python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect i.e., a redirect that differs in host, port, or scheme. This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext...

DEBIAN-CVE-2020-7212

The encodeinvalidchars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service CPU consumption because of an inefficient algorithm. The percentencodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length ...

PT-2020-5140

Name of the Vulnerable Software and Affected Versions urllib3 library versions 1.25.2 through 1.25.7 Description The issue is related to an inefficient algorithm in the encode invalid chars function, which can lead to a denial of service due to CPU consumption. This happens because the percent...

ambition-edc (>=0.3.68 <=0.3.72), caluma (>=5.2.1 <=5.3.1) +28 more potentially affected by CVE-2020-9402 via django (>=2.2.0 <=2.2.10)

django PYPI version =2.2.0, =0.3.68, =5.2.1, =0.1.0, =0.0.1, =0.0.1, =0.0.1, =0.0.26 - django-smorest =0.1.3 - djangorestframework-simplejwt-captcha =1.1.4 - djpub =0.0.1 and more Source cves: CVE-2020-9402 Source advisory: OSV:PYSEC-2020-345...

Blinder - A Python Library To Automate Time-Based Blind SQL Injection

Blidner is a small python library to automate time-based blind SQL injection by using a pre defined queries as a functions to automate a rapid PoC development. Installation You can install Blinder using the following command: pip install blinder Or by downloading the source and importing it...

[SECURITY] [DLA 2057-1] pillow security update

Package : pillow Version : 2.6.1-2+deb8u4 CVE IDs : CVE-2019-19911 CVE-2020-5312 CVE-2020-5313 Debian Bug : 948224 It was discovered that there were three vulnerabilities in Pillow, an imaging library for the Python programming language: CVE-2019-19911: Prevent a denial-of-service vulnerability...

acclaim-badges (=0.1.0), admindjango-ckeditor-blog (=0.1.0) +158 more potentially affected by CVE-2019-19844 via django (>=1.10.0 <=1.11.26)

django PYPI version =1.10.0, =0.2.0.dev20181221, =0.1.0b2696.post0.dev1, =0.2.1, =3.1.4, =2.0.0, =0.3.1, =0.0.19, =0.0.24 and more Source cves: CVE-2019-19844 Source advisory: OSV:PYSEC-2019-16...

DEBIAN-CVE-2019-18874

psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...

python-urllib3: Certification mishandle when error should be thrown

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use o...

python: CRLF injection via the path part of the url passed to urlopen()

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

USN-4171-3 apport regression

USN-4171-1 fixed vulnerabilities in Apport. The update caused a regression in the Python Apport library. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user...

PESTO - PE (files) Statistical Tool

PESTO is a Python script that extracts and saves in a database some PE file security characteristics or flags searching for every PE binary in a whole directory, and saving results in a database. It checks for architecture flag in the header, and for the following security flags: ASLR, NOSEH, DEP...

UBUNTU-CVE-2019-15790

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through getpidinfo in data/apport. An unprivileged user could exploit this to read information about a privileged...

[SECURITY] Fedora 31 Update: python-ecdsa-0.13.3-1.fc31

This is an easy-to-use implementation of ECDSA cryptography Elliptic Curve Digital Signature Algorithm, implemented purely in Python, released under the MIT license. With this library, you can quickly create keypairs signing key and verifying key, sign messages, and verify the signatures. The key...

UBUNTU-CVE-2019-17626

ReportLab through 3.5.26 allows remote code execution because of toColorevalarg in colors.py, as demonstrated by a crafted XML document with 'span color="' followed by arbitrary Python code...

UBUNTU-CVE-2019-16328

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings...

PYSEC-2019-240

An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdbenvopen2 if mdbenvreadheader obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

UBUNTU-CVE-2019-16226

An issue was discovered in py-lmdb 0.97. mdbnodedel does not validate a memmove in the case of an unexpected node-mnhi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

Fedora Update for python-mitogen FEDORA-2019-1f17485159

The remote host is missing an update for the Copyright C 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

a3m (=0.1.0), aa-fleet (>=1.0.0 <=1.1.0) +656 more potentially affected by CVE-2019-14234 via django (>=2.2.0 <=2.2.3)

django PYPI version =2.2.0, =1.0.0, =1.1.12, =0.1.0a0, =0.1.0a0, =1.2.0a1, =2.0.0, =0.1.0, =1.1.0, =1.4.1, =1.6.0 - aiida-crystal17 =0.11.0 and more Source cves: CVE-2019-14234 Source advisory: OSV:PYSEC-2019-13...