8 matches found
GHSA-3VVQ-Q2QC-7RMP OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
Impact B-M3: ClawHub package downloads are not enforced with integrity verification. ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and doe...
setuptools: Path Traversal Vulnerability in setuptools PackageIndex
A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of...
Kedro allows Remote Code Execution by Pulling Micro Packages
In kedro-org/kedro version 0.19.8, the pullpackage API function allows users to download and extract micro packages from the Internet. However, the function projectwheelmetadata within the code path can execute the setup.py file inside the tar file, leading to remote code execution RCE by running...
Man-in-the-Middle (MitM)
lix is vulnerable to man-in-the-middle attack. Package downloads are allowed via an insecure HTTP channel after following the Location header redirects. This allows for an attacker in a privileged network position to intercept and modify a package installation and redirect the download to a...
Machine-In-The-Middle
Overview All versions of lix are vulnerable to Machine-In-The-Middle. The package accepts downloads with http and follows location header redirects for package downloads. This allows for an attacker in a privileged network position to intercept a lix package installation and redirect the download...
Design/Logic Flaw
OpenStack Heat Templates heat-templates, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download 1 packages and 2 signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors...
Metasploit Modules Available for Seven Open Source Packages
Open source projects with anywhere between 100,000 and 1 million downloads are pretty sizable endeavors, and with the code open for scrutiny, you would think bugs would be found and some sort of disclosure process would be in place. If a spate of recently discovered issues in seven popular softwa...
Fedora 17 : python-virtualenv-1.9.1-1.fc17 (2013-8221)
Fixes two security issues with the bundled copy of pip : - Insecure tempdir usage CVE-2013-1888 - Uses http:// to download packages instead of https:// See changelog at: http://pypi.python.org/pypi/virtualenvid2 Multiple bugfixes. See http://pypi.python.org/pypi/virtualenv/1.7.1.2 for...