Skip to content

Commit 03bb441

Browse files
committed
chore(security): export issues, dependabot & codescan alerts
1 parent ee73b0d commit 03bb441

43 files changed

Lines changed: 927 additions & 0 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

issues/README.md

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
# Repository: LazyOwn
2+
3+
**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.
4+
5+
| Metric | Value |
6+
|--------|-------|
7+
| ⭐ Stars | 213 |
8+
| 📥 Clones (last 14 days) | 518 |
9+
| 🟢 Open Issues | 1 |
10+
| 📋 Total Issues | 4 |
11+
| 🛡 Dependabot Open Alerts | 35 |
12+
| 🔍 CodeScan Open Alerts | 3 |
13+
14+
## Issues
15+
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
16+
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
17+
- [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed)
18+
- [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed)
19+
20+
## Dependabot Alerts
21+
- [Dependabot #44](./dependabot/alert_44.md) - msgpack (high) - open
22+
- [Dependabot #43](./dependabot/alert_43.md) - pypdf (medium) - open
23+
- [Dependabot #42](./dependabot/alert_42.md) - pypdf (medium) - open
24+
- [Dependabot #41](./dependabot/alert_41.md) - pypdf (medium) - open
25+
- [Dependabot #40](./dependabot/alert_40.md) - pypdf (medium) - open
26+
- [Dependabot #39](./dependabot/alert_39.md) - pypdf (medium) - open
27+
- [Dependabot #38](./dependabot/alert_38.md) - pypdf (medium) - open
28+
- [Dependabot #37](./dependabot/alert_37.md) - cryptography (high) - open
29+
- [Dependabot #36](./dependabot/alert_36.md) - pypdf (medium) - open
30+
- [Dependabot #35](./dependabot/alert_35.md) - pypdf (medium) - open
31+
- [Dependabot #34](./dependabot/alert_34.md) - torch (low) - open
32+
- [Dependabot #33](./dependabot/alert_33.md) - torch (low) - open
33+
- [Dependabot #32](./dependabot/alert_32.md) - pypdf (medium) - open
34+
- [Dependabot #31](./dependabot/alert_31.md) - pypdf (medium) - open
35+
- [Dependabot #30](./dependabot/alert_30.md) - pypdf (medium) - open
36+
- [Dependabot #29](./dependabot/alert_29.md) - pypdf (medium) - open
37+
- [Dependabot #28](./dependabot/alert_28.md) - pypdf (medium) - open
38+
- [Dependabot #27](./dependabot/alert_27.md) - cryptography (medium) - open
39+
- [Dependabot #26](./dependabot/alert_26.md) - pypdf (medium) - open
40+
- [Dependabot #25](./dependabot/alert_25.md) - pypdf (medium) - open
41+
- [Dependabot #24](./dependabot/alert_24.md) - pypdf (medium) - open
42+
- [Dependabot #23](./dependabot/alert_23.md) - pypdf (medium) - open
43+
- [Dependabot #22](./dependabot/alert_22.md) - pypdf (medium) - open
44+
- [Dependabot #21](./dependabot/alert_21.md) - pypdf (medium) - open
45+
- [Dependabot #20](./dependabot/alert_20.md) - pypdf (low) - open
46+
- [Dependabot #19](./dependabot/alert_19.md) - pypdf (medium) - open
47+
- [Dependabot #18](./dependabot/alert_18.md) - pypdf (medium) - open
48+
- [Dependabot #17](./dependabot/alert_17.md) - pypdf (medium) - open
49+
- [Dependabot #16](./dependabot/alert_16.md) - pypdf (medium) - open
50+
- [Dependabot #15](./dependabot/alert_15.md) - pypdf (low) - open
51+
- [Dependabot #14](./dependabot/alert_14.md) - pypdf (low) - open
52+
- [Dependabot #13](./dependabot/alert_13.md) - pypdf (medium) - open
53+
- [Dependabot #12](./dependabot/alert_12.md) - pypdf (medium) - open
54+
- [Dependabot #11](./dependabot/alert_11.md) - pypdf (medium) - open
55+
- [Dependabot #7](./dependabot/alert_7.md) - paramiko (low) - open
56+
57+
## Code Scanning Alerts
58+
- [CodeScan #767](./codescan/alert_767.md) - py/bind-socket-all-network-interfaces (error) - open
59+
- [CodeScan #766](./codescan/alert_766.md) - py/bind-socket-all-network-interfaces (error) - open
60+
- [CodeScan #765](./codescan/alert_765.md) - py/bind-socket-all-network-interfaces (error) - open
61+
62+
Total issues downloaded: 4

issues/codescan/alert_765.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
# Code Scanning Alert #765: py/bind-socket-all-network-interfaces
2+
3+
- **State:** open
4+
- **Severity:** error
5+
- **Tool:** CodeQL
6+
- **Created:** 2026-05-21T04:27:05Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/765
8+
9+
## Description
10+
Binding a socket to all network interfaces

issues/codescan/alert_766.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
# Code Scanning Alert #766: py/bind-socket-all-network-interfaces
2+
3+
- **State:** open
4+
- **Severity:** error
5+
- **Tool:** CodeQL
6+
- **Created:** 2026-05-21T04:27:05Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/766
8+
9+
## Description
10+
Binding a socket to all network interfaces

issues/codescan/alert_767.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
# Code Scanning Alert #767: py/bind-socket-all-network-interfaces
2+
3+
- **State:** open
4+
- **Severity:** error
5+
- **Tool:** CodeQL
6+
- **Created:** 2026-05-21T04:27:05Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/767
8+
9+
## Description
10+
Binding a socket to all network interfaces

issues/dependabot/alert_11.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
# Dependabot Alert #11: pypdf
2+
3+
- **State:** open
4+
- **Severity:** medium
5+
- **CVE:** CVE-2025-62707
6+
- **Created:** 2026-06-07T17:50:21Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/11
8+
9+
## Summary
10+
pypdf possibly loops infinitely when reading DCT inline images without EOF marker
11+
12+
## Description
13+
### Impact
14+
15+
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter.
16+
17+
### Patches
18+
This has been fixed in [pypdf==6.1.3](https://github.com/py-pdf/pypdf/releases/tag/6.1.3).
19+
20+
### Workarounds
21+
If you cannot upgrade yet, consider applying the changes from PR [#3501](https://github.com/py-pdf/pypdf/pull/3501).

issues/dependabot/alert_12.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
# Dependabot Alert #12: pypdf
2+
3+
- **State:** open
4+
- **Severity:** medium
5+
- **CVE:** CVE-2025-62708
6+
- **Created:** 2026-06-07T17:50:21Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/12
8+
9+
## Summary
10+
pypdf can exhaust RAM via manipulated LZWDecode streams
11+
12+
## Description
13+
### Impact
14+
15+
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter.
16+
17+
### Patches
18+
This has been fixed in [pypdf==6.1.3](https://github.com/py-pdf/pypdf/releases/tag/6.1.3).
19+
20+
### Workarounds
21+
If you cannot upgrade yet, consider applying the changes from PR [#3502](https://github.com/py-pdf/pypdf/pull/3502).

issues/dependabot/alert_13.md

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Dependabot Alert #13: pypdf
2+
3+
- **State:** open
4+
- **Severity:** medium
5+
- **CVE:** CVE-2025-66019
6+
- **Created:** 2026-06-07T17:50:21Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/13
8+
9+
## Summary
10+
pypdf's LZWDecode streams be manipulated to exhaust RAM
11+
12+
## Description
13+
### Impact
14+
15+
An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.
16+
17+
This is a follow up to [GHSA-jfx9-29x2-rv3j](https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j) to align the default limit with the one for *zlib*.
18+
19+
### Patches
20+
This has been fixed in [pypdf==6.4.0](https://github.com/py-pdf/pypdf/releases/tag/6.4.0).
21+
22+
### Workarounds
23+
If users cannot upgrade yet, use the line below to overwrite the default in their code:
24+
25+
```python
26+
pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000
27+
```

issues/dependabot/alert_14.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
# Dependabot Alert #14: pypdf
2+
3+
- **State:** open
4+
- **Severity:** low
5+
- **CVE:** CVE-2026-22690
6+
- **Created:** 2026-06-07T17:50:21Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/14
8+
9+
## Summary
10+
pypdf has possible long runtimes for missing /Root object with large /Size values
11+
12+
## Description
13+
### Impact
14+
An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the `/Root` entry in the trailer, while using a rather large `/Size` value. Only the non-strict reading mode is affected.
15+
16+
### Patches
17+
This has been fixed in [pypdf==6.6.0](https://github.com/py-pdf/pypdf/releases/tag/6.6.0).
18+
19+
### Workarounds
20+
21+
```python
22+
from pypdf import PdfReader, PdfWriter
23+
24+
25+
# Instead of
26+
reader = PdfReader("file.pdf")
27+
# use the strict mode:
28+
reader = PdfReader("file.pdf", strict=True)
29+
30+
# Instead of
31+
writer = PdfWriter(clone_from="file.pdf")
32+
# use an explicit strict reader:
33+
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
34+
```
35+
36+
### Resources
37+
This issue has been fixed in #3594.

issues/dependabot/alert_15.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
# Dependabot Alert #15: pypdf
2+
3+
- **State:** open
4+
- **Severity:** low
5+
- **CVE:** CVE-2026-22691
6+
- **Created:** 2026-06-07T17:50:22Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/15
8+
9+
## Summary
10+
pypdf has possible long runtimes for malformed startxref
11+
12+
## Description
13+
### Impact
14+
An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for invalid `startxref` entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected.
15+
16+
### Patches
17+
This has been fixed in [pypdf==6.6.0](https://github.com/py-pdf/pypdf/releases/tag/6.6.0).
18+
19+
### Workarounds
20+
21+
```python
22+
from pypdf import PdfReader, PdfWriter
23+
24+
25+
# Instead of
26+
reader = PdfReader("file.pdf")
27+
# use the strict mode:
28+
reader = PdfReader("file.pdf", strict=True)
29+
30+
# Instead of
31+
writer = PdfWriter(clone_from="file.pdf")
32+
# use an explicit strict reader:
33+
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
34+
```
35+
36+
### Resources
37+
This issue has been fixed in #3594.

issues/dependabot/alert_16.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# Dependabot Alert #16: pypdf
2+
3+
- **State:** open
4+
- **Severity:** medium
5+
- **CVE:** CVE-2026-24688
6+
- **Created:** 2026-06-07T17:50:22Z
7+
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/16
8+
9+
## Summary
10+
pypdf has possible Infinite Loop when processing outlines/bookmarks
11+
12+
## Description
13+
### Impact
14+
15+
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks.
16+
17+
### Patches
18+
19+
This has been fixed in [pypdf 6.6.2](https://github.com/py-pdf/pypdf/releases/tag/6.6.2).
20+
21+
### Workarounds
22+
23+
If projects cannot upgrade yet, consider applying the changes from PR [#3610](https://github.com/py-pdf/pypdf/pull/3610).

0 commit comments

Comments
 (0)