Description
Vulnerable Library - fastapi-0.65.2-py3-none-any.whl
FastAPI framework, high performance, easy to learn, fast to code, ready for production
Library home page: https://files.pythonhosted.org/packages/dc/a8/a6be420593c4061c086e6d2ba47db46401d9af2b98b6cd33d35284f706d3/fastapi-0.65.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (fastapi version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2024-24762 | 7.5 | fastapi-0.65.2-py3-none-any.whl | Direct | python-multipart - 0.0.7 | ❌ |
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2024-24762
Vulnerable Library - fastapi-0.65.2-py3-none-any.whl
Dependency Hierarchy:
- ❌ fastapi-0.65.2-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
python-multipart is a streaming multipart parser for Python. When handling form data, python-multipart uses a regular expression to parse the HTTP Content-Type header, including its options. An attacker could send a custom-made Content-Type option that is very difficult for the regex to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means the process can't handle any more requests, leading to a regular expression denial of service (ReDoS). This vulnerability has been patched in python-multipart version 0.0.7.
Publish Date: 2024-02-05
URL: CVE-2024-24762
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2jv5-9r88-3w3p
Release Date: 2024-02-05
Fix Resolution: python-multipart - 0.0.7