Add demo files with intentional security vulnerabilities for GitHub A… #142

Commit 81c56ca
GitHub Advanced Security / trivy failed Feb 12, 2026 in 13s

14 new alerts including 6 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 6 high
  • 7 medium
  • 1 low

See annotations below for details.


Annotations

Check failure on line 34 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header (High)

Package: flask
Installed Version: 2.0.2
Vulnerability: CVE-2023-30861
Severity: HIGH
Fixed Version: 2.3.2, 2.2.5
Link: CVE-2023-30861

Check failure on line 50 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

jinja2: Jinja has a sandbox breakout through malicious filenames (High)

Package: jinja2
Installed Version: 3.0.2
Vulnerability: CVE-2024-56201
Severity: MEDIUM
Fixed Version: 3.1.5
Link: CVE-2024-56201

Check failure on line 50 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

jinja2: Jinja has a sandbox breakout through indirect reference to format method (High)

Package: jinja2
Installed Version: 3.0.2
Vulnerability: CVE-2024-56326
Severity: MEDIUM
Fixed Version: 3.1.5
Link: CVE-2024-56326

Check failure on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

python-werkzeug: high resource usage when parsing multipart form data with many fields (High)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2023-25577
Severity: HIGH
Fixed Version: 2.2.3
Link: CVE-2023-25577

Check failure on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

python-werkzeug: user may execute code on a developer's machine (High)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2024-34069
Severity: HIGH
Fixed Version: 3.0.3
Link: CVE-2024-34069

Check failure on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms (High)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2024-49767
Severity: MEDIUM
Fixed Version: 3.0.6
Link: CVE-2024-49767

Check warning on line 50 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (Medium)

Package: jinja2
Installed Version: 3.0.2
Vulnerability: CVE-2024-22195
Severity: MEDIUM
Fixed Version: 3.1.3
Link: CVE-2024-22195

Check warning on line 50 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

jinja2: accepts keys containing non-attribute characters (Medium)

Package: jinja2
Installed Version: 3.0.2
Vulnerability: CVE-2024-34064
Severity: MEDIUM
Fixed Version: 3.1.4
Link: CVE-2024-34064

Check warning on line 50 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

jinja2: Jinja sandbox breakout through attr filter selecting format method (Medium)

Package: jinja2
Installed Version: 3.0.2
Vulnerability: CVE-2025-27516
Severity: MEDIUM
Fixed Version: 3.1.6
Link: CVE-2025-27516

Check warning on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

python-werkzeug: high resource consumption leading to denial of service (Medium)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2023-46136
Severity: MEDIUM
Fixed Version: 3.0.1, 2.3.8
Link: CVE-2023-46136

Check warning on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

werkzeug: python-werkzeug: Werkzeug safe_join not safe on Windows (Medium)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2024-49766
Severity: MEDIUM
Fixed Version: 3.0.6
Link: CVE-2024-49766

Check warning on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

Werkzeug: Werkzeug: Denial of service via Windows device names in path segments (Medium)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2025-66221
Severity: MEDIUM
Fixed Version: 3.1.4
Link: CVE-2025-66221

Check warning on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

Werkzeug safe_join() allows Windows special device names with compound extensions (Medium)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2026-21860
Severity: MEDIUM
Fixed Version: 3.1.5
Link: CVE-2026-21860

Check notice on line 126 in devsecops-demo/Pipfile.lock

Code scanning / Trivy

python-werkzeug: cookie prefixed with = can shadow unprefixed cookie (Low)

Package: werkzeug
Installed Version: 2.0.2
Vulnerability: CVE-2023-23934
Severity: LOW
Fixed Version: 2.2.3
Link: CVE-2023-23934