Filtered by vendor Python
Subscribe
Total
217 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20907 | 7 Canonical, Debian, Fedoraproject and 4 more | 8 Ubuntu Linux, Debian Linux, Fedora and 5 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | |||||
CVE-2019-5010 | 4 Debian, Opensuse, Python and 1 more | 7 Debian Linux, Leap, Python and 4 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. | |||||
CVE-2020-5310 | 1 Python | 1 Pillow | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. | |||||
CVE-2012-5577 | 2 Debian, Python | 2 Debian Linux, Keyring | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Python keyring lib before 0.10 created keyring files with world-readable permissions. | |||||
CVE-2020-7212 | 1 Python | 1 Urllib3 | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). | |||||
CVE-2012-0877 | 2 Python, Redhat | 3 Pyxml, Enterprise Linux, Enterprise Virtualization Hypervisor | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
PyXML: Hash table collisions CPU usage Denial of Service | |||||
CVE-2019-16935 | 1 Python | 1 Python | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. | |||||
CVE-2013-1895 | 2 Fedoraproject, Python | 2 Fedora, Py-bcrypt | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. | |||||
CVE-2020-5313 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-02-04 | 5.8 MEDIUM | 7.1 HIGH |
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | |||||
CVE-2016-1000110 | 3 Debian, Fedoraproject, Python | 3 Debian Linux, Fedora, Python | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. | |||||
CVE-2019-16865 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. | |||||
CVE-2019-19274 | 1 Python | 1 Typed Ast | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.) | |||||
CVE-2020-5311 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | |||||
CVE-2019-18348 | 1 Python | 1 Python | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1. | |||||
CVE-2013-1753 | 1 Python | 1 Python | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. | |||||
CVE-2020-8315 | 1 Python | 1 Python | 2024-02-04 | 4.3 MEDIUM | 5.5 MEDIUM |
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected. | |||||
CVE-2014-4650 | 2 Python, Redhat | 3 Python, Enterprise Linux, Software Collections | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. | |||||
CVE-2019-19911 | 1 Python | 1 Pillow | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. | |||||
CVE-2020-5312 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | |||||
CVE-2020-8492 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-02-04 | 7.1 HIGH | 6.5 MEDIUM |
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. |