# Known vulnerabilities of dependencies

Cyber Sandbox Creator uses external dependencies. Some of these dependencies have known security vulnerabilities. Security vulnerabilities are discussed below for each release.
## v3.0

There are no known vulnerabilities in external dependencies.
## v1.1, v2.0
| Dependency | Vulnerability | Severity | First vulnerable version | Fixed in version |
| --- | --- | :---: | :---: | :---: |
| PyYAML | [Arbitrary Code Execution](https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151) | High | 0 | 5.4 |
| Jinja2 | [Regular Expression Denial of Service](https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994) | Medium | unknown | 2.11.3 |

## v1.0.1
| Dependency | Vulnerability | Severity | First vulnerable version | Fixed in version |
| --- | --- | :---: | :---: | :---: |
| PyYAML | [Arbitrary Code Execution](https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151) | High | 0 | 5.4 |

Notes:

- PyYAML is used for parsing internal configuration files and the `topology.yml`. Topology definition is the only external input for this module.

## v1.0.0 and older versions [^1]
| Dependency | Vulnerability | Severity | First vulnerable version | Fixed in version |
| --- | --- | :---: | :---: | :---: |
| PyYAML | [Arbitrary Code Execution](https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151) | High | 0 | 5.4 |
| PyYAML | [Improper Access Control](https://snyk.io/vuln/SNYK-PYTHON-PYYAML-550022) | High | 5.1 | 5.2 |
| PyYAML | [Arbitrary Code Execution](https://snyk.io/vuln/SNYK-PYTHON-PYYAML-42159) | High | unknown | 4.2b1 |
| Jinja2 | [Sandbox Escape](https://snyk.io/vuln/SNYK-PYTHON-JINJA2-174126) | Medium | unknown | 2.10.1 |

Notes:

- PyYAML is used for parsing internal configuration files and the `topology.yml`. Topology definition is the only external input for this module.
- Jinja2 generates the Vagrantfile and some Ansible playbooks. Its inputs are internal variables (in some cases generated from `topology.yml`).

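
As an added example (not part of the project's own code), the following stdlib-only script turns the tables above into a check of pinned dependency versions. It assumes requirement lines of the form `name==version`, and it treats an "unknown" first vulnerable version as covering every earlier release.

```python
import re

# Rows from the tables above: (dependency, Snyk id, first vulnerable, fixed in).
ADVISORIES = [
    ("PyYAML", "SNYK-PYTHON-PYYAML-590151", "0", "5.4"),
    ("PyYAML", "SNYK-PYTHON-PYYAML-550022", "5.1", "5.2"),
    ("PyYAML", "SNYK-PYTHON-PYYAML-42159", "unknown", "4.2b1"),
    ("Jinja2", "SNYK-PYTHON-JINJA2-174126", "unknown", "2.10.1"),
    ("Jinja2", "SNYK-PYTHON-JINJA2-1012994", "unknown", "2.11.3"),
]

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}  # pre-release ordering: a < b < rc < final


def version_key(version):
    """Sort key for the simple PEP 440 forms used in the tables (e.g. 5.4, 4.2b1)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 5.4.0 sorts equal to 5.4
        release.pop()
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(release), pre


def vulnerable_advisories(dependency, installed):
    """Advisory ids whose [first vulnerable, fixed in) range contains `installed`.
    An "unknown" first vulnerable version is treated as 0 (assumption)."""
    key = version_key(installed)
    hits = []
    for dep, advisory, first, fixed in ADVISORIES:
        if dep.lower() != dependency.lower():
            continue
        lower = version_key("0" if first == "unknown" else first)
        if lower <= key < version_key(fixed):
            hits.append(advisory)
    return hits


def audit(pins):
    """Map each `name==version` requirement line to the advisories it is exposed to."""
    findings = {}
    for line in pins:
        name, _, version = line.partition("==")
        hits = vulnerable_advisories(name.strip(), version.strip())
        if hits:
            findings[line] = hits
    return findings
```

A pin such as `PyYAML==5.3.1` is reported against SNYK-PYTHON-PYYAML-590151 only, while `PyYAML==5.4` and `Jinja2==2.11.3` produce no findings.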
[^1]: We thank our colleagues from the University of Trento for the vulnerability assessment that revealed these security issues.
# General notes

- Many Vagrant boxes have the default root user `vagrant` with the password `vagrant`. This is a [recommendation](https://www.vagrantup.com/docs/boxes/base.html#default-user-settings) for public boxes by the creators of Vagrant.