Package details: pkg:rpm/redhat/automation-controller@4.5.5-2?arch=el8ap
purl: pkg:rpm/redhat/automation-controller@4.5.5-2?arch=el8ap
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 10.0
Vulnerabilities affecting this package (9)
(Columns: Vulnerability | Summary | Fixed by)
VCID-43fr-z5nf-cqax
Aliases: CVE-2023-41040, GHSA-cwvm-v4w8-q58c, PYSEC-2023-165
Summary: GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory; in some places the name of the file being read is provided by the user, and GitPython doesn't check whether this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user-given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.
Fixed by: no reported fixed-by versions.
VCID-48jq-1u5d-tkan
Aliases: CVE-2023-49083, GHSA-jfhm-5ghh-2f97, PYSEC-2023-254
Summary: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Fixed by: no reported fixed-by versions.
VCID-7rdk-mw2k-eqdx
Aliases: CVE-2023-45857, GHSA-wf5p-g6vw-rhxx
Summary: Axios Cross-Site Request Forgery Vulnerability. An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
Fixed by: no reported fixed-by versions.
VCID-8xgs-8xjr-cber
Aliases: BIT-django-2024-24680, CVE-2024-24680, GHSA-xxj9-f6rv-m3x4, PYSEC-2024-28
Summary: An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Fixed by: no reported fixed-by versions.
VCID-jxqg-x9dh-z3hb
Aliases: CVE-2024-23829, GHSA-8qpw-xqxj-h4r2, PYSEC-2024-26
Summary: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, which must trigger error handling to robustly match the frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with the processing of other malformed input. Being more lenient than internet standards require could, depending on the deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
Fixed by: no reported fixed-by versions.
VCID-np94-ghhk-nug4
Aliases: CVE-2024-22195, GHSA-h5c8-rqwp-cp95
Summary: Jinja vulnerable to HTML attribute injection when passing user input as keys to the xmlattr filter. The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each space-separated part would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.
Fixed by: no reported fixed-by versions.
VCID-pmr9-w1fc-93cm
Aliases: CVE-2023-47627, GHSA-gfw2-4jvh-wgfg, PYSEC-2023-246
Summary: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or when not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89`, which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
Fixed by: no reported fixed-by versions.
VCID-pqus-ew4j-k7da
Aliases: CVE-2024-23334, GHSA-5h86-8mv2-jq9f, PYSEC-2024-24
Summary: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Fixed by: no reported fixed-by versions.
VCID-y7f5-9nmg-w7b3
Aliases: CVE-2023-46137, GHSA-xc8x-vp79-p3wm, PYSEC-2023-224
Summary: Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launches two requests using HTTP pipelining. Version 23.10.0rc1 contains a patch for this issue.
Fixed by: no reported fixed-by versions.
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-01T13:52:51.156501+00:00 | RedHat Importer | Affected by | VCID-43fr-z5nf-cqax | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41040.json | 38.0.0
2026-04-01T13:51:19.738135+00:00 | RedHat Importer | Affected by | VCID-y7f5-9nmg-w7b3 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46137.json | 38.0.0
2026-04-01T13:51:15.406322+00:00 | RedHat Importer | Affected by | VCID-7rdk-mw2k-eqdx | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45857.json | 38.0.0
2026-04-01T13:51:11.407066+00:00 | RedHat Importer | Affected by | VCID-pmr9-w1fc-93cm | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-47627.json | 38.0.0
2026-04-01T13:51:04.418471+00:00 | RedHat Importer | Affected by | VCID-48jq-1u5d-tkan | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49083.json | 38.0.0
2026-04-01T13:50:27.571491+00:00 | RedHat Importer | Affected by | VCID-np94-ghhk-nug4 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22195.json | 38.0.0
2026-04-01T13:50:02.855833+00:00 | RedHat Importer | Affected by | VCID-jxqg-x9dh-z3hb | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23829.json | 38.0.0
2026-04-01T13:50:02.701730+00:00 | RedHat Importer | Affected by | VCID-pqus-ew4j-k7da | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23334.json | 38.0.0
2026-04-01T13:49:59.388781+00:00 | RedHat Importer | Affected by | VCID-8xgs-8xjr-cber | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json | 38.0.0