References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

OR
          *cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:* versions up to (excluding) 1.19.2

GitHub, Inc.: https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249 Types: Patch

GitHub, Inc.: https://github.com/bloomberg/memray/releases/tag/v1.19.2 Types: Product, Release Notes

GitHub, Inc.: https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9 Types: Exploit, Vendor Advisory

Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.

AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CWE-79

https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249

https://github.com/bloomberg/memray/releases/tag/v1.19.2

https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9