Security Alert: CVE-2024-6345 Vulnerability in `setuptools` Dependency
While scanning our project's dependencies, we identified a critical security vulnerability, CVE-2024-6345, in setuptools, a package that ormar depends on. This vulnerability is a path traversal issue in the PackageIndex component of setuptools and was fixed in version 78.1.1.
Vulnerability Details
- CVE ID: CVE-2024-6345
- CVSS Score: 7.7 (High)
- Description: This vulnerability could allow an attacker to access or overwrite arbitrary files on the server.
- Further Details: Huntr Bounty Report
The Dependency Issue
ormar requires a vulnerable version of setuptools, which prevents us from upgrading to a secure version in our project. This dependency constraint exposes our application to the potential security risks associated with this CVE.
The current output from poetry is as follows:
```
poetry show setuptools
name : setuptools
version : 75.9.1
description : Easily download, build, install, upgrade, and uninstall Python packages
required by
- ormar >=75.1.0,<76.0.0
```
Proposed Solution
We kindly request that the setuptools dependency in ormar be updated to a secure version, 78.1.1 or higher. This update would ensure that all projects relying on ormar remain secure.
Versions
Database backend used: mysql 8
Python version: 3.12.3
ormar version: 0.20.2
pydantic version: 2.8.2
fastapi version: 0.115.14
Additional Context
The CVE was publicly disclosed on July 15, 2024, and a patch has been available since then. An immediate update is crucial to mitigate the risk.
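A small dependency-range audit, added here as an example (it is not ormar's code and not part of the issue): fed the `poetry show` output above and the release the issue names as fixed, it reports whether the resolved pin is below the fix and whether the `>=75.1.0,<76.0.0` range itself rules out every patched release, which is the situation the issue describes. The function names and the hand-rolled PEP 440 subset are assumptions of this example; it handles plain X.Y.Z versions and the six comparison operators only.

```python
"""Added example (not ormar's or the issue author's code): check whether a
dependency's version range admits a patched release. Small PEP 440 subset
(X.Y.Z versions; operators >=, >, <=, <, ==, !=), no `packaging` needed."""
import re

# Constructed inputs copied from the `poetry show` output and the issue body.
ORMAR_CONSTRAINT = ">=75.1.0,<76.0.0"
INSTALLED = "75.9.1"
FIRST_FIXED = "78.1.1"

_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")
_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_version(text):
    """'75.9.1' -> (75, 9, 1); shorter versions are zero-padded to 3 parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def parse_constraint(constraint):
    """'>=75.1.0,<76.0.0' -> [('>=', (75, 1, 0)), ('<', (76, 0, 0))]."""
    clauses = []
    for raw in constraint.split(","):
        m = _CLAUSE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses

def satisfies(version, constraint):
    """True if `version` meets every clause of `constraint`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_constraint(constraint))

def admits_patched(constraint, first_fixed):
    """True if some release >= first_fixed fits the range. Only <, <= and ==
    clauses cap a range from above; >=, > and != never exclude all fixes."""
    fixed = parse_version(first_fixed)
    for op, bound in parse_constraint(constraint):
        if (op == "<" and bound <= fixed) or (op in ("<=", "==") and bound < fixed):
            return False
    return True

def audit(installed=INSTALLED, constraint=ORMAR_CONSTRAINT, first_fixed=FIRST_FIXED):
    """Is the resolved pin below the fix, and does the range block upgrading?"""
    vulnerable = parse_version(installed) < parse_version(first_fixed)
    return {"vulnerable": vulnerable,
            "pin_allowed_by_constraint": satisfies(installed, constraint),
            "constraint_blocks_fix": vulnerable and not admits_patched(constraint, first_fixed)}
```

Run `audit()` with the defaults to reproduce the issue's situation; a `constraint_blocks_fix` of `True` means no `poetry update setuptools` in a downstream project can reach the patched release until the upstream range is widened.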
I have the same issue. @collerek could you take a look at this, please?
Is setuptools even necessary to have in the package dependencies?
IMO this should be in the dev deps so we don't have to install setuptools when we install the library.