
GHSA-pp84-v3mw-gg4w: Taipy 3.1.1 affected by CVEs on flask-cors and pymongo

CVSS Score: N/A

Basic Information

- CVE ID: -
- EPSS Score: -
- CWE: -
- Published: 8/27/2024
- Updated: 10/10/2024
- KEV Status: No
- Technology: Python

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| taipy        | pip       | <= 3.1.1            | 4.0.0                 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

1. For CVE-2024-1681 (flask-cors):
   - The GitHub advisory explicitly references line 194 in flask_cors/extension.py
   - The _log_headers() method directly logs unsanitized headers
   - Matches CWE-117 (improper output neutralization for logs)

2. For CVE-2024-5629 (pymongo):
   - The CVE description implicates BSON deserialization in the bson module
   - No exact function is specified; pymongo's BSON decoding logic (likely in _decode.py) would handle input validation
   - Confidence is medium due to the lack of explicit function names in the disclosures

Both vulnerabilities stem from Taipy's dependencies rather than from Taipy's own code, but they fall within the 'system' scope definition because Taipy pulls them in as transitive dependencies.
