can access. Keep in mind that an environment variable is readable by every process in the node's container and is easily copied into saved cell output or pipeline logs, so read an injected secret once and never print it.

![Using secrets](https://user-images.githubusercontent.com/13068832/170140291-fbcaf5f4-1658-49e6-ad4e-5f47372c41f9.gif)
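On the notebook side, the two failure modes worth handling are a secret that was never injected (which otherwise surfaces later as a confusing authentication error) and a secret leaking into cell output, which is persisted in the `.ipynb` and in pipeline logs. The helper below is an added example, not Elyra's own code; it assumes the node maps a Kubernetes secret to the environment variable `API_KEY` (a name chosen for the example) and fails closed when it is missing, while masking the value in anything the notebook prints.

```python
"""Consume a secret that a pipeline node exposes as an environment variable.

Added example (not Elyra's own code). Assumes the node was configured to map
a Kubernetes secret to the environment variable API_KEY; the name is chosen
for the example.
"""
import os
from typing import Dict, Mapping, Optional


def get_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the secret from `env` (default: the process environment).

    Fails closed: a missing or blank variable means the node's secret mapping
    is absent or the referenced secret key is empty.
    """
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value.strip():
        raise RuntimeError(
            f"{name} is not set in this node's environment; "
            "check the node's Kubernetes secret mapping and the secret key"
        )
    return value


class Redactor:
    """Replace known secret values in text with a placeholder.

    Longer values are masked first so that a secret which is a prefix of
    another cannot leave part of the longer one visible.
    """

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._pairs = sorted(secrets.items(), key=lambda kv: len(kv[1]), reverse=True)

    def __call__(self, text: str) -> str:
        for name, value in self._pairs:
            text = text.replace(value, f"<{name} redacted>")
        return text


def build_auth_header(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Build the bearer header a notebook would send; the raw value stays in this dict."""
    return {"Authorization": f"Bearer {get_secret('API_KEY', env)}"}


def safe_log_line(headers: Mapping[str, str], redact: Redactor) -> str:
    """Render request headers for a log line or cell output with secrets masked."""
    return redact(" ".join(f"{k}={v}" for k, v in headers.items()))


if __name__ == "__main__":
    # Fails with a clear message if the secret mapping is missing.
    redact = Redactor({"API_KEY": get_secret("API_KEY")})
    print(safe_log_line(build_auth_header(), redact))
```

Passing `env` explicitly keeps the functions testable without touching the real process environment; in a notebook the defaults read `os.environ`, which is where Elyra's secret mapping lands.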


Pipeline CLI: identify pipeline dependencies

The [`elyra-pipeline describe`](https://elyra.readthedocs.io/en/v3.9.0/user_guide/pipelines.html#describing-a-pipeline-from-the-command-line-interface) CLI command output now includes information about the following dependencies for nodes that utilize [generic components](https://elyra.readthedocs.io/en/v3.9.0/user_guide/pipeline-components.html#generic-components): container images, data volumes, and Kubernetes secrets. The machine-readable output (produced when the `--json` option is specified) is most commonly used to automate processes, such as impact analysis and dependency checking. In the example below the output of the command is piped to the [`jq` command-line processor](https://stedolan.github.io/jq/), which extracts information about the container images that the pipeline's notebooks or scripts are executed in:


```shell
$ elyra-pipeline describe --json my.pipeline | jq '.dependencies.container_images[]'
"tensorflow/tensorflow:2.8.0"
```

This information could be used to identify pipelines that use a specific container image version or to verify that the container images are available in a specific container registry.
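Beyond spotting a particular image version, the same JSON lets you enforce a policy on where pipeline nodes pull their runtime images from and how they are pinned. The script below is an added example, not part of Elyra: it reads `elyra-pipeline describe --json` output (relying only on the `.dependencies.container_images` array shown above), parses each reference with the Docker reference rules (a first path component is a registry only if it contains `.` or `:` or is `localhost`; bare names live in Docker Hub's `library` namespace), and flags images from unapproved registries, mutable tags, and missing digests. The registry allowlist and the sample describe output are constructed for the example.

```python
"""Audit the container images a pipeline depends on.

Added example (not Elyra's own code). Input is the JSON printed by
`elyra-pipeline describe --json <file>`; only `.dependencies.container_images`
is used. The allowlist and sample output are constructed for the example.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for `elyra-pipeline describe --json` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "dependencies": {
        "container_images": [
            "tensorflow/tensorflow:2.8.0",
            "quay.io/acme/trainer:1.4.2",
            "registry.example.com:5000/ml/runtime@sha256:" + "a" * 64,
            "python:latest",
            "internal.corp/notebooks/base",
        ]
    }
})

# Constructed policy: registries the cluster may pull from, and tags that move.
APPROVED_REGISTRIES = {"quay.io", "registry.example.com:5000"}
MUTABLE_TAGS = {"latest", "main", "master", "dev"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # A leading component is a registry only if it looks like a host (Docker rule).
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:      # a ':' after the last '/' starts the tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path            # official images live under 'library'
    return ImageRef(registry, path, tag, digest)


def audit_image(ref: str) -> List[str]:
    """Return the policy violations for one image reference (empty list = OK)."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in APPROVED_REGISTRIES:
        problems.append(f"registry {img.registry!r} not approved")
    if img.digest is None:
        problems.append("not pinned by digest")
    elif not DIGEST_RE.match(img.digest):
        problems.append("malformed digest")
    if img.tag is None and img.digest is None:
        problems.append("no tag (defaults to 'latest')")
    elif img.tag in MUTABLE_TAGS:
        problems.append(f"mutable tag {img.tag!r}")
    return problems


def audit_describe_output(describe_json: str) -> Dict[str, List[str]]:
    """Map every image in the describe output to its violations."""
    data = json.loads(describe_json)
    images = data.get("dependencies", {}).get("container_images", [])
    return {ref: audit_image(ref) for ref in images}


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    report = audit_describe_output(raw)
    for ref, problems in report.items():
        print(("OK  " if not problems else "BAD ") + ref + ("" if not problems else ": " + "; ".join(problems)))
    sys.exit(1 if any(report.values()) else 0)
```

Run it as `elyra-pipeline describe --json my.pipeline | python audit_images.py` in CI; the non-zero exit code on any violation makes it usable as a gate before a pipeline is submitted.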

Create code snippets from notebook cells

Create a code snippet by [selecting one or more cells in a Jupyter notebook](https://elyra.readthedocs.io/en/v3.9.0/user_guide/code-snippets.html#creating-a-code-snippet).

![Creating a code snippet from selected notebook cells](https://user-images.githubusercontent.com/13068832/169914420-9dbaed09-abc4-4350-a5ee-87110dbcfe3b.gif)


Documentation: Running Elyra in an air gapped environment

The new [documentation topic](https://elyra.readthedocs.io/en/v3.9.0/recipes/running-elyra-in-air-gapped-environment.html) covers considerations for running Elyra in an air gapped environment.


What's Changed
New Features
* Add backend support for Kubernetes secrets environment variables by kiersten-stokes in https://github.com/elyra-ai/elyra/pull/2715
* Elyra pipeline describe enhancements by binayakdutta in https://github.com/elyra-ai/elyra/pull/2722
* Add 'Running Elyra in an air gapped environment' topic to documentation by ptitzler in https://github.com/elyra-ai/elyra/pull/2744
* Update 'elyra-pipeline describe' command by ptitzler in https://github.com/elyra-ai/elyra/pull/2742
* Create code snippet from whole cells (1199) by xlegs in https://github.com/elyra-ai/elyra/pull/2726
Bug Fixes
* Simplify R and Python icon svgs by ajbozarth in https://github.com/elyra-ai/elyra/pull/2705
* Prepend baseUrl to icon source by ajbozarth in https://github.com/elyra-ai/elyra/pull/2728
* Fix pipeline submit button reload bug by karlaspuldaro in https://github.com/elyra-ai/elyra/pull/2734
* Fix metadata dropdown style in dark mode by karlaspuldaro in https://github.com/elyra-ai/elyra/pull/2743
* Fix incorrect string replacement in release script by akchinSTC in https://github.com/elyra-ai/elyra/pull/2748
* Fix save as code snippet by marthacryan in https://github.com/elyra-ai/elyra/pull/2756
* Fix release script updates to schemas docs and package desc by akchinSTC in https://github.com/elyra-ai/elyra/pull/2752
* Fix tag bug by marthacryan in https://github.com/elyra-ai/elyra/pull/2761
* Fix metadata editor being able to open in multiple tabs by marthacryan in https://github.com/elyra-ai/elyra/pull/2762
* Fix missing placeholder text in metadata editor by marthacryan in https://github.com/elyra-ai/elyra/pull/2764
* Trim whitespace to prevent invalid tags in metadata editor by marthacryan in https://github.com/elyra-ai/elyra/pull/2768
Other
* Add link to new blog post to "published resources" documentation by kiersten-stokes in https://github.com/elyra-ai/elyra/pull/2707
* Update elyra individual extension package descriptions by akchinSTC in https://github.com/elyra-ai/elyra/pull/2708
* Remove dependency on ipython_genutils by kevin-bates in https://github.com/elyra-ai/elyra/pull/2710
* Update changelog header by ptitzler in https://github.com/elyra-ai/elyra/pull/2714
* Metadata tag whitespace proposed solution by JoshuaAlter in https://github.com/elyra-ai/elyra/pull/2538
* Improve github action workflow by ptitzler in https://github.com/elyra-ai/elyra/pull/2720
* Update node packages to fix security vulnerabilities by akchinSTC in https://github.com/elyra-ai/elyra/pull/2575
* Remove tensorflow 1.x sample runtime images by akchinSTC in https://github.com/elyra-ai/elyra/pull/2729
* Develop Elyra against the Jupyterlab source repo by ajbozarth in https://github.com/elyra-ai/elyra/pull/2709
* Validate runtime image environments in CI testing by kevin-bates in https://github.com/elyra-ai/elyra/pull/2721
* Bump NodeJS version requirement to v16 or higher by akchinSTC in https://github.com/elyra-ai/elyra/pull/2732
* Add elyra documentation link in elyra-metadata help by sgonsal in https://github.com/elyra-ai/elyra/pull/2731
* Update generic component operator to support python 3.7 by akchinSTC in https://github.com/elyra-ai/elyra/pull/2727
* Improve pipeline validation by ajbozarth in https://github.com/elyra-ai/elyra/pull/2698
* Fix processing of node properties for pipeline app commands by kiersten-stokes in https://github.com/elyra-ai/elyra/pull/2740
* Update installation topic in the 'getting started' documentation by ptitzler in https://github.com/elyra-ai/elyra/pull/2746
* Update metadata editor to use JupyterLab's new form editor by marthacryan in https://github.com/elyra-ai/elyra/pull/2464
* Fix scroll bug by marthacryan in https://github.com/elyra-ai/elyra/pull/2766

New Contributors
* JoshuaAlter made their first contribution in https://github.com/elyra-ai/elyra/pull/2538
* sgonsal made their first contribution in https://github.com/elyra-ai/elyra/pull/2731
* binayakdutta made their first contribution in https://github.com/elyra-ai/elyra/pull/2722
* xlegs made their first contribution in https://github.com/elyra-ai/elyra/pull/2726

**Full Changelog**: https://github.com/elyra-ai/elyra/compare/v3.8.1...v3.9.0


Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH

CVSS v2 Details

HIGH 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL