PyPi: Exasol-Python-Test-Framework

CVE-2024-35195

Transitive

Safety vulnerability ID: 72062

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 20, 2024. Updated at Jul 31, 2024.

Advisory

Exasol-python-test-framework addresses CVE-2024-35195 in its requests dependency by updating to versions 2.32.0 and above. This vulnerability arises from the requests.Session object not verifying SSL certificates after making an initial request with verify=False. This could allow man-in-the-middle (MITM) attacks and other security risks.

Affected package

exasol-python-test-framework

Latest version: 0.6.1

Python Test framework for Exasol database tests

Affected versions

Fixed versions

Vulnerability changelog

Exasol Python Test Framework 0.6.0, released 2024-07-08

Code name: Configure TLS certificate validation

Summary

This release adds a CLI option controlling parameter `SSLCERTIFICATE` in file `odbc.ini`.

Starting with version `0.6.0`, EPTF is also available on pypi.

Additionally, the release fixes vulnerabilities by updating dependencies:
* CVE-2024-35195 in dependency `requests` in versions < `2.32.0`, caused by the requests `Session` object not verifying certificates after making a first request with `verify=False`.
* CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions < `2.2.2`, caused by the Proxy-Authorization request header not being stripped during cross-origin redirects; updated directly, as no update of notebook-connector is available yet.
* GHSA-w235-7p84-xx57 in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` enabling CRLF injection in `CurlAsyncHTTPClient` headers.
* GHSA-753j-mpmx-qq6g in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` due to inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling').

However, the release ignores the following vulnerabilities:
* GHSA-753j-mpmx-qq6g in dependency `configobj` in versions ≤ `5.0.8`, ReDoS-exploitable by developers using values in a server-side configuration file, because SLCT is used only client side and a patched version is not available yet.
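A small stdlib-only checker that flags pinned dependencies falling inside the vulnerable ranges listed above. This is an example added here, not code from the EPTF project; the package-to-range table and the sample lock file are constructed for illustration from the changelog entries.

```python
"""Flag pinned dependencies below the fixed versions named in the EPTF 0.6.0 changelog."""
import re

# Advisory IDs and first fixed versions taken from the changelog above;
# the mapping itself (package -> (advisory, fixed_in)) is this example's own table.
VULNERABLE_BELOW = {
    "requests": ("CVE-2024-35195", "2.32.0"),
    "urllib3": ("CVE-2024-37891", "2.2.2"),
    "tornado": ("GHSA-w235-7p84-xx57 / GHSA-753j-mpmx-qq6g", "6.4.1"),
}


def parse_version(text):
    """Turn '2.31.0' or '6.4.1rc1' into a comparable 3-tuple of ints.
    Only leading numeric components count; a pre-release tag is dropped and
    missing components are padded with 0 so '2.32' equals '2.32.0'."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_pins(requirements_text):
    """Extract 'name==version' pins from requirements/lock text; comments and other lines are ignored."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def find_vulnerable(requirements_text):
    """Return [(package, pinned, advisory, fixed_in)] for every pin below its fixed version."""
    findings = []
    for name, pinned in parse_pins(requirements_text).items():
        if name in VULNERABLE_BELOW:
            advisory, fixed_in = VULNERABLE_BELOW[name]
            if parse_version(pinned) < parse_version(fixed_in):
                findings.append((name, pinned, advisory, fixed_in))
    return findings


# Constructed sample lock file resembling an environment before the 0.6.0 update
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
urllib3==2.2.1   # pulled in transitively via boto3
tornado==6.4.1
luigi==3.5.0
"""

if __name__ == "__main__":
    for pkg, pinned, adv, fixed in find_vulnerable(SAMPLE_REQUIREMENTS):
        print(f"{pkg}=={pinned} is affected by {adv}; upgrade to >= {fixed}")
```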

Security Fixes

* 70: Fixed vulnerabilities by updating dependencies.

Features

* 66: Added CLI option controlling parameter `SSLCERTIFICATE` in file `odbc.ini`.

Refactorings

* 67: Enabled publication on pypi

Resources
