Lookup for vulnerable packages by Package URL.

purl: pkg:pypi/wandb@0.10.14
type: pypi
namespace: (none)
name: wandb
version: 0.10.14
qualifiers: (none)
subpath: (none)
is_vulnerable: true
next_non_vulnerable_version: null
latest_non_vulnerable_version: null
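The fields above are what a purl lookup returns for one package. The following is an added example, not VulnerableCode's own client and not code from this page: it parses a purl into the same type/namespace/name/version/qualifiers/subpath fields, builds a lookup URL for the instance named on this page, and reduces a returned record to the facts a triage needs (aliases, highest numeric CVSS, whether any fix is recorded). The `/api/packages/?purl=` query path is an assumption about the API, and `WANDB_RECORD` is a constructed fixture shaped after this page's entry, not a live response.

```python
"""Parse a Package URL and summarize a VulnerableCode package record.

Added example; not VulnerableCode's client code. The purl grammar follows the
public purl spec. WANDB_RECORD is a constructed fixture shaped after the page's
pkg:pypi/wandb@0.10.14 entry, trimmed to the fields the summary uses.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into fields."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:  # subpath is everything after the first '#'
        rest, sub = rest.split("#", 1)
        segs = [unquote(s) for s in sub.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    qualifiers = {}
    if "?" in rest:  # qualifiers are key=value pairs joined by '&'
        rest, qs = rest.split("?", 1)
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # a qualifier with an empty value is dropped
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:  # version follows the last '@'
        rest, ver = rest.rsplit("@", 1)
        version = unquote(ver)
    segs = [s for s in rest.strip("/").split("/") if s]
    if len(segs) < 2:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype = segs[0].lower()
    name = unquote(segs[-1])
    namespace = "/".join(unquote(s) for s in segs[1:-1]) or None
    if ptype == "pypi":  # pypi names are case-insensitive and '_' equals '-'
        name = name.lower().replace("_", "-")
    return PackageURL(ptype, namespace, name, version, qualifiers, subpath)


def lookup_url(base_url: str, purl: str) -> str:
    """Build the package lookup URL. The /api/packages/?purl= path is an assumption."""
    return f"{base_url.rstrip('/')}/api/packages/?purl={quote(purl, safe='')}"


# Constructed fixture mirroring the page's record (not a live API response).
WANDB_RECORD = {
    "purl": "pkg:pypi/wandb@0.10.14",
    "is_vulnerable": True,
    "next_non_vulnerable_version": None,
    "latest_non_vulnerable_version": None,
    "affected_by_vulnerabilities": [{
        "vulnerability_id": "VCID-pq6y-hvt3-ebbc",
        "aliases": ["CVE-2024-4642", "GHSA-cqh9-jfqr-h9jj"],
        "fixed_packages": [],
        "references": [
            {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4642",
             "scores": [{"value": "7.7", "scoring_system": "cvssv3.1"},
                        {"value": "HIGH", "scoring_system": "generic_textual"}]},
            {"reference_url": "https://github.com/advisories/GHSA-cqh9-jfqr-h9jj",
             "scores": [{"value": "HIGH", "scoring_system": "cvssv3.1_qr"}]},
        ],
    }],
}


def summarize_record(record: dict) -> dict:
    """Reduce a package record to the decisions a triage needs."""
    vulns = record.get("affected_by_vulnerabilities", [])
    aliases = sorted({a for v in vulns for a in v.get("aliases", [])})
    scores = []
    for v in vulns:
        for ref in v.get("references", []):
            for s in ref.get("scores", []):
                if s.get("scoring_system", "").startswith("cvssv3"):
                    try:
                        scores.append(float(s["value"]))
                    except (ValueError, TypeError):
                        pass  # qualitative ratings such as "HIGH" carry no number
    # null next/latest non-vulnerable version plus empty fixed_packages means
    # the database records no fix; it does not prove that none exists.
    fix_known = bool(record.get("next_non_vulnerable_version")
                     or record.get("latest_non_vulnerable_version")
                     or any(v.get("fixed_packages") for v in vulns))
    return {
        "is_vulnerable": bool(record.get("is_vulnerable")),
        "vulnerability_ids": [v["vulnerability_id"] for v in vulns],
        "aliases": aliases,
        "max_cvss": max(scores) if scores else None,
        "fix_known": fix_known,
    }
```

`summarize_record` deliberately treats a `null` fix version as "unknown", not "fixed", so a downstream policy that blocks on `fix_known is False` still reports the package rather than silently passing it.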
affected_by_vulnerabilities:
  [0]
    url: VCID-pq6y-hvt3-ebbc
    vulnerability_id: VCID-pq6y-hvt3-ebbc
    summary:
      Weights and Biases (wandb) has a Server-Side Request Forgery (SSRF) vulnerability.
      A Server-Side Request Forgery (SSRF) vulnerability exists in the wandb/wandb repository due to improper handling of HTTP 302 redirects. Team members with access to the 'User settings -> Webhooks' function can exploit it to reach internal HTTP(S) servers. In severe cases, for example on AWS instances, this could be abused to achieve remote code execution on the victim's machine. The advisory states that the vulnerability is present in the latest version of the repository.
    references (references 0 to 3 each carry the same two scores, listed once below):
      [0] reference_url: https://github.com/wandb/wandb
          reference_id: (none)
          reference_type: (none)
      [1] reference_url: https://github.com/wandb/wandb/blob/main/wandb/sdk/lib/import_hooks.py#L1
          reference_id: (none)
          reference_type: (none)
      [2] reference_url: https://huntr.com/bounties/055eb540-57f8-46d6-b858-3a9e22d347d9
          reference_id: (none)
          reference_type: (none)
      [3] reference_url: https://nvd.nist.gov/vuln/detail/CVE-2024-4642
          reference_id: CVE-2024-4642
          reference_type: (none)
      scores on references 0 to 3:
        value: 7.7, scoring_system: cvssv3.1, scoring_elements: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
        value: HIGH, scoring_system: generic_textual
      [4] reference_url: https://github.com/advisories/GHSA-cqh9-jfqr-h9jj
          reference_id: GHSA-cqh9-jfqr-h9jj
          reference_type: (none)
          scores:
            value: HIGH, scoring_system: cvssv3.1_qr (qualitative rating only; no vector string)
    fixed_packages: (none)
    aliases: CVE-2024-4642, GHSA-cqh9-jfqr-h9jj
    risk_score: 4.0
    exploitability: 0.5
    weighted_severity: 8.0
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-pq6y-hvt3-ebbc

fixing_vulnerabilities: (none)
risk_score: 4.0
resource_url: http://public2.vulnerablecode.io/packages/pkg:pypi/wandb@0.10.14

Notes on reading this record:

The numeric score is labelled scoring_system cvssv3.1, but the vector string itself begins with "CVSS:3.0". The same metric values yield 7.7 under either version's formula, so the score is not affected; the version label is simply inconsistent and should not be relied on.

next_non_vulnerable_version and latest_non_vulnerable_version are null, fixed_packages is empty and fixing_vulnerabilities is empty. That means VulnerableCode records no fixed version for wandb 0.10.14; it does not by itself establish that no fix exists. Check the GHSA and NVD entries above for a fixed version before deciding that an upgrade is unavailable.

The listed weighted_severity 8.0 and exploitability 0.5 multiply to the risk_score 4.0. The record shows no EPSS or KEV data, so the exploitability figure carries no evidence of observed exploitation either way.

The vulnerable operation is the outbound webhook request: a server-side check applied only to the URL the user entered is walked around by a 302 to an internal address, which is why the advisory singles out redirect handling.
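The advisory above describes an outbound webhook check that a 302 redirect walks around. The following is an added example, not wandb's code and not taken from the referenced repository: it shows the hardened shape, an allow-list check on scheme and on every resolved address that runs on the initial URL and again on each redirect hop via a `urllib` redirect handler. `offline_resolver`, the `OFFLINE_DNS` table and the hostnames in it are constructed so the example runs without network; `deliver_webhook` is the only function that actually connects.

```python
"""Redirect-aware SSRF guard for outbound webhook delivery.

Added example; not wandb's code. The vulnerable pattern is: validate the
user-supplied URL once, then let the HTTP client follow redirects unchecked.
The fix is to re-run the same target check on every Location header.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit


def system_resolver(host: str) -> list:
    """Resolve host to IP strings with the OS resolver (literal IPs pass through)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table so the example runs offline (hypothetical names).
OFFLINE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],           # a 302 to the cloud metadata address
    "dual.example.net": ["93.184.216.34", "10.0.0.5"],  # one public answer, one RFC1918 answer
}


def offline_resolver(host: str) -> list:
    if host in OFFLINE_DNS:
        return OFFLINE_DNS[host]
    try:
        ipaddress.ip_address(host)  # literal IPs resolve to themselves
        return [host]
    except ValueError:
        return []


def check_target(url: str, resolver=system_resolver) -> str:
    """Return url unchanged if it is safe to connect to, else raise ValueError.

    Rejects non-http(s) schemes, embedded credentials, and any hostname with an
    answer that is not globally routable: loopback, RFC1918, link-local (which
    covers 169.254.169.254), multicast, or IPv4-mapped IPv6 forms of those.
    Every answer must pass, not just the first one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host!r} does not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 payload
        if (not ip.is_global or ip.is_multicast or ip.is_loopback
                or ip.is_link_local or ip.is_private):
            raise ValueError(f"{host!r} resolves to non-routable {ip}")
    return url


def is_allowed(url: str, resolver=system_resolver) -> bool:
    """Predicate form of check_target."""
    try:
        check_target(url, resolver)
        return True
    except ValueError:
        return False


class GuardedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply check_target to every Location header before it is followed."""

    def __init__(self, resolver=system_resolver):
        super().__init__()
        self.resolver = resolver

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_target(newurl, self.resolver)  # raises before any connection to the hop
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redirect_target(from_url: str, to_url: str, resolver=system_resolver) -> str:
    """Feed a synthetic 302 to the handler and return the URL it would follow."""
    handler = GuardedRedirectHandler(resolver)
    req = urllib.request.Request(from_url)
    return handler.redirect_request(req, None, 302, "Found", {}, to_url).full_url


def deliver_webhook(url: str, payload: bytes, resolver=system_resolver, timeout=10):
    """POST payload to a user-supplied webhook URL with the check on every hop.

    The unsafe form is check_target(url) followed by urllib.request.urlopen(url):
    the default opener follows redirects without re-checking them.
    """
    check_target(url, resolver)
    opener = urllib.request.build_opener(GuardedRedirectHandler(resolver))
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()
```

Two caveats on this design. The check resolves the hostname and the HTTP client resolves it again when connecting, so a DNS rebinding attacker can still pass the check and then connect elsewhere; closing that gap means pinning the validated address at connect time, which this example does not do. And the redirect handler only protects the client that uses it; a webhook sender that goes through a separate fetcher, proxy, or SDK with its own redirect logic needs the same check there.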