771 matches found
urllib3: proxy-authorization request header is not stripped during cross-origin redirects
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the Proxy-Authorization HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects...
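The redirect logic the advisory describes, as an added illustration that is not urllib3's own code: a request header that carries credentials must be dropped when a redirect sends the request to a different origin (scheme, host or port). The header names in CREDENTIAL_HEADERS and the URLs in the demo are constructed for this example; urllib3 2.2.2 and later strip the same three headers by default when a redirect leaves the original host.

```python
from urllib.parse import urlsplit

# Request headers that carry credentials. Constructed for this example;
# urllib3 2.2.2 and later strip these same three by default on a redirect
# to a different host, and earlier versions only the first two.
CREDENTIAL_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that defines a URL's origin.

    Default ports are filled in so that https://a.example and
    https://a.example:443 compare as the same origin; hostnames are
    lower-cased because DNS names are case-insensitive.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url, to_url):
    return origin_of(from_url) != origin_of(to_url)


def headers_for_redirect(headers, from_url, to_url):
    """Return the headers to send to a redirect target.

    Credential-bearing headers are dropped when the target has a different
    origin; everything else is forwarded unchanged. Header names are compared
    case-insensitively, as HTTP requires.
    """
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in CREDENTIAL_HEADERS
    }


if __name__ == "__main__":
    # Constructed scenario: the caller set Proxy-Authorization by hand and the
    # first hop redirects to a host under someone else's control.
    sent = {"Proxy-Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"}
    print(headers_for_redirect(sent, "https://api.example.com/v1", "https://evil.example.net/"))
    print(headers_for_redirect(sent, "https://api.example.com/v1", "https://api.example.com/v2"))
```

The check matters most when Proxy-Authorization is set as an ordinary request header rather than through a proxy-aware client, because the library then has no other signal that the value is a credential.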
langtrace-python-sdk (>=1.0.9 <=1.1.30), lavague (>=1.0.3.post1 <=1.0.23.post1) +8 more potentially affected by CVE-2024-45201 via llama-index (>=0.10.0 <=0.10.36)
llama-index PYPI version =0.10.0, =1.0.9, =1.0.3.post1, =0.0.0, =2.0.6, =1.0.0, =1.0.0, =0.1.0, =0.15.0, =0.26.0, =0.31.1 - void-terminal =1.1.0 Source cves: CVE-2024-45201 Source advisory: OSV:PYSEC-2024-192...
a2grunnerp (>=0.1.0 <=0.1.8), a3m (=0.1.0) +952 more potentially affected by CVE-2024-7246 via grpcio (>=1.0.0rc2 <=1.58.0)
grpcio PYPI version =1.0.0rc2, =0.1.0, =0.2.3, =0.0.3, =1.1.0, =1.1.0, =0.1.0, =0.1.0, =2022.9.19, =1.0.0, =0.1.3, =0.0.1, =3.4.0, =3.12.0.dev2 and more Source cves: CVE-2024-7246 Source advisory: SNYK:PYTHON-GRPCIO-9486468...
Python Library Certifi < 2024.07.04 Untrusted Root Certificate
The detected version of the certifi Python package is prior to 2024.07.04 and therefore still contains root certificates from GLOBALTRUST, which are being removed from Mozilla's root store. An application that validates TLS connections against this bundle would still trust certificates chaining to those roots, which an unauthenticated, remote attacker holding such a certificate could exploit. Note that Nessus has not tested...
11x-wagtail-blog (>=0.0.0 <=0.2.0), aldryn-django (>=5.0.2.0 <=5.0.11.0) +235 more potentially affected by CVE-2024-39614 via django (>=5.0.0 <=5.0.6)
django PYPI version =5.0.0, =0.0.0, =5.0.2.0, =0.0.15, =1.14.3, =0.0.20, =0.0.13, =0.0.19, =0.0.34, =0.0.50, =0.0.5, =0.0.11, =1.0.3, =0.1.0, =0.2.5 and more Source cves: CVE-2024-39614 Source advisory: OSV:PYSEC-2024-59...
CLSA-2024-1720548691 python3: Fix of 2 CVEs
CVE-2023-6597: prevent tempfile.TemporaryDirectory from dereferencing symlinks during cleanup. CVE-2024-0450: make the zipfile module reject zip archives whose entries overlap, preventing the "quoted-overlap" zip-bomb exploit...
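The "quoted-overlap" technique behind CVE-2024-0450, as an added example that is neither CPython's fix nor code from the advisory: one stored entry's data contains a complete local header for a second entry, and the central directory points the second entry at that embedded header, so both entries share the same bytes and the archive declares more content than it holds. The builders, file names and payload below are constructed for this example; the detector is an independent check of the kind a practitioner can run before extracting an untrusted archive.

```python
import io
import struct
import zipfile
import zlib

# Minimal ZIP record builders (stored method, no extra fields, no comments).
# Constructed for this example so the archive can be built offline.

def _local_header(name, data):
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name), 0) + name


def _central_header(name, data, local_offset):
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name), 0, 0, 0, 0, 0,
                       local_offset) + name


def _eocd(count, cd_size, cd_offset):
    return struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, count, count,
                       cd_size, cd_offset, 0)


def make_quoted_overlap_zip(payload=b"A" * 1000):
    """Build a two-entry archive whose second entry is 'quoted' inside the first.

    outer.bin's stored data is a full local header plus payload for inner.txt;
    the central directory points inner.txt at that embedded header. Both names
    match their local headers, so a naive reader extracts both happily.
    """
    inner_name, outer_name = b"inner.txt", b"outer.bin"
    inner_record = _local_header(inner_name, payload) + payload
    outer_header = _local_header(outer_name, inner_record)
    body = outer_header + inner_record
    central = (_central_header(outer_name, inner_record, 0)
               + _central_header(inner_name, payload, len(outer_header)))
    return body + central + _eocd(2, len(central), len(body))


def make_clean_zip():
    """Ordinary two-member archive written by zipfile, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", b"A" * 1000)
        zf.writestr("b.txt", b"B" * 1000)
    return buf.getvalue()


def find_overlaps(zip_bytes):
    """Return (earlier, later) name pairs whose byte ranges overlap.

    Each entry's range runs from its local header to the end of its compressed
    data; the local header is parsed for its own name and extra lengths.
    Entries are walked in offset order, so a later entry that starts inside an
    earlier one is reported.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
    spans = []
    for info in infos:
        off = info.header_offset
        sig, name_len, extra_len = struct.unpack_from("<4s22xHH", zip_bytes, off)
        if sig != b"PK\x03\x04":
            raise zipfile.BadZipFile(f"bad local header for {info.filename!r}")
        end = off + 30 + name_len + extra_len + info.compress_size
        spans.append((off, end, info.filename))
    return [(a_name, b_name)
            for (_a_off, a_end, a_name), (b_off, _b_end, b_name) in zip(spans, spans[1:])
            if b_off < a_end]


def declared_ratio(zip_bytes):
    """Declared uncompressed bytes divided by the archive's size on disk.

    For a stored (uncompressed) archive this cannot legitimately exceed 1.0;
    a quoted-overlap bomb does, because shared bytes are counted repeatedly.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        declared = sum(i.file_size for i in zf.infolist())
    return declared / len(zip_bytes)


if __name__ == "__main__":
    bomb = make_quoted_overlap_zip()
    print("overlaps:", find_overlaps(bomb), "ratio:", round(declared_ratio(bomb), 2))
    print("clean overlaps:", find_overlaps(make_clean_zip()))
```

Reading the central directory alone does not reveal the problem, which is why the check compares local-header offsets against each predecessor's data extent; a patched zipfile performs an equivalent comparison when a member is opened.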
Malicious code in pythoncryptlibaryv2 (PyPI)
Malicious code in aietelegram (PyPI)
OESA-2024-1745 python-scikit-learn security update
A Python module for machine learning built on top of SciPy Security Fixes: A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the...
[SECURITY] Fedora 39 Update: python-authlib-1.3.1-1.fc39
Python library for building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included...
[SECURITY] Fedora 40 Update: python-authlib-1.3.1-1.fc40
Python library for building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included...
Microsoft Authentication Library Race Condition Vulnerability
Microsoft Authentication Library (MSAL) is an authentication library from Microsoft Corporation. A race condition vulnerability exists in MSAL. An attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected:...
aa-prepflow (>=0.1.0 <=0.1.1), agentsociety2 (>=2.0.0 <=2.2.0) +114 more potentially affected by CVE-2024-37063 via ydata-profiling (>=4.0.0 <=4.7.0)
ydata-profiling PYPI version =4.0.0, =0.1.0, =2.0.0, =0.74.0, =1.0.0, =0.1.0, =0.8.0, =0.1.2, =1.0.0, =2.0.1, =2.2.1 - classifier-toolkit =0.1.0 and more Source cves: CVE-2024-37063 Source advisory: OSV:GHSA-2R57-2MRH-GGJV...
CVE-2024-37065
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded...
NASA AIT-Core vulnerable to remote code execution
An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands...
CVE-2024-35060
An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file...
CVE-2024-35059
CVE-2024-35059 affects NASA AIT-Core v2.5.2 and its Pickle-based processing. Red Hat entries describe an unencrypted network channel enabling a man-in-the-middle, which when chained with CVE-2024-35059 results in unauthenticated, fully remote code execution. The core issue is the use of Pickle wi...
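The skops and AIT-Core entries above all come down to the same mechanism: unpickling attacker-controlled bytes executes whatever callable the stream names. The following added example is not code from skops, AIT-Core or the advisories; it shows a payload built from `__reduce__`, a static scan of the opcode stream that lists the globals a pickle would import without running it, and an allow-list unpickler in the style the Python documentation recommends. MaliciousModel, SAFE_OBJ and the allow-list contents are constructed for this example, and os.getenv stands in for the command execution a real payload would perform.

```python
import importlib
import io
import os
import pickle
import pickletools


class MaliciousModel:
    """Stand-in for an attacker-supplied 'model' object (constructed for this example).

    pickle serialises whatever __reduce__ returns: a callable and its
    arguments, which the unpickler invokes on load. os.getenv is a harmless
    placeholder for the command execution a real payload would perform.
    """

    def __reduce__(self):
        return (os.getenv, ("HOME",))


# Constructed benign object of the kind a model file legitimately holds.
SAFE_OBJ = {"weights": [0.1, 0.2, 0.7], "labels": ("cat", "dog")}


def make_malicious_pickle():
    return pickle.dumps(MaliciousModel())


def make_safe_pickle():
    return pickle.dumps(SAFE_OBJ)


def list_globals(blob):
    """List every (module, name) a pickle stream would import, without running it.

    Simplified static scan of the opcode stream: GLOBAL carries 'module name'
    inline; STACK_GLOBAL consumes the two most recently pushed strings.
    Enough to triage a blob before deciding whether to load it.
    """
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((recent[-2], recent[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; refuse everything else.

    The allow-list is an example; a real deployment lists exactly the classes
    its model format needs and nothing callable on arbitrary input.
    """

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob):
    """True if the allow-list unpickler refuses the stream."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = make_malicious_pickle()
    print("globals referenced:", list_globals(payload))   # os.getenv, not a model
    print("rejected by allow-list:", is_rejected(payload))
    print("benign object loads:", safe_load(make_safe_pickle()) == SAFE_OBJ)
```

The static scan is a triage aid, not a guarantee: an allow-list in find_class is the control that actually prevents execution, and neither replaces moving model exchange to a format that carries no code.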