A group of security researchers revealed that many security corrections in Python programming are “silently”, without the associated identifiers CVE. |
This trend is a danger, since an attacker can use unsolved errors in vulnerable systems. If the Python package contains a dangerous vulnerability that was not published under CVE, then the application developer may not notice it and will not correct the error. CyberPressor can use the situation by operating unpublished vulnerability. |
To solve the problem of researchers introduced a database of security corrections under the name pysecdb , which is designed to increase the appearance of important changes in the Python code for the developers community. |
Pysecdb – the first one of a kind database containing security corrections for Python. Pysecdb includes 1.258 security corrections and 2.791 security corrections from more than 351 popular GITHUB projects covering 119 additional CWE. |
Pysecdb is also based on Scopy AI models, which reveals the code changes associated with security through the sequence and structure of the semantics of the code. The authors emphasize that Scopy can identify the corrections of vulnerabilities that were not officially published. However, the model can help attackers find shortcomings in vulnerable systems. Therefore, Scopy provides information only about security corrections, and not about vulnerabilities. |
pysecdb is available for non-profit research or personal use on request in the Sun Security Laboratory in George Mason University. |
A group of security researchers has warned that a significant number of security corrections in the Python programming language are being made without an associated identifier, known as a CVE. This practice is dangerous as it allows attackers to exploit unsolved errors in vulnerable systems. If a Python package contains a critical vulnerability that has not been published under a CVE, application developers may remain unaware of the issue and fail to address it. Cyber criminals can take advantage of these undisclosed vulnerabilities, putting users at risk