PyPi: Octue

CVE-2023-23934

Transitive

Safety vulnerability ID: 53404

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 14, 2023 Updated at Dec 13, 2024
Scan your Python projects for vulnerabilities →

Advisory

Octue 0.43.3 updates its dependency 'werkzeug' to v2.2.3 to include security fixes.

Affected package

octue

Latest version: 0.61.0

A package providing template applications for data services, and a python SDK to the Octue API.

Affected versions

Fixed versions

Vulnerability changelog

Summary
Make a number of improvements and fixes to message handling when using pull subscriptions. Also update the small amount of testing that interacts with GCP to use a dedicated separate GCP project.

<!--- SKIP AUTOGENERATED NOTES --->
Contents ([558](https://github.com/octue/octue-sdk-python/pull/558))

Enhancements
- Increase number of questions that can be asked concurrently in `Child.ask_multiple` to 32
- Make delivery acknowledgement and maximum hearbeat interval kwargs available in `Child.ask`
- Allow parents to start handling child responses from the first non-missed message (`n + 1`) if the first `n` were missed
- Add question UUID to heartbeat log messages
- Improve `PushSubscriptionCannotBePulled` error message

Fixes
- Mark question as delivered on receipt of first response from child in case the delivery acknowledgement message is missed
- Stop loss of delivered question UUIDs if local metadata file does not yet exist
- Avoid message gap greater than the delivery acknowledgement timeout causing failure to receive child messages
- Allow a start time of zero in message handler

Dependencies
- Update to latest versions of `protobuf` and `werkzeug` to avoid security issues

Operations
- Add terraform configuration for new test project

Refactoring
- Simplify nested conditional
- Minimise code within try/except block in `OrderedMessageHandler`
- Move message recording into `OrderedMessageHandler._handle_message`
- Factor out raising message handling error in message handler
- Rename `OrderedMessageHandler.received_messages` to `handled_messages`

Testing
- Use new URI for Strands JSON schemas in tests
- Use dedicated GCP project for testing services
<!--- END AUTOGENERATED NOTES --->

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

LOW 3.5

CVSS v3 Details

LOW 3.5
Attack Vector (AV)
ADJACENT_NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
LOW
Availability Availability (A)
NONE