PyPi: Python-Gitlab

CVE-2023-32681

Transitive

Safety vulnerability ID: 62151

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 26, 2023 Updated at Oct 28, 2024

Advisory

python-gitlab 4.0.0 updates its dependency 'requests' to 2.31.0, the release that fixes CVE-2023-32681. Earlier requests versions could leak the Proxy-Authorization header to the destination server when a request was redirected to an HTTPS endpoint, which is why the score below carries a high confidentiality impact and a changed scope. python-gitlab itself contains no fix; the exposure is transitive, so projects that reach requests only through python-gitlab should upgrade to python-gitlab 4.0.0 or later, or verify that the resolved requests version is 2.31.0 or newer.
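As an added example (not code from this advisory page or from the python-gitlab project), the following audit parses a `pip freeze` style lock file, flags a `requests` pin below 2.31.0 or a `python-gitlab` pin below 4.0.0, and can run the same check against the distributions installed in the current interpreter through `importlib.metadata`. The version thresholds are the ones stated on this page; the sample freeze output is constructed for illustration, and the version parser only handles release segments with an optional a/b/rc tag rather than full PEP 440.

```python
"""Audit a resolved dependency set for the transitive requests fix described above."""
import re
from importlib import metadata

# From this advisory: python-gitlab 4.0.0 raised its `requests` dependency to
# 2.31.0, the release that fixes CVE-2023-32681.
FIXED_REQUESTS = "2.31.0"
FIXED_PYTHON_GITLAB = "4.0.0"

# Release segment plus an optional a/b/rc pre-release tag. Enough for these two
# packages; it is deliberately not a complete PEP 440 parser.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:\.?(a|b|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable key: (release tuple, pre-release tuple)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # Drop trailing zeros so that 2.31 and 2.31.0 compare equal.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group(2) is None:
        pre = (1, 0)  # a final release sorts after any pre-release of the same number
    else:
        pre = (0, {"a": 0, "b": 1, "rc": 2}[m.group(2).lower()], int(m.group(3)))
    return release, pre


def normalize_name(name):
    """PEP 503 normalisation so `Python_GitLab` and `python-gitlab` share one key."""
    return re.sub(r"[-_.]+", "-", name).lower()


_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_freeze(text):
    """Map normalised project names to pinned versions from `pip freeze` style lines.

    Lines that are not exact `==` pins (comments, editable installs, ranges) are skipped,
    so a missing key means "not pinned here", not "not installed".
    """
    pins = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def audit(pins):
    """Return human-readable findings for this advisory; an empty list means clean."""
    findings = []
    requests_version = pins.get("requests")
    if requests_version is not None and parse_version(requests_version) < parse_version(FIXED_REQUESTS):
        findings.append(
            f"requests=={requests_version} is below {FIXED_REQUESTS}; affected by CVE-2023-32681"
        )
    gitlab_version = pins.get("python-gitlab")
    if gitlab_version is not None and parse_version(gitlab_version) < parse_version(FIXED_PYTHON_GITLAB):
        findings.append(
            f"python-gitlab=={gitlab_version} predates {FIXED_PYTHON_GITLAB}, the release that "
            f"moved its requests dependency to {FIXED_REQUESTS}"
        )
    return findings


def audit_installed(names=("requests", "python-gitlab")):
    """Run the same check against the distributions installed in this interpreter."""
    pins = {}
    for name in names:
        try:
            pins[normalize_name(name)] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass  # not installed: nothing to flag
    return audit(pins)


# Constructed sample `pip freeze` output (not taken from any real project).
SAMPLE_FREEZE = """\
certifi==2023.5.7
python-gitlab==3.15.0
requests==2.30.0
requests-toolbelt==1.0.0
"""

if __name__ == "__main__":
    for finding in audit(parse_freeze(SAMPLE_FREEZE)):
        print("FINDING:", finding)
```

The name normalisation matters in practice: lock files generated by different tools spell the same project as `python-gitlab`, `python_gitlab` or `Python-GitLab`, and a check keyed on the raw string would silently miss the pin. Note also that `requests-toolbelt` is parsed as its own key and never mistaken for `requests`.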

Affected package

python-gitlab

Latest version: 5.0.0

A python wrapper for the GitLab API

Affected versions

Fixed versions

Vulnerability changelog

Feature

* feat: officially support Python 3.12 ([`2a69c0e`](https://github.com/python-gitlab/python-gitlab/commit/2a69c0ee0a86315a3ed4750f59bd6ab3e4199b8e))

* feat(packages): Allow uploading bytes and files

This commit adds a keyword argument to GenericPackageManager.upload() to
allow uploading bytes and file-like objects to the generic package
registry. That necessitates changing file path to be a keyword argument
as well, which then cascades into a whole slew of checks to not allow
passing both and to not allow uploading file-like objects as JSON data.

Closes https://github.com/python-gitlab/python-gitlab/issues/1815 ([`61e0fae`](https://github.com/python-gitlab/python-gitlab/commit/61e0faec2014919e0a2e79106089f6838be8ad0e))

* feat: Use requests AuthBase classes ([`5f46cfd`](https://github.com/python-gitlab/python-gitlab/commit/5f46cfd235dbbcf80678e45ad39a2c3b32ca2e39))

* feat(api): add support for job token scope settings ([`59d6a88`](https://github.com/python-gitlab/python-gitlab/commit/59d6a880aacd7cf6f443227071bb8288efb958c4))

* feat(api): support project remote mirror deletion ([`d900910`](https://github.com/python-gitlab/python-gitlab/commit/d9009100ec762c307b46372243d93f9bc2de7a2b))

* feat(api): add optional GET attrs for /projects/:id/ci/lint ([`40a102d`](https://github.com/python-gitlab/python-gitlab/commit/40a102d4f5c8ff89fae56cd9b7c8030c5070112c))

* feat(api): add support for new runner creation API (#2635)

Co-authored-by: Nejc Habjan <hab.nejc@gmail.com> ([`4abcd17`](https://github.com/python-gitlab/python-gitlab/commit/4abcd1719066edf9ecc249f2da4a16c809d7b181))

* feat(releases): Add support for direct_asset_path

This commit adds support for the “new” alias for `filepath`:
`direct_asset_path` (added in 15.10) in release links API. ([`d054917`](https://github.com/python-gitlab/python-gitlab/commit/d054917ccb3bbcc9973914409b9e34ba9301663a))

* feat: Added iteration to issue and group filters ([`8d2d297`](https://github.com/python-gitlab/python-gitlab/commit/8d2d2971c3909fb5461a9f7b2d07508866cd456c))

Fix

* fix(cli): add _from_parent_attrs to user-project manager (#2558) ([`016d90c`](https://github.com/python-gitlab/python-gitlab/commit/016d90c3c22bfe6fc4e866d120d2c849764ef9d2))

* fix(cli): fix action display in --help when there are few actions

fixes #2656 ([`b22d662`](https://github.com/python-gitlab/python-gitlab/commit/b22d662a4fd8fb8a9726760b645d4da6197bfa9a))

* fix(client): support empty 204 responses in http_patch ([`e15349c`](https://github.com/python-gitlab/python-gitlab/commit/e15349c9a796f2d82f72efbca289740016c47716))

* fix(snippets): allow passing list of files ([`31c3c5e`](https://github.com/python-gitlab/python-gitlab/commit/31c3c5ea7cbafb4479825ec40bc34e3b8cb427fd))

Test

* test: add tests for token masking ([`163bfcf`](https://github.com/python-gitlab/python-gitlab/commit/163bfcf6c2c1ccc4710c91e6f75b51e630dfb719))

* test(cli): add test for user-project list ([`a788cff`](https://github.com/python-gitlab/python-gitlab/commit/a788cff7c1c651c512f15a9a1045c1e4d449d854))

* test: correct calls to `script_runner.run()`

Warnings were being raised. Resolve those warnings. ([`cd04315`](https://github.com/python-gitlab/python-gitlab/commit/cd04315de86aca2bb471865b2754bb66e96f0119))

* test: fix failing tests that use 204 (No Content) plus content

urllib3>=2 now checks for expected content length. Also codes 204 and
304 are set to expect a content length of 0 [1]

So in the unit tests stop setting content to return in these
situations.

[1] https://github.com/urllib3/urllib3/blob/88a707290b655394aade060a8b7eaee83152dc8b/src/urllib3/response.py#L691-L693 ([`3074f52`](https://github.com/python-gitlab/python-gitlab/commit/3074f522551b016451aa968f22a3dc5715db281b))

Unknown

* chore(deps): update dependency requests to v2.31.0 [security]

Also update dependency `responses==0.23.3` as it provides support for
`urllib3>=2`

Closes: #2626 ([`988a6e7`](https://github.com/python-gitlab/python-gitlab/commit/988a6e7eff5d24b2432d3d85f1e750f4f95563f7))

Resources


Severity Details

CVSS v3 Base Score: MEDIUM 6.1

Vector (the metrics below in standard notation): AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): NONE