Lucene search

K
rosalinuxROSA LABROSA-SA-2023-2203
HistoryAug 01, 2023 - 12:58 p.m.

Advisory ROSA-SA-2023-2203

2023-08-0112:58:39
ROSA LAB
abf.rosalinux.ru
17
security advisory
python 2.7.5
rosa-server79
cve-2023-24329
python interpreter
urllib.parse
remote attacker
cr-lf characters
pycarg_repr
ctypes/callproc.c
http request
output encoding
urllib3 module
lib/tarfile.py
tar archive

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.038

Percentile

91.9%

Software: python 2.7.5
OS: rosa-server79

package_evr_string: python-2.7.5-93.res7

CVE-ID: CVE-2023-24329
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: A problem in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blacklisting methods by providing a URL that starts with empty characters.
CVE-STATUS: Fixed
CVE-REV: Run the yum update python command to close it

CVE-ID: CVE-2022-0391
BDU-ID: 2022-02302
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the urllib.parse module of the Python programming language interpreter is related to the failure to neutralize CRLF sequences. Exploitation of the vulnerability could allow an attacker acting remotely to pass specially crafted data containing CR-LF characters to an application and alter the application’s behavior
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update python command

CVE-ID: CVE-2021-3177
BDU-ID: 2021-01781
CVE-Crit: CRITICAL.
CVE-DESC.: A vulnerability in the PyCArg_repr (ctypes/callproc.c) function of the Python programming language interpreter is related to buffer copying without checking the size of the input data. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update python command.

CVE-ID: CVE-2020-26116
BDU-ID: 2021-03738
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the HTTP request method of the Python programming language is related to a flaw in the output encoding or escaping mechanism. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive data and compromise its integrity
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update python command

CVE-ID: CVE-2020-26137
BDU-ID: 2021-05230
CVE-Crit: MEDIUM
CVE-DESC.: Vulnerability in the urllib3 module of the Python programming language interpreter due to insufficient neutralization of special elements in a request, allowing an attacker to access sensitive data and compromise its integrity
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update python command

CVE-ID: CVE-2019-20907
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: In Lib/tarfile.py in Python before 3.8.3, an attacker could create a TAR archive leading to an infinite loop when opened with tarfile.open because _proc_pax lacks header validation.
CVE-STATUS: Fixed
CVE-REV: Run the yum update python command to close it

OSVersionArchitecturePackageVersionFilename
rosaanynoarchpython<Β 2.7.5UNKNOWN

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.038

Percentile

91.9%