ohmyzsh OS command injection vulnerability
ohmyzsh is an open source, community-driven framework for managing your zsh configuration. An operating system command injection vulnerability exists in ohmyzsh: its omzurldecode function uses eval to decode its input, so crafted input can inject shell commands. This...
CentOS 8 : python38:3.8 and python38-devel:3.8 (CESA-2021:4162)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4162 advisory. - python-psutil: Double free because of refcount mishandling CVE-2019-18874 - python: Unsafe use of eval on data retrieved via HTTP in the test suite...
CentOS 8 : python27:2.7 (CESA-2021:4151)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4151 advisory. - python: Unsafe use of eval on data retrieved via HTTP in the test suite CVE-2020-27619 - python-jinja2: ReDoS vulnerability in the urlize filter...
RHEL 8 : python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4162 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...
python: Unsafe use of eval() on data retrieved via HTTP in the test suite
In Python3's Lib/test/multibytecodecsupport.py CJK codec tests call eval on content retrieved via HTTP...
Command Injection
tensorflow is vulnerable to command injection. An attacker can inject and execute malicious commands via savedmodelcli.py, which calls eval on user-supplied strings...
PYSEC-2021-420
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the platform where the CLI tool runs. However, given...
PYSEC-2021-637
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the platform where the CLI tool runs. However, given...
Code injection
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the platform where the CLI tool runs. However, given...
CVE-2021-42057
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases...
Sql injection
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases...
CVE-2021-42057
Summary (CVE-2021-42057) Obsidian Dataview (plugin) up to 0.4.12-hotfix1 is vulnerable due to the evalInContext function executing user input, enabling an attacker to craft malicious Markdown files that will execute arbitrary code when opened. The issue is mitigated for some use cases by 0.4.13. ...
obsidian-dataview code injection vulnerability
obsidian-dataview is a software application, a complex query language implementation for the Obsidian note-taking tool. A security vulnerability exists in versions prior to Obsidian Dataview 0.4.12-hotfix1, which stems from the software's lack of effective restrictions and filters for eval...
GHSA-PGJJ-866W-FC5C Risk of code injection
Impact: Some routes use eval or the Function constructor, which may be injected by the target site with unsafe code, causing server-side security issues. Patches: Temporarily removed the problematic route and added a no-new-func rule to eslint. Self-built users should upgrade to 7f1c430 and later as soon...
CLSA-2021-1633442879 Fix of CVE: CVE-2020-26116, CVE-2020-8492, CVE-2018-20852, CVE-2020-27619
Add Oracle Linux distribution in platform.py - CVE-2018-20852: Prefix dot in domain for proper subdomain validation - CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client - CVE-2020-26116: http.client allows CRLF injection if...
UBUNTU-CVE-2021-32626
Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result in heap corruption and potentially remote co...
Design/Logic Flaw
Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result in heap corruption and potentially remote co...
Fix of CVE: CVE-2018-20852, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619
Add Oracle Linux distribution in platform.py - CVE-2018-20852: Prefix dot in domain for proper subdomain validation - CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client - CVE-2020-26116: http.client allows CRLF injection if...