
Advisory ROSA-SA-2021-1957

2021-07-02 18:03:40
ROSA LAB
abf.rosalinux.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4 High (Confidence: High)

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.53 Medium (Percentile: 97.6%)

Software: python 2.7.5
OS: Cobalt 7.9

CVE-ID: CVE-2013-7040
CVE-Crit: CRITICAL
CVE-DESC: Python 2.7 through 3.4 uses only the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2013-7440
CVE-Crit: MEDIUM
CVE-DESC: The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-1912
CVE-Crit: MEDIUM
CVE-DESC: Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-9365
CVE-Crit: HIGH
CVE-DESC: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or (b) verify that the server hostname matches a domain name in the subject's Common Name or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-STATUS: default
CVE-REV: default

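The two certificate checks that CVE-2013-7440 and CVE-2014-9365 describe as broken or missing, hostname matching with safe wildcard handling and chain validation against a trust store, are shown below as an added example. It is not CPython's ssl.match_hostname: the `cert` dictionaries are constructed here in the shape ssl.getpeercert() returns, and the wildcard rules (one wildcard per name, only as the entire leftmost label, matching exactly one non-IDNA label) are this example's choice, stricter than what the pre-2.7.9 matcher accepted.

```python
"""Hostname verification against an X.509 peer certificate, RFC 6125 style.

Added example, not CPython's own ssl.match_hostname. `cert` is assumed to be
in the dictionary shape ssl.SSLSocket.getpeercert() returns: a 'subject'
tuple of RDN tuples plus an optional 'subjectAltName' tuple of (type, value)
pairs. The wildcard rules applied are this example's choice.
"""
import ipaddress
import ssl


class CertificateError(ValueError):
    """The certificate does not identify the host we connected to."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName or commonName pattern against hostname.

    Rules: compare label by label, case-insensitively, with the same number
    of labels on both sides; '*' is accepted only as the entire leftmost
    label, so it matches exactly one non-empty label and never crosses a
    dot; at most one wildcard per pattern; a wildcard never matches an IDNA
    A-label (xn--). Anything else is a malformed pattern and is rejected.
    """
    if not pattern:
        return False
    if pattern.count("*") > 1:
        raise CertificateError("too many wildcards in certificate name %r" % pattern)
    pat_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pat_labels) != len(host_labels) or not all(host_labels):
        return False
    for i, (p, h) in enumerate(zip(pat_labels, host_labels)):
        if "*" in p:
            if i != 0 or p != "*":
                # 'www*.example.com' or 'a.*.example.com': not supported
                raise CertificateError("unsupported wildcard in certificate name %r" % pattern)
            if h.startswith("xn--"):
                raise CertificateError("wildcard must not match an IDNA label (%r)" % hostname)
            continue  # the wildcard consumed exactly this one label
        if p != h:
            return False
    return True


def match_hostname(cert, hostname):
    """Return the certificate name that matched hostname, else raise.

    subjectAltName entries are authoritative; the subject commonName is only
    consulted when the certificate carries no SAN name at all.
    """
    if not cert:
        raise CertificateError("empty or missing certificate")
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    names_seen = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            if host_ip is None and _dnsname_match(value, hostname):
                return value
            names_seen.append(value)
        elif kind == "IP Address":
            try:
                if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                    return value
            except ValueError:
                pass  # malformed IP entry in the certificate: never matches
            names_seen.append(value)
    if not names_seen:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if host_ip is None and _dnsname_match(value, hostname):
                        return value
                    names_seen.append(value)
    raise CertificateError("hostname %r does not match %s" % (
        hostname, ", ".join(repr(n) for n in names_seen) or "any certificate name"))


def hostname_ok(cert, hostname):
    """Boolean form of match_hostname: malformed patterns count as no match."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


def verifying_client_context():
    """SSLContext doing both checks the old HTTP clients skipped: chain
    validation against the trust store (CERT_REQUIRED) and hostname
    checking (check_hostname). ssl.create_default_context() sets both."""
    return ssl.create_default_context()


# Constructed sample certificates in getpeercert() shape (not real certificates).
WILDCARD_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
BAD_WILDCARD_CERT = {"subject": (), "subjectAltName": (("DNS", "*.*.example.com"),)}
```

A certificate that carries subjectAltName entries never falls back to its Common Name, which is why `ignored.example.net` is rejected for WILDCARD_CERT even though it appears in the subject.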
CVE-ID: CVE-2016-0740
CVE-Crit: MEDIUM
CVE-DESC: Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-0775
CVE-Crit: MEDIUM
CVE-DESC: Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-1494
CVE-Crit: MEDIUM
CVE-DESC: The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-2533
CVE-Crit: MEDIUM
CVE-DESC: Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-4009
CVE-Crit: CRITICAL
CVE-DESC: Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-9189
CVE-Crit: MEDIUM
CVE-DESC: Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer component in map.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-9190
CVE-Crit: HIGH
CVE-DESC: Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew component in Storage.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-1000158
CVE-Crit: CRITICAL
CVE-DESC: CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in a heap-based buffer overflow (and possible arbitrary code execution).
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-1000030
CVE-Crit: LOW
CVE-DESC: Python 2.7.14 is vulnerable to a heap buffer overflow as well as a heap use-after-free. Python versions prior to 2.7.14 may also be vulnerable, and it appears that Python 2.7.17 and prior may also be vulnerable, although this has not been confirmed. The vulnerability arises when multiple threads are handling large amounts of data. In both cases there is essentially a race condition. For the heap buffer overflow, Thread 2 is computing the size of a buffer while Thread 1 is already writing to the buffer without knowing how much to write, so when a large amount of data is being processed it is very easy to cause memory corruption. As for the use-after-free: Thread 3 mallocs, Thread 1 frees, and Thread 2 reuses the freed memory. The PSRT has stated that this is not a security vulnerability because the attacker must already be able to run code; however, in some situations, such as function-as-a-service, this could potentially be used by an attacker to violate a trust boundary, which is why the DWF feels the issue deserves a CVE.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-15560
CVE-Crit: HIGH
CVE-DESC: PyCryptodome before 3.6.6 has an integer overflow in the data_len variable in AESNI.c, related to the AESNI_encrypt and AESNI_decrypt functions, which leads to incorrect processing of messages shorter than 16 bytes.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-18074
CVE-Crit: HIGH
CVE-DESC: The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
CVE-STATUS: default
CVE-REV: default

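The redirect decision that CVE-2018-18074 describes, written out as an added example (not the Requests project's code) so that the vulnerable same-hostname test can be compared with a hardened same-origin test. The URLs and the Basic credential are constructed; the single tolerated exception, an upgrade from http on port 80 to https on port 443, is this example's choice.

```python
"""Decide whether an Authorization header may follow an HTTP redirect.

Added example, not the Requests project's code. Both the vulnerable rule
and a hardened one are written out so they can be compared on the
https-to-http case from the advisory. Standard library only.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, effective port) of a URL, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_strip_auth_vulnerable(old_url, new_url):
    """Pre-2.20.0 behaviour as described in the advisory: the header is
    dropped only when the hostname changes, so a same-host https->http
    redirect still carries the credentials over plaintext."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def should_strip_auth(old_url, new_url):
    """Hardened rule: the header survives only if the redirect target is the
    same origin, with one tolerated exception, an upgrade from http on port
    80 to https on port 443 (the credentials move to a stronger channel)."""
    old_scheme, old_host, old_port = _origin(old_url)
    new_scheme, new_host, new_port = _origin(new_url)
    if old_host != new_host:
        return True
    if (old_scheme, old_port, new_scheme, new_port) == ("http", 80, "https", 443):
        return False
    # Any other scheme change (https -> http in particular) or port change
    # is a different origin: strip.
    return old_scheme != new_scheme or old_port != new_port


def headers_for_redirect(headers, old_url, new_url, policy=should_strip_auth):
    """Headers to send to new_url after old_url redirected there."""
    out = dict(headers)
    if policy(old_url, new_url):
        # header names are case-insensitive; remove every spelling
        for name in list(out):
            if name.lower() == "authorization":
                del out[name]
    return out


# Constructed request and redirect for the scenario in the advisory.
SAMPLE_HEADERS = {"Authorization": "Basic dXNlcjpzZWNyZXQ=", "Accept": "application/json"}
ORIGINAL_URL = "https://api.example.com/v1/me"
DOWNGRADE_URL = "http://api.example.com/v1/me"
```

Comparing on host alone is the whole bug: `_origin()` includes scheme and effective port so that a downgrade or a port change counts as a new origin.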
CVE-ID: CVE-2019-16865
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-18348
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.) This is fixed in v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-19911
CVE-Crit: HIGH
CVE-DESC: There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-20907
CVE-Crit: HIGH
CVE-DESC: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-7617
CVE-Crit: HIGH
CVE-DESC: When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9674
CVE-Crit: HIGH
CVE-DESC: Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
CVE-STATUS: default
CVE-REV: default

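A budget check for the CVE-2019-9674 scenario, as an added example that is not CPython's zipfile code: the central directory is inspected before anything is decompressed, and the bytes actually decompressed are counted against the same budget because the declared sizes come from the attacker. The limits and the two archives (one benign, one an 8 MiB run of zeros) are constructed for the demonstration.

```python
"""Budgeted ZIP handling: refuse archives whose declared expansion is out of
proportion, and cap what is actually decompressed.

Added example, not CPython's zipfile code. The numeric limits are
assumptions chosen for illustration; tune them to the application.
"""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # declared expansion allowed, bytes
MAX_RATIO = 100                            # uncompressed / compressed
MAX_MEMBERS = 10_000


class ZipBombError(ValueError):
    """The archive exceeds the expansion budget."""


def check_zip_budget(data, max_total=MAX_TOTAL_UNCOMPRESSED,
                     max_ratio=MAX_RATIO, max_members=MAX_MEMBERS):
    """Inspect the central directory only (no decompression) and return
    (member count, declared total uncompressed size). Raise ZipBombError if
    the member count, the declared size or the compression ratio is over
    budget. Declared sizes come from the attacker, so this is a cheap first
    filter, not the last line of defence."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise ZipBombError("too many members: %d" % len(infos))
        total = sum(info.file_size for info in infos)
        compressed = sum(info.compress_size for info in infos)
        if total > max_total:
            raise ZipBombError("declared size %d exceeds budget %d" % (total, max_total))
        if compressed and total / compressed > max_ratio:
            raise ZipBombError("compression ratio %.0f exceeds %d" % (total / compressed, max_ratio))
        return len(infos), total


def is_zip_bomb(data, **limits):
    """Boolean form of check_zip_budget."""
    try:
        check_zip_budget(data, **limits)
        return False
    except ZipBombError:
        return True


def extract_all_bounded(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Decompress into memory, counting real output bytes against max_total so
    a member whose header understates its size cannot blow past the budget."""
    check_zip_budget(data, max_total=max_total, max_ratio=max_ratio)
    remaining = max_total
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as src:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise ZipBombError("budget exhausted while reading %s" % info.filename)
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def _build_zip(members, compression):
    """Constructed test helper: write (name, payload) pairs into an in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed archives: a small benign one, and an 8 MiB run of zeros that
# deflates to a few KiB (ratio in the hundreds), the simplest zip bomb.
BENIGN_ZIP = _build_zip([("hello.txt", b"hello, world\n")], zipfile.ZIP_DEFLATED)
BOMB_ZIP = _build_zip([("zeros.bin", b"\0" * (8 * 1024 * 1024))], zipfile.ZIP_DEFLATED)
```

The ratio test catches the zeros archive even though its 8 MiB expansion is under the default size budget; lowering `max_total` shows the size budget catching it on its own, and raising both limits shows the archive is accepted when the application genuinely wants that much data.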
CVE-ID: CVE-2020-10378
CVE-Crit: MEDIUM
CVE-DESC: In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-10379
CVE-Crit: HIGH
CVE-DESC: In Pillow before 7.1.0, there are two buffer overflows in libImaging/TiffDecode.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-10994
CVE-Crit: MEDIUM
CVE-DESC: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-11538
CVE-Crit: HIGH
CVE-DESC: In libImaging/SgiRleDecode.c in Pillow through 7.0.0, there are a number of out-of-bounds reads in the SGI image file parser, a different issue than CVE-2020-5311.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-10177
CVE-Crit: MEDIUM
CVE-DESC: Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-35653
CVE-Crit: HIGH
CVE-DESC: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-36242
CVE-Crit: CRITICAL
CVE-DESC: In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-35654
CVE-Crit: HIGH
CVE-DESC: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-5310
CVE-Crit: HIGH
CVE-DESC: libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-5313
CVE-Crit: HIGH
CVE-DESC: libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-5311
CVE-Crit: CRITICAL
CVE-DESC: libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-5312
CVE-Crit: CRITICAL
CVE-DESC: libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P-mode buffer overflow.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-8492
CVE-Crit: MEDIUM
CVE-DESC: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of catastrophic backtracking in urllib.request.AbstractBasicAuthHandler.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-23336
CVE-Crit: MEDIUM
CVE-DESC: The python/cpython package from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, and from 3.9.0 and before 3.9.2 is vulnerable to web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs, using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator and therefore would not include it in a cache key of an unkeyed parameter.
CVE-STATUS: default
CVE-REV: default

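Parameter cloaking from CVE-2021-23336, modelled as an added example rather than CPython's own parser: parse_qs_legacy() reproduces the pre-fix split on both '&' and ';', parse_qs_strict() the fixed single-separator behaviour, and proxy_cache_key() is a toy model of a cache that splits only on '&' and ignores an operator-defined list of unkeyed parameters. The unkeyed list, the paths and the query strings are constructed for the demo; stdlib_is_patched() checks the interpreter that is actually running the code.

```python
"""Parameter cloaking: why a ';' in a query string splits a cache from its
origin server.

Added example, not CPython's urllib.parse code. parse_qs_legacy() models the
pre-fix behaviour (both '&' and ';' separate pairs) and parse_qs_strict()
the fixed behaviour (one explicit separator). proxy_cache_key() is a toy
model of a front cache; its unkeyed-parameter list is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote_plus


def _pairs_to_dict(pairs):
    out = {}
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        out.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return out


def parse_qs_legacy(qs):
    """Pre-fix semantics: '&' and ';' are both separators."""
    return _pairs_to_dict(re.split(r"[&;]", qs))


def parse_qs_strict(qs, separator="&"):
    """Fixed semantics: exactly one separator, '&' unless the caller opts in."""
    return _pairs_to_dict(qs.split(separator))


def proxy_cache_key(path, qs, unkeyed=("utm_source", "utm_medium")):
    """Cache key as a typical front proxy computes it: split on '&' only,
    drop parameters the operator marked as unkeyed, sort the rest."""
    kept = [p for p in qs.split("&") if p and p.partition("=")[0] not in unkeyed]
    return path + "?" + "&".join(sorted(kept))


def cloaking_divergence(path, qs):
    """For one request, return what the proxy keys on versus what a legacy
    and a strict server-side parser each see. The attack works when the
    proxy key equals that of a clean request while the legacy parse does not."""
    return proxy_cache_key(path, qs), parse_qs_legacy(qs), parse_qs_strict(qs)


def stdlib_is_patched():
    """Runtime check for this interpreter: a patched urllib.parse.parse_qs
    no longer splits on ';' by default."""
    return parse_qs("a=1;b=2") == {"a": ["1;b=2"]}


# Constructed attack request: the payload hides inside an unkeyed parameter,
# so the proxy keys it exactly like the clean request below.
CLEAN_REQUEST = ("/api/widgets", "")
POISONED_REQUEST = ("/api/widgets", "utm_source=newsletter;callback=evil")
```

After the fix, code that really does need ';' as a separator must say so explicitly (`parse_qs(qs, separator=';')`); the point of the change is that the default agrees with what caches and other proxies assume.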
CVE-ID: CVE-2021-25289
CVE-Crit: CRITICAL
CVE-DESC: An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-25290
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-25291
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-25292
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-25293
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-27921
CVE-Crit: HIGH
CVE-DESC: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-27922
CVE-Crit: HIGH
CVE-DESC: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-27923
CVE-Crit: HIGH
CVE-DESC: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
CVE-STATUS: default
CVE-REV: default

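The three Pillow container issues above (CVE-2021-27921, CVE-2021-27922, CVE-2021-27923) share one cause: a size read from the container directory drives an allocation without being checked against the file. The added example below, which is not Pillow's IcoImagePlugin, does that check for the ICO directory (a 6-byte ICONDIR followed by 16-byte ICONDIRENTRY records, little-endian): a declared entry size must lie inside the file, the entry count must be sane, and the pixel count must stay under a budget. The budget default, the builder helper and the sample files are assumptions constructed for the demonstration.

```python
"""Validate an ICO container's directory before allocating anything for the
images it claims to contain.

Added example, not Pillow's IcoImagePlugin. Only the ICONDIR and
ICONDIRENTRY structures are parsed; the payload after the directory is
never decoded here. MAX_PIXELS is an assumption (it is the per-image default
Pillow uses for its own decompression-bomb check).
"""
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset
MAX_PIXELS = 89_478_485                    # per image; assumption
MAX_ENTRIES = 256


class UntrustedSizeError(ValueError):
    """A declared size in the ICO directory is not backed by the file."""


def validate_ico(data, max_pixels=MAX_PIXELS, max_entries=MAX_ENTRIES):
    """Return [(width, height, bpp, size, offset), ...] for each directory
    entry, or raise. Every number a decoder would later size an allocation
    from is checked against what the file actually contains."""
    if len(data) < ICONDIR.size:
        raise ValueError("truncated ICONDIR")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    if count > max_entries:
        raise UntrustedSizeError("directory claims %d entries" % count)
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < dir_end:
        raise ValueError("directory runs past end of file")
    entries = []
    for i in range(count):
        w, h, _colors, _res, _planes, bpp, size, offset = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        w = w or 256  # a zero byte means 256 in this format
        h = h or 256
        if offset < dir_end or size == 0 or offset + size > len(data):
            raise UntrustedSizeError(
                "entry %d declares %d bytes at offset %d, file is %d bytes"
                % (i, size, offset, len(data)))
        if w * h > max_pixels:
            raise UntrustedSizeError("entry %d is %dx%d, over the pixel budget" % (i, w, h))
        entries.append((w, h, bpp, size, offset))
    return entries


def ico_is_safe(data, **limits):
    """Boolean form of validate_ico."""
    try:
        validate_ico(data, **limits)
        return True
    except ValueError:  # UntrustedSizeError is a ValueError too
        return False


def _build_ico(images, size_override=None):
    """Constructed helper: images is a list of (w, h, bpp, payload bytes).
    Offsets are computed honestly; size_override, if given, replaces the
    declared size of the first entry to simulate a lying header."""
    header = ICONDIR.pack(0, 1, len(images))
    offset = ICONDIR.size + len(images) * ICONDIRENTRY.size
    directory, blobs = b"", b""
    for i, (w, h, bpp, payload) in enumerate(images):
        size = len(payload) if not (i == 0 and size_override is not None) else size_override
        directory += ICONDIRENTRY.pack(w % 256, h % 256, 0, 0, 1, bpp, size, offset)
        blobs += payload
        offset += len(payload)
    return header + directory + blobs


# Constructed samples. Payloads are placeholders, not real bitmaps.
GOOD_ICO = _build_ico([(16, 16, 32, b"\x00" * 64), (32, 32, 32, b"\x00" * 128)])
LYING_SIZE_ICO = _build_ico([(16, 16, 32, b"\x00" * 64)], size_override=0x7FFFFFFF)
```

ICO's one-byte dimension fields cap an entry at 256x256, so in this container it is the byte-size field that can be inflated, which is what the advisory describes; the pixel budget matters more for containers such as BLP and ICNS that carry wider dimension fields, and the check is exercised here by lowering the limit.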
OS      Version  Architecture  Package  Version  Filename
Cobalt  any      noarch        python   < 2.7.5  UNKNOWN
