# Vulnerable dependencies with known CVEs for testing purposes
# DO NOT use these versions in production!
#
# NOTE(review): this is a scanner fixture, not an installable requirement set.
# Several distributions are pinned more than once, two of them to conflicting
# versions (PyYAML==5.3.1 vs pyyaml==5.0, setuptools==49.0.0 vs
# setuptools==56.0.0). pip normalizes project names case-insensitively, so
# `pip install -r requirements.txt` fails to resolve those pairs instead of
# installing either. Identical duplicates (urllib3, PyJWT, pymongo,
# pycryptodome) are tolerated by pip but may be double-counted by scanners.
#
# NOTE(review): the severity labels in the inline comments are not consistent
# with the CVSS scores beside them (9.8 appears as CRITICAL and as HIGH, 6.1 as
# HIGH and as MEDIUM, 5.9 as MEDIUM and as LOW; on the CVSS v3 qualitative
# scale 9.0+ is Critical and 4.0-6.9 is Medium), and the same CVE id carries
# different labels in different entries (CVE-2021-33503, CVE-2022-40897).
# Treat the annotations as the author's working notes; verify each id against
# the advisory database before relying on it in a report.
# CRITICAL Severity CVEs
Django==3.2.12 # CVE-2022-28346 (SQL Injection) - CRITICAL 9.8
Pillow==8.3.2 # CVE-2022-22817 (Buffer Overflow) - CRITICAL 9.8
paramiko==2.10.1 # CVE-2022-24302 (Race condition auth bypass) - CRITICAL 9.8
# HIGH Severity CVEs
Flask==2.0.0 # CVE-2023-30861 (Cookie parsing vulnerability) - HIGH 7.5
requests==2.25.0 # CVE-2023-32681 (Proxy-Authorization header leak) - HIGH 6.1
Jinja2==2.11.3 # CVE-2024-22195 (XSS vulnerability) - HIGH 6.1
lxml==4.6.3 # CVE-2021-43818 (XXE vulnerability) - HIGH 7.1
PyYAML==5.3.1 # CVE-2020-14343 (Arbitrary code execution) - HIGH 9.8
# MEDIUM Severity CVEs
Werkzeug==2.0.0 # CVE-2023-25577 (Security bypass) - MEDIUM 5.3
cryptography==3.3.1 # CVE-2023-23931 (Cipher weakness) - MEDIUM 6.5
certifi==2021.5.30 # CVE-2022-23491 (Certificate validation) - MEDIUM 6.8
# Additional vulnerable dependencies for comprehensive testing
# NOTE(review): conflicts with PyYAML==5.3.1 above (same distribution, different pin).
pyyaml==5.0 # CVE-2016-7401 (Unsafe load vulnerability) - CRITICAL
urllib3==1.26.4 # CVE-2021-33503 (Header injection) - HIGH 7.5
httplib2==0.19.0 # CVE-2021-21240 (CRLF injection) - MEDIUM 6.5
pycryptodome==3.9.0 # CVE-2022-48422 (Side-channel attack) - MEDIUM 5.9
# NOTE(review): conflicts with setuptools==56.0.0 in the LOW section below.
setuptools==49.0.0 # CVE-2022-40897 (ReDoS vulnerability) - HIGH 7.5
wheel==0.37.0 # CVE-2022-40898 (Path traversal) - HIGH 7.5
pip==21.0.1 # CVE-2021-3572 (Incorrect permission) - MEDIUM 5.7
SQLAlchemy==1.3.0 # CVE-2019-7164 (SQL injection) - HIGH 8.1
Twisted==21.2.0 # CVE-2022-21716 (SSH security) - CRITICAL 9.8
numpy==1.19.0 # CVE-2021-41495 (Buffer overflow) - HIGH 7.5
scipy==1.4.1 # CVE-2020-21658 (Memory corruption) - HIGH 7.5
pandas==1.0.0 # CVE-2020-13091 (Code execution) - CRITICAL 9.8
pymongo==3.11.0 # CVE-2021-32837 (Injection) - HIGH 8.1
redis==3.5.3 # CVE-2021-32677 (Integer overflow) - HIGH 7.5
celery==4.4.0 # CVE-2021-23727 (Command injection) - CRITICAL 9.8
aiohttp==3.7.3 # CVE-2021-21330 (Open redirect) - MEDIUM 6.1
tornado==6.0.3 # CVE-2021-46829 (Open redirect) - MEDIUM 6.1
bottle==0.12.18 # CVE-2020-28473 (Path traversal) - HIGH 7.5
cherrypy==18.6.0 # CVE-2020-11768 (XSS) - MEDIUM 6.1
# NOTE(review): the cited id is the same one given for lxml above, and the
# comment itself attributes the issue to lxml; a scanner that matches
# advisories by package name will likely not report it for beautifulsoup4.
beautifulsoup4==4.9.0 # CVE-2021-43818 (XXE via lxml) - HIGH 7.1
scrapy==2.4.0 # CVE-2022-0577 (XSS) - MEDIUM 6.1
nltk==3.5 # CVE-2021-3828 (Path traversal) - HIGH 7.5
opencv-python==4.5.1.48 # CVE-2021-41129 (Buffer overflow) - HIGH 7.5
tensorflow==2.4.0 # CVE-2021-29618 (Division by zero) - MEDIUM 5.5
keras==2.4.3 # Depends on vulnerable TensorFlow
scikit-learn==0.24.0 # CVE-2020-28975 (Memory corruption) - MEDIUM 5.5
matplotlib==3.3.2 # CVE-2021-30110 (Code execution) - HIGH 8.8
seaborn==0.11.0 # Depends on vulnerable matplotlib
PyJWT==1.7.1 # CVE-2022-29217 (Key confusion) - HIGH 7.5
# NOTE(review): same id as the PyJWT entry above, and the comment attributes
# the issue to PyJWT; a name-keyed scanner will likely not flag python-jose.
python-jose==3.2.0 # CVE-2022-29217 (Key confusion via PyJWT) - HIGH 7.5
passlib==1.7.2 # CVE-2020-10735 (Integer overflow) - HIGH 7.5
bcrypt==3.1.7 # CVE-2022-4886 (Hash collision) - MEDIUM 5.9
pycrypto==2.6.1 # CVE-2013-7459 (Weak random) - CRITICAL 9.8
ecdsa==0.14 # CVE-2019-14853 (Signature malleability) - HIGH 7.4
pyOpenSSL==19.1.0 # CVE-2020-25659 (Certificate validation) - HIGH 7.5
ldap3==2.8.0 # CVE-2021-39862 (LDAP injection) - HIGH 8.1
defusedxml==0.6.0 # No known CVEs but older version
python-multipart==0.0.5 # CVE-2023-49438 (DoS) - HIGH 7.5
# Additional dependencies for CodeQL testing
# NOTE(review): PyJWT, pymongo and pycryptodome below repeat pins already made
# above with the same version; pip merges them, scanners may count them twice.
python-ldap==3.3.1 # CVE-2021-46823 (LDAP injection) - HIGH 7.5
PyJWT==1.7.1 # CVE-2022-29217 (Key confusion) - HIGH 7.5
pymongo==3.11.0 # CVE-2021-32837 (Injection) - HIGH 8.1
jsonpickle==1.4.1 # CVE-2020-22083 (Unsafe deserialization) - CRITICAL 9.8
pycryptodome==3.9.0 # CVE-2022-48422 (Side-channel attack) - MEDIUM 5.9
python-memcached==1.59 # CVE-2020-8840 (Injection) - HIGH 8.1
# LOW Severity CVEs
# NOTE(review): urllib3==1.26.4 / CVE-2021-33503 already appears above labelled
# HIGH 7.5; the same id is labelled LOW 5.9 here (same version, so pip merges it).
urllib3==1.26.4 # CVE-2021-33503 (Catastrophic backtracking) - LOW 5.9
# NOTE(review): conflicts with setuptools==49.0.0 above, so pip cannot install
# this file as written; CVE-2022-40897 is labelled HIGH 7.5 there and LOW 5.9 here.
setuptools==56.0.0 # CVE-2022-40897 (ReDoS) - LOW 5.9