PyPi: Exasol-Python-Test-Framework

CVE-2024-37891

Transitive

Safety vulnerability ID: 72072

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 17, 2024 Updated at Jul 31, 2024

Advisory

Exasol-python-test-framework addresses CVE-2024-37891, which reaches it transitively through boto3's dependency on urllib3, by updating urllib3 to version 2.2.2. The vulnerability is caused by the Proxy-Authorization request header not being stripped during cross-origin redirects, which can leak proxy credentials to the redirect target.
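As an added illustration of the redirect behaviour the advisory refers to (example code written for this page, not code from the Exasol project or from urllib3): a minimal redirect policy that drops `Proxy-Authorization`, together with `Authorization` and `Cookie`, whenever the redirect target's origin (scheme, host, port) differs from the original request's. The origin comparison and the header set are this example's own assumptions, modelled on what urllib3 strips by default from 2.2.2 on.

```python
from urllib.parse import urlsplit

# Credential-bearing headers that must not follow a cross-origin redirect.
# Assumption: this mirrors urllib3's default set since 2.2.2; the missing
# "Proxy-Authorization" entry in earlier versions is CVE-2024-37891.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port


def is_cross_origin(src_url: str, dst_url: str) -> bool:
    """True when any of scheme, host or port differs between the two URLs."""
    return origin(src_url) != origin(dst_url)


def headers_for_redirect(src_url: str, dst_url: str, headers: dict[str, str]) -> dict[str, str]:
    """Headers to send to the redirect target.

    Same-origin redirects keep every header; cross-origin redirects drop the
    credential-bearing ones so a proxy or bearer token never reaches a third party.
    """
    if not is_cross_origin(src_url, dst_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample: a proxied request redirected to another host.
    sent = {"Proxy-Authorization": "Basic <placeholder>", "Accept": "*/*"}
    print(headers_for_redirect("https://a.example/", "https://b.example/", sent))
```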

Affected package

exasol-python-test-framework

Latest version: 0.6.1

Python Test framework for Exasol database tests

Affected versions

Fixed versions

Vulnerability changelog

Exasol Python Test Framework 0.6.0, released 2024-07-08

Code name: Configure TLS certificate validation

Summary

This release adds a CLI option controlling parameter `SSLCERTIFICATE` in file `odbc.ini`.

Starting with version `0.6.0`, EPTF is also available on pypi.

Additionally, the release fixes vulnerabilities by updating dependencies:
* CVE-2024-35195 in dependency `requests` in versions < `2.32.0`, caused by the requests `Session` object no longer verifying certificates on later requests once the first request was made with `verify=False`.
* CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions < `2.2.2`, caused by the `Proxy-Authorization` request header not being stripped during cross-origin redirects; updated directly as no update of `notebook-connector` is available yet.
* GHSA-w235-7p84-xx57 in transitive dependency via `luigi` to `tornado` in versions < `6.4.1`, enabling CRLF injection in `CurlAsyncHTTPClient` headers.
* GHSA-753j-mpmx-qq6g in transitive dependency via `luigi` to `tornado` in versions < `6.4.1`, due to inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling').

However, the release leaves the following vulnerability unfixed:
* GHSA-753j-mpmx-qq6g in dependency `configobj` in versions <= `5.0.8`, a ReDoS exploitable by developers using values in a server-side configuration file; ignored because SLCT is used only client side and a patched version is not available yet.

Security Fixes

* 70: Fixed vulnerabilities by updating dependencies.

Features

* 66: Added CLI option controlling parameter `SSLCERTIFICATE` in file `odbc.ini`.

Refactorings

* 67: Enabled publication on pypi
