
[INFO] What is the status of PVE-2021-40962? #1695

Closed
dmaljovec opened this issue Aug 4, 2021 · 7 comments

Comments

@dmaljovec

It looks like the latest pyup.io safety-db is listing anything less than the yet unreleased version 2.2.0 of dash as a security vulnerability:

.
.
.
```json
    "dash": [
        {
            "advisory": "Dash 1.20.0 starts to validate callback request 'outputs' vs. 'output' to avoid a perceived security issue.",
            "cve": "PVE-2021-40183",
            "id": "pyup.io-40183",
            "specs": [
                "<1.20.0"
            ],
            "v": "<1.20.0"
        },
        {
            "advisory": "Dash 2.2.0 includes a security fix.",
            "cve": "PVE-2021-40962",
            "id": "pyup.io-40962",
            "specs": [
                "<2.2.0"
            ],
            "v": "<2.2.0"
        }
    ],
```
.
.
.

As this is both a major version and two minor versions off of the current latest release, I was wondering if someone could comment on the veracity of this entry? Also, if there are any more details about what the security fix entails so we can evaluate risk on our own end, that would be great.

Thanks!
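To see how wide the `<2.2.0` range in the second entry is, here is a small spec matcher, added here and not part of this thread, of safety-db or of the safety tool, that evaluates the `specs` of the two entries above against a given version string. It assumes plain dotted numeric versions (no pre-release tags) and the `<`, `<=`, `>`, `>=`, `==`, `!=` operators that these entries use.

```python
import re

# Constructed from the two safety-db entries quoted in the thread.
SAFETY_DB_DASH = [
    {"id": "pyup.io-40183", "cve": "PVE-2021-40183", "specs": ["<1.20.0"]},
    {"id": "pyup.io-40962", "cve": "PVE-2021-40962", "specs": ["<2.2.0"]},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")

def parse_version(text):
    """Turn '1.21.0' into (1, 21, 0); only plain dotted numerics are supported."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def _pad(a, b):
    """Right-pad with zeros so that '2' and '2.0.0' compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def version_matches_spec(version, spec):
    """True if `version` satisfies every comma-separated clause of `spec` (e.g. '>=1.0,<1.20.0')."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        left, right = _pad(v, parse_version(bound))
        if not _OPS[op](left, right):
            return False
    return True

def matching_advisories(version, db=SAFETY_DB_DASH):
    """Return the ids of every advisory whose specs cover `version`."""
    return [entry["id"] for entry in db
            if any(version_matches_spec(version, s) for s in entry["specs"])]

if __name__ == "__main__":
    # Every Dash release that existed when this issue was opened is below 2.2.0.
    for v in ("1.19.0", "1.21.0", "2.0.0", "2.2.0"):
        print(v, matching_advisories(v))
```

Running it shows that 1.21.0, the release that actually carries the plotly.js XSS patch, is still reported by `pyup.io-40962`, which is what a consumer of the database sees as a false positive.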

@alexcjohnson
Collaborator

Thanks for mentioning this @dmaljovec - looks like a mistake to me, we're currently working on Dash 2.0 but it has no security fixes and there are certainly no plans as yet about 2.1 let alone 2.2

The only thing I can think of that this might have been based on is plotly.js 2.2.1 https://github.com/plotly/plotly.js/blob/master/CHANGELOG.md#221----2021-07-06 which includes an XSS patch and is included in Dash 1.21 https://github.com/plotly/dash/blob/dev/CHANGELOG.md#updated

I'm not familiar with the pyup.io safety-db - where does this draw its information from?

@alexcjohnson
Collaborator

I've reached out to support@pyup.io for assistance with this.

@dmaljovec
Author

> The only thing I can think of that this might have been based on is plotly.js 2.2.1 https://github.com/plotly/plotly.js/blob/master/CHANGELOG.md#221----2021-07-06 which includes an XSS patch and is included in Dash 1.21 https://github.com/plotly/dash/blob/dev/CHANGELOG.md#updated

Yeah, this seems like a misunderstanding for whoever made or requested this entry into the database.

> I'm not familiar with the pyup.io safety-db - where does this draw its information from?

For more information, this is the tidbit from the README:

> Safety DB is a database of known security vulnerabilities in Python packages. The data is made available by pyup.io and synced with this repository once per month. Most of the entries are found by filtering CVEs and changelogs for certain keywords and then manually reviewing them.

This makes it sound like a human has to review it. Unfortunately, the git history is not super informative for the changes to dash (see this commit: pyupio/safety-db@045d50e), and I don't know much about their internal process 🤷 .

I will say that another package we use frequently for development (coverage) also had a false positive in the latest update of the database. The pyup team seemed pretty accommodating in that case: pyupio/safety-db#2335 (comment).

@alexcjohnson
Collaborator

OK thanks - I've filed pyupio/safety-db#2336

@sudburyrob

cc: @sudburyrob

@yeisonvargasf

@dmaljovec our bot commits monthly updates of vulnerabilities already reviewed by our security team; sometimes there are false positives. This correction will show up for our paid users immediately, and not until September 1st for our users without a paid subscription.

@alexcjohnson
Collaborator

Thanks @yeisonvargasf - and thanks again @dmaljovec for bringing this to our attention. Closing as resolved.

4 participants