[Medium severity] Denial of Service (DoS) (Due: 10/25/2020) #4588

Closed
5 tasks
fecjjeng opened this issue Aug 26, 2020 · 0 comments · Fixed by #4646
fecjjeng commented Aug 26, 2020

https://app.snyk.io/org/fecgov/project/a95ea997-b012-4b3b-a026-2fdbe6ac0398

| Field | Value |
| --- | --- |
| Vulnerable module | sqlalchemy |
| Introduced through | sqlalchemy@1.3.1, sqlalchemy-postgres-copy@0.3.0 and others |
| Exploit maturity | No known exploit |
| Fixed in | 1.3.19 |

Check dependencies:

  • Flask-SQLAlchemy
    • Flask-SQLAlchemy==2.4.1
      • SQLAlchemy [required: >=0.8.0, installed: 1.3.1]
  • marshmallow-sqlalchemy
    • marshmallow-sqlalchemy [required: >=0.4.1, installed: 0.15.0]
      • SQLAlchemy [required: >=0.9.7, installed: 1.3.1]
  • sqlalchemy-postgres-copy
    • sqlalchemy [required: Any, installed: 1.3.1]

Action items:

  • Test thoroughly since we're jumping from .1 to .19; don't rely solely on automated tests

Completion criteria:

  • Verify that this is a problem and address the vulnerability appropriately
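A pre-upgrade compatibility check for the bump this issue calls for, added here as an example (it is not code from the issue or the fecgov project): it takes the dependents and specifiers from the "Check dependencies" tree above and reports whether the fixed version 1.3.19 still satisfies each of them. The numeric version comparison is a minimal stand-in for the `packaging` library, and `plan_upgrade` is a hypothetical helper name.

```python
"""Pre-upgrade check for the SQLAlchemy bump this issue calls for.
Constructed example: dependents and specifiers come from the issue's
"Check dependencies" tree; version comparison is a minimal numeric one
(no pre-release or epoch handling), not the `packaging` library."""
from typing import Dict, Tuple

FIXED_IN = "1.3.19"  # version Snyk reports as containing the fix

# dependent -> SQLAlchemy specifier, as listed in the issue tree.
# "Any" means the dependent places no constraint on the version.
DEPENDENTS: Dict[str, str] = {
    "Flask-SQLAlchemy==2.4.1": ">=0.8.0",
    "marshmallow-sqlalchemy==0.15.0": ">=0.9.7",
    "sqlalchemy-postgres-copy==0.3.0": "Any",
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.3.19' -> (1, 3, 19). Tuples order correctly where strings do
    not: as strings, '1.3.19' sorts below '1.3.2'."""
    return tuple(int(p) for p in v.split("."))

def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause of a comma-separated specifier."""
    if spec.strip().lower() == "any":
        return True
    for clause in spec.split(","):
        clause = clause.strip()
        # longest operators first so '>=' is not mistaken for '>'
        op = next((o for o in (">=", "<=", "==", "!=", ">", "<")
                   if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not OPS[op](parse_version(version), parse_version(clause[len(op):])):
            return False
    return True

def plan_upgrade(candidate: str) -> Dict[str, bool]:
    """Per dependent, whether `candidate` still satisfies it, plus a
    'patched' entry: is `candidate` at or above the fixed version?"""
    report = {name: satisfies(candidate, spec) for name, spec in DEPENDENTS.items()}
    report["patched"] = parse_version(candidate) >= parse_version(FIXED_IN)
    return report

if __name__ == "__main__":
    for name, ok in plan_upgrade(FIXED_IN).items():
        print(f"{name:32s} {'ok' if ok else 'CONFLICT'}")
```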
@fecjjeng fecjjeng added the Security: moderate Remediate within 60 days label Aug 26, 2020
@JonellaCulmer JonellaCulmer added this to the Sprint 13.6 milestone Sep 8, 2020
@JonellaCulmer JonellaCulmer changed the title from "Denial of Service (DoS) (Due: 10/25/2020)" to "[Medium severity] Denial of Service (DoS) (Due: 10/25/2020)" Sep 16, 2020