
222 matches found

OSV
added 2020/03/11 5:15 p.m. · 1 views

DEBIAN-CVE-2013-1753

The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request...

CVSS 7.5 · AI score 7.3 · EPSS 0.00371
Exploits: 0 · References: 1
OSV
added 2020/02/20 5:15 p.m. · 1 views

DEBIAN-CVE-2014-4650

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as...

CVSS 9.8 · AI score 8.6 · EPSS 0.07232
Exploits: 5 · References: 1
OSV
added 2020/02/04 3:15 p.m. · 1 views

AZL-6826 CVE-2019-9674 affecting package python2 for versions less than 2.7.18-8

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb...

CVSS 7.5 · AI score 6.8 · EPSS 0.01416
Exploits: 0 · References: 1
OSV
added 2020/01/30 7:15 p.m. · 1 views

DEBIAN-CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking...

CVSS 6.5 · AI score 7.1 · EPSS 0.02954
Exploits: 1 · References: 1
OSV
added 2020/01/30 7:15 p.m. · 0 views

UBUNTU-CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking...

CVSS 6.5 · AI score 6.8 · EPSS 0.02954
Exploits: 1 · References: 10
Positive Technologies
added 2020/01/30 12:0 a.m. · 2 views

PT-2020-6268 · Python +9 · Python +9

Name of the Vulnerable Software and Affected Versions: Python versions 2.7 through 2.7.17; Python versions 3.5 through 3.5.9; Python versions 3.6 through 3.6.10; Python versions 3.7 through 3.7.6; Python versions 3.8 through 3.8.1. Description: The issue is related to an uncontrolled consumption of...

CVSS 10 · AI score 6.4 · EPSS 0.91789
Exploits: 84 · References: 487
Gitee
added 2020/01/09 9:23 a.m. · 3 views

Vulmap

This is a Python script for a local vulnerability scanner, specifically designed for Linux systems. The script, named Vulmap, is part of the Vulmap Local Vulnerability Scanners project. It scans the host for installed packages, queries the Vulmon API for vulnerabilities, and prints the results,...

AI score 6.6
Exploits: 0
RedHat Linux
added 2019/11/25 9:26 a.m. · 2 views

python: Cookie domain check returns incorrect results

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostnam...

CVSS 5.3 · AI score 6.8 · EPSS 0.01665
Exploits: 1 · References: 4
RedHat Linux
added 2019/11/06 9:47 a.m. · 3 views

python: CRLF injection via the path part of the url passed to urlopen()

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

CVSS 6.1 · AI score 6.7 · EPSS 0.0991
Exploits: 2 · References: 4
RedHat Linux
added 2019/11/06 9:47 a.m. · 1 views

python: Cookie domain check returns incorrect results

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostnam...

CVSS 5.3 · AI score 6.8 · EPSS 0.01665
Exploits: 1 · References: 4
RedHat Linux
added 2019/11/05 9:2 p.m. · 2 views

python: CRLF injection via the query part of the url passed to urlopen()

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the query string after a ? charact...

CVSS 6.1 · AI score 6.7 · EPSS 0.0991
Exploits: 1 · References: 4
Positive Technologies
added 2019/07/08 12:0 a.m. · 1 views

PT-2019-13316 · Python · Python

Name of the Vulnerable Software and Affected Versions: Python versions prior to 2.7.17; Python versions 3.x prior to 3.5. Description: The MSI installer for Python on Windows defaults to the C:\Python27 directory, making it easier for local users to deploy Trojan horse code. The vendor's position is...

CVSS 9.3 · AI score 7.7 · EPSS 0.00157
Exploits: 0 · References: 7
Prion
added 2019/06/03 8:15 p.m. · 16 views

Design/Logic Flaw

Rejected reason: Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not y...

AI score 6.8
Exploits: 1
Positive Technologies
added 2019/03/20 12:0 a.m. · 1 views

PT-2019-6075 · Python +8 · Python +8

Name of the Vulnerable Software and Affected Versions: Python versions prior to 3.9.5; Python versions 3.8.0 through 3.10. Description: The issue is related to the ipaddress library in Python, which mishandles leading zero characters in the octets of an IP address string. This can allow attackers t...

CVSS 9.8 · AI score 6.7 · EPSS 0.0991
Exploits: 57 · References: 355
Positive Technologies
added 2019/03/12 12:0 a.m. · 5 views

PT-2019-5894 · Python +8 · Urllib2 +10

Name of the Vulnerable Software and Affected Versions: Python versions 2.x through 2.7.16; Python versions 3.x through 3.7.3. Description: The issue is related to the urllib2 module in Python, which does not properly neutralize CRLF sequences. This allows for CRLF injection if an attacker controls ...

CVSS 9.8 · AI score 6.8 · EPSS 0.93745
Exploits: 39 · References: 432
OSV
added 2019/03/08 9:29 p.m. · 0 views

DEBIAN-CVE-2019-9636

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are:...

CVSS 9.8 · AI score 8.4 · EPSS 0.08764
Exploits: 0 · References: 1
Positive Technologies
added 2019/01/15 12:0 a.m. · 3 views

PT-2019-2581 · Python +6 · Python +6

Name of the Vulnerable Software and Affected Versions: Python versions 2.7.11 through 3.6.6. Description: The issue is related to a denial-of-service vulnerability in the X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of...

CVSS 10 · AI score 6.4 · EPSS 0.91789
Exploits: 129 · References: 973
n0where
added 2018/11/08 4:35 a.m. · 111 views

Reconnaissance Swiss Army Knife: ReconDog

Main Features: Wizard + CLA interface. Can extract targets from STDIN piped input and act upon them. All the information is extracted with APIs; no direct contact is made to the target. Utilities: Censys: Uses censys.io to gather massive amount of information about an IP address. NS Lookup: Does na...

AI score 6.8
Exploits: 0 · References: 2
Positive Technologies
added 2018/10/31 12:0 a.m. · 3 views

PT-2019-5708 · Python +8 · Python +8

Name of the Vulnerable Software and Affected Versions: Python versions 2.x through 2.7.16; Python versions 3.x before 3.4.10; Python versions 3.5.x before 3.5.7; Python versions 3.6.x before 3.6.9; Python versions 3.7.x before 3.7.3. Description: The issue is related to the incorrect domain validation...

CVSS 10 · AI score 6.7 · EPSS 0.90232
Exploits: 126 · References: 967
OSV
added 2018/09/25 12:29 a.m. · 3 views

DEBIAN-CVE-2018-14647

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming...

CVSS 7.5 · AI score 8.4 · EPSS 0.01247
Exploits: 0 · References: 1