Jay Crumb created BEAM-10180:
--------------------------------

Summary: Upgrade httplib2 to > 0.18.0 to resolve CVE-2020-11078
Key: BEAM-10180
URL: https://issues.apache.org/jira/browse/BEAM-10180
Project: Beam
Issue Type: Improvement
Components: sdk-py-core
Reporter: Jay Crumb

In versions of httplib2 before 0.18.0, an attacker who could control the url provided to {{httplib2.Http.request()}} could modify the request's headers or body.

As I understand from looking at BEAM-9819 the current restriction exists because of a dependency on google-apitools, so this may not be a straightforward fix.

CVE: [https://nvd.nist.gov/vuln/detail/CVE-2020-11078]
GitHub Advisory: [https://github.com/advisories/GHSA-gg84-qgv9-w4pq]
Release Notes: https://github.com/httplib2/httplib2/blob/master/CHANGELOG#L7

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
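Two defensive checks a Python SDK could apply while the upgrade is blocked, written as an added example (not code from the Beam project or the reporter): a version gate for the >= 0.18.0 fix named in the issue, and a URL pre-check that refuses control characters before a URL reaches `httplib2.Http.request()`. The pre-check assumes the vector is unescaped control characters (CR/LF) in the URL; the issue itself only says a controlled URL can alter headers or body.

```python
"""Defensive checks around CVE-2020-11078 (httplib2 < 0.18.0).

Added example; not from the Beam code base or the issue reporter.
Assumption: the injection vector is an ASCII control character (such
as CR or LF) in an unescaped URL component passed to Http.request().
"""
import re
from importlib import metadata
from urllib.parse import urlsplit

FIXED_VERSION = (0, 18, 0)  # the issue asks for httplib2 >= 0.18.0

# Any ASCII control character in a URL is a red flag: on the wire it can
# terminate the request line or a header line and start a new one.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_version(text):
    """Turn '0.18.1' (or '0.18.0rc1') into a 3-tuple of ints for comparison."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:  # pad '0.18' to (0, 18, 0)
        nums.append(0)
    return tuple(nums[:3])


def is_patched(version=None):
    """True if the given (or installed) httplib2 version carries the fix."""
    if version is None:
        try:
            version = metadata.version("httplib2")
        except metadata.PackageNotFoundError:
            return False  # not installed: nothing to trust
    return parse_version(version) >= FIXED_VERSION


def check_url(url):
    """Return url unchanged if it is safe to hand to Http.request(), else raise."""
    if _CONTROL_CHARS.search(url):
        raise ValueError("control character in URL: %r" % url)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unexpected scheme or missing host: %r" % url)
    return url
```

Calling `check_url` on caller-supplied URLs is a stopgap only; the issue's actual fix is the dependency upgrade that `is_patched()` verifies.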