Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/webargs@5.4.0

Type pypi

Namespace

Name webargs

Version 5.4.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.5.3

Latest_non_vulnerable_version 5.5.3

Affected_by_vulnerabilities

url VCID-11rq-guar-cudu

vulnerability_id VCID-11rq-guar-cudu

summary flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

references

reference_url	https://github.com/advisories/GHSA-fjq3-5pxw-4wj4
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-fjq3-5pxw-4wj4

reference_url	https://webargs.readthedocs.io/en/latest/changelog.html
reference_id
reference_type
scores
url	https://webargs.readthedocs.io/en/latest/changelog.html

fixed_packages

url	pkg:pypi/webargs@5.5.3
purl	pkg:pypi/webargs@5.5.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/webargs@5.5.3

aliases CVE-2020-7965, GHSA-fjq3-5pxw-4wj4, PYSEC-2020-156

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-11rq-guar-cudu

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/webargs@5.4.0

Package Instance