https
GET
api.github.com
None
/advisories?ecosystem=pub
{'Authorization': 'Basic login_and_password_removed', 'User-Agent': 'PyGithub/Python'}
None
200
[('Server', 'GitHub.com'), ('Date', 'Fri, 28 Jul 2023 18:54:41 GMT'), ('Content-Type', 'application/json; charset=utf-8'), ('Transfer-Encoding', 'chunked'), ('Cache-Control', 'private, max-age=60, s-maxage=60'), ('Vary', 'Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding, Accept, X-Requested-With'), ('ETag', 'W/"fba15b10069bf266cb749c09bebad4b04d4ef2c045da2a75019118a6bb4ee964"'), ('Last-Modified', 'Fri, 31 Mar 2023 05:06:53 GMT'), ('X-OAuth-Scopes', 'gist, read:org, repo'), ('X-Accepted-OAuth-Scopes', ''), ('github-authentication-token-expiration', '2023-08-25 20:47:49 UTC'), ('X-GitHub-Media-Type', 'github.v3; format=json'), ('x-github-api-version-selected', '2022-11-28'), ('X-RateLimit-Limit', '5000'), ('X-RateLimit-Remaining', '4999'), ('X-RateLimit-Reset', '1690574081'), ('X-RateLimit-Used', '1'), ('X-RateLimit-Resource', 'core'), ('Access-Control-Expose-Headers', 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset'), ('Access-Control-Allow-Origin', '*'), ('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload'), ('X-Frame-Options', 'deny'), ('X-Content-Type-Options', 'nosniff'), ('X-XSS-Protection', '0'), ('Referrer-Policy', 'origin-when-cross-origin, strict-origin-when-cross-origin'), ('Content-Security-Policy', "default-src 'none'"), ('Content-Encoding', 'gzip'), ('X-GitHub-Request-Id', 'B1CE:21EC:825434:1075227:64C40EF1')]
[{"ghsa_id":"GHSA-9324-jv53-9cc8","cve_id":"CVE-2021-31402","url":"https://api.github.com/advisories/GHSA-9324-jv53-9cc8","html_url":"https://github.com/advisories/GHSA-9324-jv53-9cc8","summary":"dio vulnerable to CRLF injection with HTTP method string","description":"### Impact\nThe dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.\n\n### Patches\nThe vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.\n\n### Workarounds\nCherry-pick the commit to your own fork can resolves the vulberability too.\n\n### References\n- https://nvd.nist.gov/vuln/detail/CVE-2021-31402\n- https://osv.dev/GHSA-jwpw-q68h-r678\n- https://github.com/cfug/dio/issues/1130\n- https://github.com/cfug/dio/issues/1752\n","type":"reviewed","severity":"high","repository_advisory_url":"https://api.github.com/repos/cfug/dio/security-advisories/GHSA-9324-jv53-9cc8","source_code_location":"https://github.com/cfug/dio","identifiers":[{"value":"GHSA-9324-jv53-9cc8","type":"GHSA"},{"value":"CVE-2021-31402","type":"CVE"}],"references":["https://github.com/cfug/dio/security/advisories/GHSA-9324-jv53-9cc8","https://nvd.nist.gov/vuln/detail/CVE-2021-31402","https://github.com/cfug/dio/issues/1752","https://github.com/flutterchina/dio/issues/1130","https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984","https://osv.dev/GHSA-jwpw-q68h-r678","https://github.com/advisories/GHSA-9324-jv53-9cc8"],"published_at":"2023-03-21T22:41:11Z","updated_at":"2023-03-22T01:39:28Z","github_reviewed_at":"2023-03-21T22:41:11Z","nvd_published_at":null,"withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pub","name":"dio"},"vulnerable_version_range":"< 5.0.0","first_patched_version":"5.0.0","vulnerable_functions":[]}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"},{"cwe_id":"CWE-88","name":"Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"},{"cwe_id":"CWE-93","name":"Improper Neutralization of CRLF Sequences ('CRLF Injection')"}],"credits":[{"user":{"login":"licy183","id":45286352,"node_id":"MDQ6VXNlcjQ1Mjg2MzUy","avatar_url":"https://avatars.githubusercontent.com/u/45286352?v=4","gravatar_id":"","url":"https://api.github.com/users/licy183","html_url":"https://github.com/licy183","followers_url":"https://api.github.com/users/licy183/followers","following_url":"https://api.github.com/users/licy183/following{/other_user}","gists_url":"https://api.github.com/users/licy183/gists{/gist_id}","starred_url":"https://api.github.com/users/licy183/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/licy183/subscriptions","organizations_url":"https://api.github.com/users/licy183/orgs","repos_url":"https://api.github.com/users/licy183/repos","events_url":"https://api.github.com/users/licy183/events{/privacy}","received_events_url":"https://api.github.com/users/licy183/received_events","type":"User","site_admin":false},"type":"reporter"},{"user":{"login":"AlexV525","id":15884415,"node_id":"MDQ6VXNlcjE1ODg0NDE1","avatar_url":"https://avatars.githubusercontent.com/u/15884415?v=4","gravatar_id":"","url":"https://api.github.com/users/AlexV525","html_url":"https://github.com/AlexV525","followers_url":"https://api.github.com/users/AlexV525/followers","following_url":"https://api.github.com/users/AlexV525/following{/other_user}","gists_url":"https://api.github.com/users/AlexV525/gists{/gist_id}","starred_url":"https://api.github.com/users/AlexV525/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/AlexV525/subscriptions","organizations_url":"https://api.github.com/users/AlexV525/orgs","repos_url":"https://api.github.com/users/AlexV525/repos","events_url":"https://api.github.com/users/AlexV525/events{/privacy}","received_events_url":"https://api.github.com/users/AlexV525/received_events","type":"User","site_admin":false},"type":"remediation_developer"},{"user":{"login":"set0x","id":15133015,"node_id":"MDQ6VXNlcjE1MTMzMDE1","avatar_url":"https://avatars.githubusercontent.com/u/15133015?v=4","gravatar_id":"","url":"https://api.github.com/users/set0x","html_url":"https://github.com/set0x","followers_url":"https://api.github.com/users/set0x/followers","following_url":"https://api.github.com/users/set0x/following{/other_user}","gists_url":"https://api.github.com/users/set0x/gists{/gist_id}","starred_url":"https://api.github.com/users/set0x/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/set0x/subscriptions","organizations_url":"https://api.github.com/users/set0x/orgs","repos_url":"https://api.github.com/users/set0x/repos","events_url":"https://api.github.com/users/set0x/events{/privacy}","received_events_url":"https://api.github.com/users/set0x/received_events","type":"User","site_admin":false},"type":"reporter"}]},{"ghsa_id":"GHSA-9f2c-xxfm-32mj","cve_id":null,"url":"https://api.github.com/advisories/GHSA-9f2c-xxfm-32mj","html_url":"https://github.com/advisories/GHSA-9f2c-xxfm-32mj","summary":"Duplicate of GHSA-4xh4-v2pq-jvhm","description":"## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of [GHSA-4xh4-v2pq-jvhm](https://github.com/advisories/GHSA-4xh4-v2pq-jvhm). This link is maintained to preserve external references.\n\n## Original Description\n\nThe personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression.","type":"reviewed","severity":"low","repository_advisory_url":null,"source_code_location":"","identifiers":[{"value":"GHSA-9f2c-xxfm-32mj","type":"GHSA"}],"references":["https://github.com/personnummer/dart/security/advisories/GHSA-4xh4-v2pq-jvhm","https://nvd.nist.gov/vuln/detail/CVE-2023-22963","https://github.com/advisories/GHSA-4xh4-v2pq-jvhm","https://github.com/advisories/GHSA-9f2c-xxfm-32mj"],"published_at":"2023-01-11T06:30:20Z","updated_at":"2023-01-27T05:03:48Z","github_reviewed_at":"2023-01-11T18:58:40Z","nvd_published_at":"2023-01-11T06:15:00Z","withdrawn_at":"2023-01-11T18:58:40Z","vulnerabilities":[{"package":{"ecosystem":"pub","name":"personnummer"},"vulnerable_version_range":"< 3.0.3","first_patched_version":"3.0.3","vulnerable_functions":[]}],"cvss":{"vector_string":null,"score":null},"cwes":[],"credits":[]},{"ghsa_id":"GHSA-4xh4-v2pq-jvhm","cve_id":"CVE-2023-22963","url":"https://api.github.com/advisories/GHSA-4xh4-v2pq-jvhm","html_url":"https://github.com/advisories/GHSA-4xh4-v2pq-jvhm","summary":"personnummer/dart vulnerable to Improper Input Validation","description":"This vulnerability was reported to the personnummer team in June 2020. The slow response was due to locked ownership of some of the affected packages, which caused delays to update packages prior to disclosure.\n\nThe vulnerability is determined to be low severity.\n\n### Impact\n\nThis vulnerability impacts users who rely on the for last digits of personnummer to be a _real_ personnummer.  \n\n### Patches\n\nThe issue have been patched in all repositories. The following versions should be updated to as soon as possible:\n\n[C#](https://github.com/advisories/GHSA-qv8q-v995-72gr) 3.0.2  \nD 3.0.1  \n[Dart](https://github.com/advisories/GHSA-4xh4-v2pq-jvhm) 3.0.3  \nElixir 3.0.0  \n[Go](https://github.com/advisories/GHSA-hv53-vf5m-8q94) 3.0.1  \n[Java](https://github.com/advisories/GHSA-q3vw-4jx3-rrr2) 3.3.0  \n[JavaScript](https://github.com/advisories/GHSA-vpgc-7h78-gx8f) 3.1.0  \nKotlin 1.1.0  \nLua 3.0.1  \n[PHP](https://github.com/advisories/GHSA-2p6g-gjp8-ggg9) 3.0.2  \nPerl 3.0.0  \n[Python](https://github.com/advisories/GHSA-rxq3-5249-8hgg) 3.0.2  \n[Ruby](https://github.com/advisories/GHSA-vp9c-fpxx-744v) 3.0.1  \n[Rust](https://github.com/advisories/GHSA-28r9-pq4c-wp3c) 3.0.0  \nScala 3.0.1  \nSwift 1.0.1  \n\nIf you are using any of the earlier packages, please update to latest.\n\n### Workarounds\n\nThe issue arrieses from the regular expression allowing the first three digits in the last four digits of the personnummer to be\n000, which is invalid. To mitigate this without upgrading, a check on the last four digits can be made to make sure it's not\n000x.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Personnummer Meta](https://github.com/personnummer/meta/issues)\n* Email us at [Personnummer Email](mailto:security@personnummer.dev)","type":"reviewed","severity":"low","repository_advisory_url":"https://api.github.com/repos/personnummer/dart/security-advisories/GHSA-4xh4-v2pq-jvhm","source_code_location":"https://github.com/personnummer/dart","identifiers":[{"value":"GHSA-4xh4-v2pq-jvhm","type":"GHSA"},{"value":"CVE-2023-22963","type":"CVE"}],"references":["https://github.com/personnummer/dart/security/advisories/GHSA-4xh4-v2pq-jvhm","https://pub.dev/packages/personnummer","https://nvd.nist.gov/vuln/detail/CVE-2023-22963","https://github.com/advisories/GHSA-4xh4-v2pq-jvhm"],"published_at":"2022-09-19T22:47:29Z","updated_at":"2023-01-11T18:59:11Z","github_reviewed_at":"2022-09-19T22:47:29Z","nvd_published_at":null,"withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pub","name":"personnummer"},"vulnerable_version_range":"< 3.0.3","first_patched_version":"3.0.3","vulnerable_functions":[]}],"cvss":{"vector_string":null,"score":null},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"}],"credits":[]},{"ghsa_id":"GHSA-jwpw-q68h-r678","cve_id":null,"url":"https://api.github.com/advisories/GHSA-jwpw-q68h-r678","html_url":"https://github.com/advisories/GHSA-jwpw-q68h-r678","summary":"Improper Neutralization of CRLF Sequences in dio","description":"The dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.","type":"reviewed","severity":"high","repository_advisory_url":null,"source_code_location":"https://github.com/cfug/dio","identifiers":[{"value":"GHSA-jwpw-q68h-r678","type":"GHSA"}],"references":["https://nvd.nist.gov/vuln/detail/CVE-2021-31402","https://github.com/cfug/dio/issues/1130","https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984","https://osv.dev/GHSA-jwpw-q68h-r678","https://github.com/advisories/GHSA-jwpw-q68h-r678"],"published_at":"2022-05-24T17:47:44Z","updated_at":"2023-03-31T05:06:53Z","github_reviewed_at":"2022-09-15T03:27:03Z","nvd_published_at":"2021-04-15T19:15:00Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pub","name":"dio"},"vulnerable_version_range":"< 5.0.0","first_patched_version":"5.0.0","vulnerable_functions":[]}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"},{"cwe_id":"CWE-88","name":"Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"},{"cwe_id":"CWE-93","name":"Improper Neutralization of CRLF Sequences ('CRLF Injection')"}],"credits":[{"user":{"login":"AlexV525","id":15884415,"node_id":"MDQ6VXNlcjE1ODg0NDE1","avatar_url":"https://avatars.githubusercontent.com/u/15884415?v=4","gravatar_id":"","url":"https://api.github.com/users/AlexV525","html_url":"https://github.com/AlexV525","followers_url":"https://api.github.com/users/AlexV525/followers","following_url":"https://api.github.com/users/AlexV525/following{/other_user}","gists_url":"https://api.github.com/users/AlexV525/gists{/gist_id}","starred_url":"https://api.github.com/users/AlexV525/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/AlexV525/subscriptions","organizations_url":"https://api.github.com/users/AlexV525/orgs","repos_url":"https://api.github.com/users/AlexV525/repos","events_url":"https://api.github.com/users/AlexV525/events{/privacy}","received_events_url":"https://api.github.com/users/AlexV525/received_events","type":"User","site_admin":false},"type":"analyst"}]},{"ghsa_id":"GHSA-4rgh-jx4f-qfcq","cve_id":"CVE-2020-35669","url":"https://api.github.com/advisories/GHSA-4rgh-jx4f-qfcq","html_url":"https://github.com/advisories/GHSA-4rgh-jx4f-qfcq","summary":"http before 0.13.3 vulnerable to header injection","description":"An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating request methods.","type":"reviewed","severity":"medium","repository_advisory_url":null,"source_code_location":"https://github.com/dart-lang/http","identifiers":[{"value":"GHSA-4rgh-jx4f-qfcq","type":"GHSA"},{"value":"CVE-2020-35669","type":"CVE"}],"references":["https://nvd.nist.gov/vuln/detail/CVE-2020-35669","https://github.com/dart-lang/http/issues/511","https://github.com/dart-lang/http/blob/master/CHANGELOG.md#0133","https://github.com/dart-lang/http/pull/512","https://github.com/dart-lang/http/commit/abb2bb182fbd7f03aafd1f889b902d7b3bdb8769","https://pub.dev/packages/http/changelog#0133","https://github.com/advisories/GHSA-4rgh-jx4f-qfcq"],"published_at":"2022-05-24T17:37:16Z","updated_at":"2023-01-27T05:03:00Z","github_reviewed_at":"2022-08-04T21:05:04Z","nvd_published_at":"2020-12-24T03:15:00Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pub","name":"http"},"vulnerable_version_range":"< 0.13.3","first_patched_version":"0.13.3","vulnerable_functions":[]}],"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","score":6.1},"cwes":[{"cwe_id":"CWE-74","name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}],"credits":[]}]