PyPi: Nemo

CVE-2023-23969

Transitive

Safety vulnerability ID: 54994

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 01, 2023. Updated at Nov 29, 2024.

Advisory

Nemo 4.5.0 updates its dependency 'django' to v3.2.18 to include security fixes.

Affected package

nemo

Latest version: 6.0.3

NEMO is a laboratory logistics web application. Use it to schedule reservations, control tool access, track maintenance issues, and more.

Affected versions

Fixed versions

Vulnerability changelog

Update notes
* The new adjustment request feature needs to be enabled in Customization -> User request, and at least one user with the facility manager role needs to exist (for approval).
* An email template for the new adjustment request feature can be found in [the emails folder](https://github.com/usnistgov/NEMO/blob/master/resources/emails/adjustment_request_notification_email.html).

New features
* Added tool qualification groups, allowing a user to be qualified on a group of tools at the same time. The feature is currently available in the Qualification and Training pages.
* Merged staff charges and remote work menu items. Both can now be found under `Administration -> Remote work`.
* Big expansion of the REST API now allows creating new users, accounts, projects etc. Actions available in the REST API are Creation, Update, Partial Update and Deletion. Thanks `MIT.nano` for the contribution!
* Added adjustment requests:
  * If enabled in Customization, users can request adjustments from their usage page or from the global requests link.
  * The type of charges allowed is customizable; currently tool usage, area access and missed reservations are available.
  * The time limit for requesting adjustments is configurable and defaults to 2 weeks.
  * PIs can request adjustments for any eligible charges on their projects.
  * Adjustment requests can be exported from the detailed administration and request pages.
  * Adjustments can only be reviewed by facility managers.
  * If an adjustment is accepted, the user will receive a confirmation, and a separate email will be sent to the User Office including optional instructions.
  * If an adjustment is rejected, the user will receive a notification including optional feedback.
  * NOTE: Adjustment requests do not actually change charges. They are simply meant to allow users to create requests directly in NEMO; adjustments should be made outside of NEMO in the facility's own billing system.

Improvements
* Now displaying the creator of an access request when editing/reviewing it
* Added stack trace for errors thrown during plugin loading
* Discipline is now only used for projects and was renamed "Project discipline"
* Including utility packages (vim, less) in the docker container
* Major update of the Stanford interlock implementation with error checks for returned values. Many thanks to `Dave Botsch` from `Cornell NanoScale Facility` for the suggestion and all the help debugging!
* Navigation bar will now collapse to the "hamburger" menu (similar to mobile experience) on medium sized screens
* Improved the notification model to allow for multiple notifications of the same type.
* Now allowing HTML in the request description field (buddy requests, access requests, etc.)
* Added default value for post usage questions
* Added customization to hide tool usage data history for regular users
* Staff availability can now be hidden from staff status
* The `Application identifier` display name for projects can now be customized (to PO, Project Id, etc.)
* Natural keys have been added for easier import/export of projects (by name), users (by username), accounts (by name) and any category type model (by name)
* Added Customization to make location and phone number not required when creating tools. Tool usage data history tab can also be hidden from regular users.
* Moved all policy rules into its own class
* Regular users can now be given detailed admin permissions, and they will have access to the administration pages if applicable
* In detailed administration, locking/unlocking interlocks will now display errors
* Added access requests export button (both in detailed admin and regular page)
* Added new "checkbox" type post usage question
* Added a way to customize how the current setting for configuration is displayed
* Added remote work customizations, with options to automatically charge area access when working on remote project, to explicitly ask if work on behalf of a user should be considered remote, and to enable/disable remote charges validation
* Added a customization option to allow PIs to add/remove existing users to their projects
* Added a CSV parser for REST API as well as a file import option

Bug fixes
* Fixed project discipline not showing in project detail admin form
* Fixed 135 and more (broken links telling the admin to add model instances in detailed admin but django admin app is not installed)
* Fixed 134. Thanks r-xyz for the fix!
* Fixed User office staff not being able to see access requests
* Fixed infinite loop in authentication middleware when user doesn't have an account in NEMO.
* Fixed recurring outage across midnight not being created correctly
* Fixed issue when reading multiple sensors at once (connection not properly closed)

Libraries
* Django 3.2.16 -> 3.2.18 (vulnerability)
* cryptography 39.0.0 -> 40.0.1
* drf-excel 2.2.0 -> 2.3.0
* drf-flex-fields 1.0.0 -> 1.0.2
* pytz 2022.7.1 -> 2023.3
* django-filter 22.1 -> 23.1
* Pillow 9.4.0 -> 9.5.0
* pymodbus 3.1.1 -> 3.2.2


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH