Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report bug #450

Open
wangyueq0101 opened this issue Oct 26, 2024 · 0 comments
Open

Report bug #450

wangyueq0101 opened this issue Oct 26, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@wangyueq0101
Copy link

Summary

A reachable construct was identified in urllib3==1.26.6 through my static analysis database. This version has been flagged as vulnerable in PyPI's open-source vulnerability database. The analysis uncovered more than 1 call chain leading to this construct. Below is one example to illustrate the potential vulnerability:

Call Chain Analysis

tkdesigner.cli.main->tkdesigner.designer.main->tkdesigner.figma.endpoints.main->requests.main->urllib3->urllib3.poolmanager.main

(main refers to the body of the Python file, and it is invoked through import statements)

Patch and Code Changes

We suspect that this construct(urllib3.poolmanager) may be vulnerable because it was modified in a [security-related patch]. This suggests that the original code might have contained a flaw, and it may still be risky to use the affected version (urllib3==1.26.6) without further investigation.

Note:

This issue was identified through a static analysis of the project at commit [57caea0].
@wangyueq0101 wangyueq0101 added the bug Something isn't working label Oct 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@wangyueq0101