PyPi: Fractal-Server

CVE-2023-2650

Transitive

Safety vulnerability ID: 59002

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 30, 2023 Updated at Dec 12, 2024
Scan your Python projects for vulnerabilities →

Advisory

Fractal-server 1.3.0a3 updates its dependency 'cryptography' to version '41.0.1' to include a security fix.
https://github.com/fractal-analytics-platform/fractal-server/pull/739/commits/ec5bbd57acabf5a1fc357cfb96c21e059c619475

Affected package

fractal-server

Latest version: 2.10.1

Server component of the Fractal analytics platform

Affected versions

Fixed versions

Vulnerability changelog

* Refactor user model:
* Switch from UUID4 to int for IDs (\660, \684).
* Fix many-to-many relationship between users and project (\660).
* Rename `Project.user_member_list` into `Project.user_list` (\660).
* Add `username` column (\704).
* Update endpoints (see also [1.2->1.3 upgrade info](../internals/version_upgrades/upgrade_1_2_5_to_1_3_0/) in the documentation):
* Review endpoint URLs (\669).
* Remove foreign keys from payloads (\669).
* Update `Task` models, task collection and task-related endpoints:
* Add `args_schema` and `args_schema_version` to `Task` model (\707).
* Remove `default_args` from `Tasks` model and from manifest tasks (\707).
* Add `version` and `owner` columns to `Task` model (\704).
* Set `Task.version` during task collection (\719).
* Set `Task.owner` as part of create-task endpoint (\704).
* For custom tasks, prepend `owner` to user-provided `source` (\725).
* Make `Task.source` task-specific rather than package-specific (\719).
* Make `Task.source` unique (\725).
* When importing a workflow, only use tasks' `source` values, instead of `(source,name)` pairs (\719).
* Update `_TaskCollectPip` methods, attributes and properties (\719).
* Remove private/public options for task collection (\704).
* Improve error message for missing package manifest (\704).
* Improve behavior when task-collection folder already exists (\704).
* Add warning when exporting workflows which include custom tasks (\728).
* Restrict Task editing to superusers and task owners (\733).
* Job execution:
* Add `FractalSlurmExecutor.shutdown` and corresponding endpoint (\631, \691, \696).
* In `FractalSlurmExecutor`, make `working_dir*` attributes required (\679).
* Remove `ApplyWorkflow.overwrite_input` column (\684, \694).
* Make `output_dataset_id` a required argument of apply-workflow endpoint (\681).
* Improve error message related to out-of-space disk (\699).
* Other updates to endpoints and database:
* Add `ApplyWorkflow.end_timestamp` column (\687, \684).
* Prevent deletion of a `Workflow`/`Dataset` in relationship with existing `ApplyWorkflow` (\703).
* Add project-name uniqueness constraint in project-edit endpoint (\689).
* Other updates to internal logic:
* Drop `WorkflowTask.arguments` property and `WorkflowTask.assemble_args` method (\742).
* Add test for collection of tasks packages with tasks in a subpackage (\743).
* Expose `FRACTAL_CORS_ALLOW_ORIGIN` environment variable (\688).
* Package and repository:
* Remove `fastapi-users-db-sqlmodel` dependency (\660).
* Make coverage measure more accurate (\676) and improve coverage (\678).
* Require pydantic version to be `>=1.10.8` (\711, \713).
* Include multiple `fractal-common` updates (\705, \719).
* Add test equivalent to `alembic check` (\722).
* Update `poetry.lock` to address security alerts (\723).
* Remove `sqlmodel` from `fractal-common`, and declare database models with multiple inheritance (\710).
* Make email generation more robust in `MockCurrentUser` (\730).
* Update `poetry.lock` to `cryptography=41`, to address security alert (\739).

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

MEDIUM 6.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
HIGH