361 matches found
Security feature bypass
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the eth-account PyPI package when an attacker is able to supply arbitrary input to the encode_structured_data method...
CVE-2022-1930
CVE-2022-1930 – ReDoS in eth-account encode_structured_data Affected software: eth-account Python package. Vulnerable component: encode_structured_data function, with root cause linked to the insecure regex pattern used for TYPE_REGEX in validation.py, enabling exponential Regular Expression Deni...
Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems
A now-removed rogue package pushed to the official third-party software repository for Python has been found to deploy cryptominers on Linux systems. The module, named "secretslib" and downloaded 93 times prior to its deletion, was released to the Python Package Index (PyPI) on August 6, 2022 and i...
CVE-2022-34501
The bin-collection package in PyPI before v0.1 included a code execution backdoor inserted by a third party...
CVE-2022-32997
The RootInteractive package in PyPI v0.0.5 to v0.0.19b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...
CVE-2022-30877
The keep for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2...
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys
Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package...
CVE-2021-29471
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including event_match, which matches event...
CVE-2022-28470
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor...
Server-Side Request Forgery in scout-browser
Pypi package scout-browser GitHub repository clinical-genomics/scout prior to v4.52 is vulnerable to server-side request forgery. An attacker could make the application perform arbitrary requests to steal cookies, request access to private areas, or lead to cross-site scripting...
GHSA-694V-63FQ-FMR4 Path Traversal in scout-browser
Scout is a Variant Call Format (VCF) visualization interface. The PyPI package scout-browser is vulnerable to path traversal due to a sendfile call in versions prior to 4.52...
aadhaar-detection (=0.5.0), accuinsight (>=1.0.84 <=1.0.87) +38 more potentially affected by CVE-2022-23594 via tensorflow (>=2.7.0 <=2.7.0rc1)
tensorflow PYPI version =2.7.0, =1.0.84, =3.0.22, =0.1.11, =0.1.11, =0.1.11, =0.1.0, =0.0.1, =0.1.5.dev202303131412, =0.1.0, =0.1.1 and more Source cves: CVE-2022-23594 Source advisory: OSV:GHSA-9X52-887G-FHC2...
125softnlp (=0.0.1), a2 (>=0.10.11 <=0.10.13) +4785 more potentially affected by CVE-2021-41216 via tensorflow (>=1.0.1 <=2.4.3)
tensorflow PYPI version =1.0.1, =0.10.11, =0.1.0, =0.0.0, =0.6.0, =0.1.6, =1.0.0, =2.0.0, =1.0.0, =0.0.1, =0.0.7 and more Source cves: CVE-2021-41216 Source advisory: OSV:GHSA-3FF2-R28G-W7H9...
a62-emotion (>=0.10.12 <=0.11.4), aiproteomics (=0.2.1) +96 more potentially affected by CVE-2021-41222 via tensorflow-cpu (>=1.15.0 <=2.4.0)
tensorflow-cpu PYPI version =1.15.0, =0.10.12, =2.0.0, =2.0.0, =1.0.0, =0.0.5, =0.3.0, =0.0.1, =0.8.1, =0.1.1, =1.3.0, =0.1.0.dev1, =0.0.1, =0.3.3 and more Source cves: CVE-2021-41222 Source advisory: OSV:GHSA-CPF4-WX82-GXP6...
CVE-2021-32838
CVE-2021-32838 : Flask-RESTX (flask-restx) before 0.5.1 is vulnerable to a Regular Expression Denial of Service (ReDoS) in email_regex. The issue is fixed in version 0.5.1. Affected: Flask-RESTX prior to 0.5.1. Impact details are limited to what the description states; no exploitation or scope be...
125softnlp (=0.0.1), a2 (>=0.10.11 <=0.10.13) +4664 more potentially affected by CVE-2021-29550 via tensorflow (>=1.0.1 <=2.2.0)
tensorflow PYPI version =1.0.1, =0.10.11, =0.1.0, =0.0.0, =0.6.0, =0.1.6, =1.0.0, =0.0.1, =0.2.0, =0.6.0, =0.1.0, =0.1.0, =0.2.0 and more Source cves: CVE-2021-29550 Source advisory: OSV:PYSEC-2021-187...
CVE-2021-21392
Synapse (matrix-synapse) prior to version 1.28.0 is affected by a vulnerability where requests to user-provided domains could escape external IP restrictions on dual-stack networks due to transitional IPv6 addresses. This may allow outbound requests to internal infrastructure during federation, i...
CVE-2021-21394 Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party...