Check logs Sprint 17.4 week 2 (03/09/2022)

[pkfec]

Log review needs to be completed per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)

Ref: Check logs sprint 17.4 week 1

• Make new tickets for sprint 17.5 weeks1 & 2

[hcaofec]

FEC-CMS:
package.json: 0

requirements.txt: 4 Medium, 3 Low
[Snyk:Medium]: django Denial of Service (DoS) will solve in fecgov/fec-cms#5030
[Snyk:Medium]: [django Cross-site Scripting (XSS)] will solve in fecgov/fec-cms#5030
[Snyk:Medium]: [pillow Improper Input Validation] will solve in fecgov/fec-cms#5071
[Snyk:Medium new]: [gitpython Regular Expression Denial of Service (ReDoS)] will solve in fecgov/fec-cms#5081

[Snyk:Low]: [django Directory Traversal]will solve in fecgov/fec-cms#5030
[Snyk:Low]: [django Information Exposure]will solve in fecgov/fec-cms#5030
[Snyk:Low]: [wagtail Information Exposure] will solve in fecgov/fec-cms#5043

OPEN-FEC:
package.json: 1 Medium
[SNYK: Medium]: [@braintree/sanitize-url Cross-site Scripting (XSS)]. #5075

requirements.txt: 1 High, 2 Medium
[SNYK: High ] [ujson Out-of-Bounds Write] (#5058)
[Snyk: Medium]: [Celery Stored Command Injection] (#5017)
[Snyk: Medium]: [gitpython Regular Expression Denial of Service (ReDoS)] (#5065)

FEC-EREGS:
package.json: 0
requirements.txt: 0
requirements-parsing.txt: 1 High
Note : _Starting from Jan 2022, Team decided to exclude parser requirements from the weekly security log review. Parser requirements are monitored and upgraded during the monthly check in tickets_
See fecgov/fec-eregs#672
[SNYK: High]: [networkx Deserialization of Untrusted Data]. (fecgov/fec-eregs#674)

FEC-PATTERN-LIBRARY:
package.json: None

Search logs:
No log results for "User change"

Cloud.gov Dashboard:
9 deployer accounts, same as last week.

Off-boarding:
None for this week