Safety vulnerability ID: 72062
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Exasol-python-test-framework addresses CVE-2024-35195 in its `requests` dependency by updating to version 2.32.0 or later. The vulnerability arises because a `requests.Session` object stops verifying SSL certificates on subsequent requests once an initial request has been made with `verify=False`. This could allow man-in-the-middle (MITM) attacks and other security risks.
Latest version: 0.6.1
Python test framework for Exasol database tests
Exasol Python Test Framework 0.6.0, released 2024-07-08
Code name: Configure TLS certificate validation
Summary
This release adds a CLI option controlling parameter `SSLCERTIFICATE` in file `odbc.ini`.
Starting with version `0.6.0`, EPTF is also available on PyPI.
Additionally, the release fixes vulnerabilities by updating dependencies:
* CVE-2024-35195 in dependency `requests` in versions < `2.32.0`, caused by the requests `Session` object no longer verifying SSL certificates after making a first request with `verify=False`.
* CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions < `2.2.2`, caused by the `Proxy-Authorization` request header not being stripped during cross-origin redirects; no update of notebook-connector is available yet.
* GHSA-w235-7p84-xx57 in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` enabling CRLF injection in `CurlAsyncHTTPClient` headers.
* GHSA-753j-mpmx-qq6g in transitive dependency via `luigi` to `tornado` in versions < `6.4.1`, due to inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling').
However, the release ignores the following vulnerabilities:
* GHSA-753j-mpmx-qq6g in dependency `configobj` in versions ≤ `5.0.8`, exploitable via ReDoS by developers using values in a server-side configuration file; ignored because SLCT is used only client side and a patched version is not available yet.
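As an added example (not code from the Safety advisory or from the EPTF project), the following Python snippet checks a `pip freeze` style pin list against the affected version ranges stated in the release notes above: `requests` < 2.32.0, `urllib3` < 2.2.2, `tornado` < 6.4.1 and `configobj` ≤ 5.0.8. The advisory table, the simplified version-ordering helper and the sample pin list are constructed for this example; the configobj entry is labelled by description because the release notes give no separate identifier for it.

```python
"""Check pinned dependencies against the version ranges named in the EPTF 0.6.0
release notes. Added example: the ADVISORIES table, the version parser and the
sample freeze output are constructed for illustration, not taken from the project."""

import re
from typing import Dict, List, Tuple

# (advisory, package, comparator, boundary) as stated in the release notes above.
# "<"  : affected when pinned version is below the patched release.
# "<=" : affected up to and including the boundary (no patched release yet).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("CVE-2024-35195", "requests", "<", "2.32.0"),
    ("CVE-2024-37891", "urllib3", "<", "2.2.2"),
    ("GHSA-w235-7p84-xx57", "tornado", "<", "6.4.1"),
    ("GHSA-753j-mpmx-qq6g", "tornado", "<", "6.4.1"),
    ("configobj ReDoS (see release notes)", "configobj", "<=", "5.0.8"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.32.0' into (2, 32). Trailing zeros are dropped so that '6.4' and
    '6.4.0' compare equal; pre-release suffixes such as '6.4.1rc1' are truncated
    to their numeric prefix. Sufficient for these boundary checks, not full PEP 440."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, comparator: str, boundary: str) -> bool:
    """True when `version` lies inside the affected range `<comparator> <boundary>`."""
    pinned, limit = parse_version(version), parse_version(boundary)
    if comparator == "<":
        return pinned < limit
    if comparator == "<=":
        return pinned <= limit
    raise ValueError(f"unsupported comparator {comparator!r}")


def parse_freeze(text: str) -> Dict[str, str]:
    """Read 'name==version' lines as emitted by `pip freeze`. Names are normalized
    the way pip does (lower case; '_', '.' and '-' runs collapse to '-')."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue  # comments, editable installs and VCS URLs are skipped
        name, version = line.split("==", 1)
        pins[re.sub(r"[-_.]+", "-", name).lower()] = version.strip()
    return pins


def check_pins(freeze_text: str) -> List[Tuple[str, str, str]]:
    """Return (advisory, package, pinned version) for each pin inside an affected range."""
    pins = parse_freeze(freeze_text)
    findings: List[Tuple[str, str, str]] = []
    for advisory, package, comparator, boundary in ADVISORIES:
        pinned = pins.get(package)
        if pinned is not None and is_affected(pinned, comparator, boundary):
            findings.append((advisory, package, pinned))
    return findings


# Constructed sample output of `pip freeze`; not a real EPTF lock file.
SAMPLE_FREEZE = """\
boto3==1.34.0
configobj==5.0.8
requests==2.31.0
tornado==6.4
urllib3==2.2.2
"""

if __name__ == "__main__":
    for advisory, package, pinned in check_pins(SAMPLE_FREEZE):
        print(f"{advisory}: {package}=={pinned} is inside the affected range")
```

On the constructed sample this reports `requests` 2.31.0, both tornado advisories for 6.4 and the configobj entry, while `urllib3` 2.2.2 is at the patched boundary and is not flagged. For production use a PEP 440 aware comparator (for example the `packaging` library) should replace `parse_version`, since pre-release and post-release segments are not ordered here.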
Security Fixes
* 70: Fixed vulnerabilities by updating dependencies.
Features
* 66: Added CLI option controlling parameter `SSLCERTIFICATE` in file `odbc.ini`.
Refactorings
* 67: Enabled publication on PyPI