Although given the usage is in the BSP server, an attacker would already have control of the system to be able to invoke Pants on the system (since the BSP server listens on stdin/stdout). So the attacker can already do whatever they want.
I mostly opened this issue so we can track that.
I don't think vendoring/forking makes sense unless this doesn't solve in the next week or so.
I agree that in this context this is low risk.
https://nvd.nist.gov/vuln/detail/CVE-2021-45958
ujson is depended upon via the seemingly unmaintained python-lsp-jsonrpc (added in #14329) - last commit in January 2022, but almost no commits in 2021. Hopefully this can be closed when a patched version of ujson is published (it seems to be more active).
@tdyas @stuhood fyi