Vulnerabilities in Python Dependencies

Issue Summary

The Docker image for Redash 10 (i.e. redash/redash:10.1.0.b50633 (debian 10.11)) includes several Python libraries that have high and critical CVEs.

  • PyYAML 5.1.2 → 5.4
  • httplib2 0.14.0 → 0.19.0
  • pyarrow 0.13.0 → 0.15.0
  • pycrypto 2.6.1 → No known fix, suggested to use pycryptodome
  • sqlparse 0.3.0 → 0.4.2
  • urllib3 1.24.3 → 1.26.5

What is the recommended remediation? Has Redash been tested against any of these newer versions?

List of vulnerabilities:

LIBRARY    VULNERABILITY ID   SEVERITY   INSTALLED VERSION   FIXED VERSION
PyYAML     CVE-2019-20477     CRITICAL   5.1.2               5.2b1
PyYAML     CVE-2020-14343     CRITICAL   5.1.2               5.4
PyYAML     CVE-2020-1747      CRITICAL   5.1.2               5.3.1
httplib2   CVE-2021-21240     HIGH       0.14.0              0.19.0
pyarrow    CVE-2019-12410     HIGH       0.13.0              0.15.0
pycrypto   CVE-2013-7459      CRITICAL   2.6.1               (no known fix)
pycrypto   CVE-2018-6594      HIGH       2.6.1               (no known fix)
sqlparse   CVE-2021-32839     HIGH       0.3.0               0.4.2
urllib3    CVE-2021-33503     HIGH       1.24.3              1.26.5

Technical details:

  • Redash Version: 10.1.0.b50633
  • Browser/OS: N/A
  • How did you install Redash: Docker
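Added example (not part of the original post and not Redash project code): a small stdlib-only audit that compares the versions pinned in a `pip freeze`-style listing against the advisory table from this post, so the check can be re-run after a `requirements.txt` bump. The freeze text below is constructed from the versions named above; the version parser is a hypothetical helper that covers only plain dotted releases with an optional a/b/rc pre-release suffix (enough for 5.2b1), not the full PEP 440 grammar.

```python
import re
from typing import Dict, List, Optional, Tuple

# Advisory rows as listed in the issue: (library, CVE, severity, fixed version or None).
ADVISORIES: List[Tuple[str, str, str, Optional[str]]] = [
    ("PyYAML", "CVE-2019-20477", "CRITICAL", "5.2b1"),
    ("PyYAML", "CVE-2020-14343", "CRITICAL", "5.4"),
    ("PyYAML", "CVE-2020-1747", "CRITICAL", "5.3.1"),
    ("httplib2", "CVE-2021-21240", "HIGH", "0.19.0"),
    ("pyarrow", "CVE-2019-12410", "HIGH", "0.15.0"),
    ("pycrypto", "CVE-2013-7459", "CRITICAL", None),  # no fixed release exists
    ("pycrypto", "CVE-2018-6594", "HIGH", None),
    ("sqlparse", "CVE-2021-32839", "HIGH", "0.4.2"),
    ("urllib3", "CVE-2021-33503", "HIGH", "1.26.5"),
]

# Constructed sample: the pins the issue reports for the Redash 10.1.0 image.
FREEZE_BEFORE = """\
PyYAML==5.1.2
httplib2==0.14.0
pyarrow==0.13.0
pycrypto==2.6.1
sqlparse==0.3.0
urllib3==1.24.3
"""

# Constructed sample: the same listing after bumping to the suggested versions.
FREEZE_AFTER = """\
PyYAML==5.4
httplib2==0.19.0
pyarrow==0.15.0
pycrypto==2.6.1
sqlparse==0.4.2
urllib3==1.26.5
"""

# Hypothetical minimal version parser: "5.3.1", "5.2b1", "0.19.0", "1.0rc2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def version_key(text: str) -> Tuple[Tuple[int, ...], int, int, int]:
    """Return a sortable key; a pre-release sorts below the final release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 1.26.5.0 == 1.26.5
        release.pop()
    if m.group(2):
        return (tuple(release), 0, _PRE_RANK[m.group(2)], int(m.group(3)))
    return (tuple(release), 1, 0, 0)


def parse_freeze(text: str) -> Dict[str, str]:
    """Map lower-cased distribution name -> pinned version from 'name==version' lines."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def audit(installed: Dict[str, str]) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Return (library, CVE, severity, installed, fixed) for every advisory still affecting the pins."""
    findings = []
    for lib, cve, severity, fixed in ADVISORIES:
        current = installed.get(lib.lower())
        if current is None:
            continue  # package not installed, advisory does not apply
        if fixed is None or version_key(current) < version_key(fixed):
            findings.append((lib, cve, severity, current, fixed))
    return findings


if __name__ == "__main__":
    for label, freeze in (("before", FREEZE_BEFORE), ("after", FREEZE_AFTER)):
        print(f"== {label} ==")
        for lib, cve, severity, current, fixed in audit(parse_freeze(freeze)):
            print(f"{severity:8} {lib:10} {cve:15} installed {current}, fixed in {fixed or 'n/a'}")
```

Run against the "before" pins every row of the table is reported; against the "after" pins only the two pycrypto advisories remain, which matches the note that pycrypto has no fixed release and needs replacing rather than upgrading.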

Thanks for bringing this to our attention. Will need to consider each one more closely.

re: pyarrow and pycrypto, these are only used in specific query runners. So possible vulnerability would only affect users who create those kinds of datasources.

urllib3, sqlparse, PyYAML and httplib2 are used by the core application. So will need to be evaluated as to whether the vulnerability is able to be exploited on Redash v10 (latest release).