Vulnerable issues (CVE) with dependencies in Superset

[hash-data]

Superset currently using :
WTForms version: 2.3.3

In there is a CVE vulnerability that can be found here https://pyup.io/v/42852/f17/
Tried to update the version but there is an error while running the flask-server with the newest version of WTForms: pallets-eco/wtforms#781 (issue listed here)

Superset Currently using flask app-builder that is using sqlalchemy <1.5 restrict (all versions of flask app builder depend on sqlalchemy < 1.5)
Which have a CVE vulnerability for more info visit: https://pyup.io/v/51668/f17/

[hash-data]

hi @dpgaspar any update on it

[dpgaspar]

I find this confusing, could not find any related CVE, snyk for example reports that: https://security.snyk.io/package/pip/wtforms/2.3.3 so 2.3.3 is considered safe

[hash-data]

can you please check the URL's I have provided

[dpgaspar]

I've checked. I don't doubt the accuracy of pyup.io, but it's confusing to not have a CVE and having a number of non oficial security scanners with conflicting reports.

Anyway, thank you for reporting this, It's truly appreciated. Bumping wtforms should have no blockers, but the major sqlalchemy bump will require a big effort

[hash-data]

bumping wtforms will also have efforts as I tried and listed the issue on wtforms repo pallets-eco/wtforms#781

[dpgaspar]

bumping wtforms will also have efforts as I tried and listed the issue on wtforms repo wtforms/wtforms#781

Ivestigating the issue, seems like it's related with wtform_json (left a more detailed comment on the issue you created on wtforms)

looks like current master already has a **kwargs on https://github.com/kvesteri/wtforms-json/blob/9005f3466cfaa27c641a0a303b8975d53cff8782/wtforms_json/__init__.py#L176

[hash-data]

@dpgaspar any update on other vulnerability?

[dpgaspar]

I've found no CVE's that need to be patched on Superset regarding sqlalchemy: https://www.cvedetails.com/vulnerability-list/vendor_id-11979/Sqlalchemy.html

Wtforms is fixed