nltk-3.6.5-py3-none-any.whl: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - nltk-3.6.5-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/aa/b8/09ac15436591cefc0adc882798d5cf629f13addae0495b20b682219e3afe/nltk-3.6.5-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /ai/requirements.txt

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (nltk version)	Remediation Possible**
CVE-2021-43854	High	7.5	nltk-3.6.5-py3-none-any.whl	Direct	3.6.6	❌
CVE-2021-3842	High	7.5	nltk-3.6.5-py3-none-any.whl	Direct	3.6.6	❌
WS-2022-0437	Medium	6.1	nltk-3.6.5-py3-none-any.whl	Direct	3.8.1	❌
WS-2022-0438	Medium	5.0	nltk-3.6.5-py3-none-any.whl	Direct	3.8.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-43854

Vulnerable Library - nltk-3.6.5-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/aa/b8/09ac15436591cefc0adc882798d5cf629f13addae0495b20b682219e3afe/nltk-3.6.5-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /ai/requirements.txt

Dependency Hierarchy:

• ❌ nltk-3.6.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

Publish Date: 2021-12-23

URL: CVE-2021-43854

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854

Release Date: 2021-12-23

Fix Resolution: 3.6.6

Step up your Open Source Security Game with Mend here

CVE-2021-3842

Vulnerable Library - nltk-3.6.5-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/aa/b8/09ac15436591cefc0adc882798d5cf629f13addae0495b20b682219e3afe/nltk-3.6.5-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /ai/requirements.txt

Dependency Hierarchy:

• ❌ nltk-3.6.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2022-01-04

URL: CVE-2021-3842

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f8m6-h2c7-8h9x

Release Date: 2022-01-04

Fix Resolution: 3.6.6

Step up your Open Source Security Game with Mend here

WS-2022-0437

Vulnerable Library - nltk-3.6.5-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/aa/b8/09ac15436591cefc0adc882798d5cf629f13addae0495b20b682219e3afe/nltk-3.6.5-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /ai/requirements.txt

Dependency Hierarchy:

• ❌ nltk-3.6.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

In nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss.

Publish Date: 2022-12-23

URL: WS-2022-0437

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/

Release Date: 2022-12-23

Fix Resolution: 3.8.1

Step up your Open Source Security Game with Mend here

WS-2022-0438

Vulnerable Library - nltk-3.6.5-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/aa/b8/09ac15436591cefc0adc882798d5cf629f13addae0495b20b682219e3afe/nltk-3.6.5-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /ai/requirements.txt

Dependency Hierarchy:

• ❌ nltk-3.6.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

In nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link.

Publish Date: 2022-12-29

URL: WS-2022-0438

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/

Release Date: 2022-12-29

Fix Resolution: 3.8.1

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.