
python_multipart-0.0.9-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) #204

Open
mend-bolt-for-github bot opened this issue Dec 3, 2024 · 0 comments
Labels: Mend: dependency security vulnerability (Security vulnerability detected by Mend)

Comments

@mend-bolt-for-github

Vulnerable Library - python_multipart-0.0.9-py3-none-any.whl

A streaming multipart parser for Python

Library home page: https://files.pythonhosted.org/packages/3d/47/444768600d9e0ebc82f8e347775d24aef8f6348cf00e9fa0e81910814e6d/python_multipart-0.0.9-py3-none-any.whl

Found in HEAD commit: ee8a7fea626f7ca9ddd66ed2d610124fa8612b91

Vulnerabilities

CVE: CVE-2024-53981
Severity: High
CVSS: 7.5
Dependency: python_multipart-0.0.9-py3-none-any.whl
Type: Direct
Fixed in (python_multipart version): 0.0.19
Remediation Possible**

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2024-53981

Vulnerable Library - python_multipart-0.0.9-py3-none-any.whl

A streaming multipart parser for Python

Library home page: https://files.pythonhosted.org/packages/3d/47/444768600d9e0ebc82f8e347775d24aef8f6348cf00e9fa0e81910814e6d/python_multipart-0.0.9-py3-none-any.whl

Dependency Hierarchy:

  • python_multipart-0.0.9-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ee8a7fea626f7ca9ddd66ed2d610124fa8612b91

Found in base branch: develop

Vulnerability Details

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.

Publish Date: 2024-12-02

URL: CVE-2024-53981

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-12-02

Fix Resolution: 0.0.19


@mend-bolt-for-github mend-bolt-for-github bot added the "Mend: dependency security vulnerability" label (Security vulnerability detected by Mend) on Dec 3, 2024