[jira] [Updated] (BEAM-10180) Upgrade httplib2 to > 0.18.0 to resolve CVE-2020-11078

Beam JIRA Bot (Jira) Sun, 16 Aug 2020 10:07:43 -0700


     [ 
https://issues.apache.org/jira/browse/BEAM-10180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Beam JIRA Bot updated BEAM-10180:
---------------------------------
    Priority: P3  (was: P2)

> Upgrade httplib2 to > 0.18.0 to resolve CVE-2020-11078
> ------------------------------------------------------
>
>                 Key: BEAM-10180
>                 URL: https://issues.apache.org/jira/browse/BEAM-10180
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-py-core
>            Reporter: Jay Crumb
>            Priority: P3
>              Labels: stale-P2
>
> In versions of httplib2 before 0.18.0, an attacker who could control the url 
> provided to {{httplib2.Http.request()}} could modify the request's headers or 
> body.
>  
> As I understand from looking at BEAM-9819 the current restriction exists 
> because of a dependency on google-apitools so this may not be a 
> straightforward fix.
>  
> CVE: [https://nvd.nist.gov/vuln/detail/CVE-2020-11078]
> GitHub Advisory: [https://github.com/advisories/GHSA-gg84-qgv9-w4pq]
> Release Notes: https://github.com/httplib2/httplib2/blob/master/CHANGELOG#L7



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (BEAM-10180) Upgrade httplib2 to > 0.18.0 to resolve CVE-2020-11078

Reply via email to