PyPi: Ggshield

CVE-2023-3817

Transitive

Safety vulnerability ID: 60443

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 31, 2023 Updated at Oct 29, 2024
Scan your Python projects for vulnerabilities →

Advisory

Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.
https://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082

Affected package

ggshield

Latest version: 1.33.0

Detect secrets from all sources using GitGuardian's brains

Affected versions

Fixed versions

Vulnerability changelog

Added

HMSL

- ggshield gained a new group of commands: `hmsl`, short for "Has My Secret Leaked". These commands make it possible to securely check if secrets have been leaked in a public repository.

IaC

- `ggshield iac scan` now provides three new commands for use as Git hooks:

- `ggshield iac scan pre-commit`
- `ggshield iac scan pre-push`
- `ggshield iac scan pre-receive`

They use the same arguments and options as the other `ggshield iac scan` commands.

- The new `ggshield iac scan ci` command can be used to perform IaC scans in CI environments.
It supports the same arguments as hook subcommands (in particular, `--all` to scan the whole repository).
Supported CIs are:

- Azure
- Bitbucket
- CircleCI
- Drone
- GitHub
- GitLab
- Jenkins
- Travis

SCA

- `ggshield sca scan pre-commit` now provides a `--all` option to scan all files.

- The text output of `ggshield sca` scans now includes the identifier of the SCA vulnerability.

- The new `ggshield sca scan diff` command can be used to run custom differential scans.

Other

- It is now possible to manipulate the default instance using `ggshield config`:

- `ggshield config set instance <THE_INSTANCE_URL>` defines the default instance.
- `ggshield config unset instance` removes the previously defined instance.
- The default instance can be printed with `ggshield config get instance` and `ggshield config list`.

Changed

- ggshield now requires Python 3.8.

- The IaC Github Action now runs the new `ggshield iac scan ci` command. This means the action only fails if the changes introduce a new vulnerability. To fail if any vulnerability is detected, use the `ggshield iac scan ci --all` command.

Removed

- The following options have been removed from `ggshield iac scan diff`: `--pre-commit`, `--pre-push` and `--pre-receive`. You can replace them with the new `ggshield iac scan pre-*` commands.

Fixed

- `ggshield secret scan docker` now runs as many scans in parallel as the other scan commands.

- `ggshield` now provides an easier-to-understand error message for "quota limit reached" errors (309).

- `ggshield iac scan diff` `--minimum-severity` and `--ignore-policy` options are now correctly processed.

- `ggshield secret scan` no longer tries to scan files longer than the maximum document size (561).

Security

- ggshield now depends on cryptography 41.0.3, fixing https://github.com/advisories/GHSA-jm77-qphf-c4w8.

<a id='changelog-1.17.3'></a>

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 5.3

CVSS v3 Details

MEDIUM 5.3
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
LOW