Top issues
Detected presence of software components with potentially unwanted dependencies.
Causes risk: undesirable dependencies found
threats
Problem
Potentially unwanted applications (PUAs) can be considered a risk by some software users. This threat type typically collects private user data, or in more extreme cases, tampers with system security settings. Most threat prevention solutions detect and block PUAs. Some software dependencies may be optional, and could be installed or downloaded only if a certain pre-defined condition is met. When software dependencies are confirmed to be found within the software package, additional issues might also be reported. Software packages that trigger security solution detections also tend to increase the number of support calls and open tickets from users.Prevalence in PyPI community
0 packages
found in
Top 100
0 packages
found in
Top 1k
4 packages
found in
Top 10k
43 packages
in community
Next steps
Revise the use of components that raise these alarms. If you can't deprecate those components, make sure they are well-documented.
Detected presence of severe vulnerabilities with active exploitation.
Causes risk: actively exploited vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known severe vulnerabilities. Available threat intelligence telemetry has confirmed that the reported high or critical severity vulnerabilities are actively being exploited by malicious actors.Prevalence in PyPI community
38 packages
found in
Top 100
303 packages
found in
Top 1k
2611 packages
found in
Top 10k
103184 packages
in community
Next steps
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of critical severity vulnerabilities.
Causes risk: critical severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as critical severity.Prevalence in PyPI community
25 packages
found in
Top 100
212 packages
found in
Top 1k
1951 packages
found in
Top 10k
77976 packages
in community
Next steps
Perform impact analysis for the reported CVEs.
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of high severity vulnerabilities.
Causes risk: high severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.Prevalence in PyPI community
50 packages
found in
Top 100
352 packages
found in
Top 1k
2858 packages
found in
Top 10k
108771 packages
in community
Next steps
Perform impact analysis for the reported CVEs.
Update the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected Windows shared library files that do not suppress exports which reduces CFG vulnerability mitigation protection effectiveness.
Causes risk: low priority mitigations absent
hardening
Problem
Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.Prevalence in PyPI community
26 packages
found in
Top 100
130 packages
found in
Top 1k
732 packages
found in
Top 10k
14459 packages
in community
Next steps
To enable this mitigation on library code, refer to your programming language toolchain documentation.
In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.
Top behaviors
Sends data on a connected TCP socket.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
13 packages
found in
Top 100
99 packages
found in
Top 1k
566 packages
found in
Top 10k
19246 packages
in community
Receives data from a connected TCP socket.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
9 packages
found in
Top 100
94 packages
found in
Top 1k
476 packages
found in
Top 10k
16117 packages
in community
Permits an incoming connection on a TCP socket.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
8 packages
found in
Top 100
64 packages
found in
Top 1k
281 packages
found in
Top 10k
8972 packages
in community
Opens a socket listening for an incoming connection.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
9 packages
found in
Top 100
75 packages
found in
Top 1k
309 packages
found in
Top 10k
9292 packages
in community
Uses a Python script interpreter.
execution
Prevalence in PyPI community
Behavior often found in this community (Common)
23 packages
found in
Top 100
112 packages
found in
Top 1k
620 packages
found in
Top 10k
10791 packages
in community
Top vulnerabilities
Vulnerability Exploitation Lifecycle
(2 Active Vulnerabilities)
None
2 (2 Fixable)
CVE-2022-37434c
CVE-2018-25032h
None
None
Exploits Unknown
Exploits Exist
Exploited by Malware
Patching Mandated