807 matches found

OSV, added 2023/10/09 6:57 p.m., 3 views

CLSA-2023-1696877835 python: Fix of CVE-2022-48565

CVE-2022-48565: Reject XML entity declarations in plist files...

CVSS 9.8, AI score 6.9, EPSS 0.04268
Exploits: 3, References: 1
CNNVD, added 2023/10/04 12:00 a.m., 5 views

urllib3 Information Disclosure Vulnerability

urllib3 is a Python HTTP library. It features thread-safe connection pooling, file publishing support, and more. An information disclosure vulnerability exists in urllib3 that stems from not stripping cookie request headers during cross-origin redirects, causing HTTP redirects to leak information...

CVSS 8.1, AI score 6.3, EPSS 0.01207
Exploits: 0, References: 22
OSV, added 2023/09/06 7:53 a.m., 6 views

CLSA-2023-1693986821 python3: Fix of 2 CVEs

CVE-2022-48565: Reject XML entity declarations in plist files - CVE-2022-48566: Remove possible time-affected optimization...

CVSS 9.8, AI score 6.8, EPSS 0.04268
Exploits: 4, References: 1
vulnersOsv, added 2023/09/05 11:15 a.m., 5 views

elita (>=0.60.0 <=0.64.1), slskit (>=2020.1.1 <=2020.9.0) potentially affected by CVE-2023-20897 via salt (>=2014.1.10 <=3001.8.0)

salt PYPI version =2014.1.10, =0.60.0, =2020.1.1, =2020.9.0 Source cves: CVE-2023-20897 Source advisory: OSV:PYSEC-2023-166...

CVSS 5.3, AI score 6, EPSS 0.01033
Exploits: 0
Fedora, added 2023/08/25 12:43 a.m., 47 views

[SECURITY] Fedora 37 Update: GitPython-3.1.32-1.fc37

GitPython is a Python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing. It provides abstractions of git objects for easy access of repository data, and additionally allows you to access the git repository more directly using either a...

CVSS 9.8, AI score 9.2, EPSS 0.05378
Exploits: 1
ATTACKERKB, added 2023/08/22 7:16 p.m., 2 views

CVE-2022-48566

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest...

CVSS 5.9, AI score 6.8, EPSS 0.01148
Exploits: 1, References: 5
Fedora, added 2023/08/22 5:17 p.m., 42 views

[SECURITY] Fedora 38 Update: GitPython-3.1.32-1.fc38

GitPython is a Python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing. It provides abstractions of git objects for easy access of repository data, and additionally allows you to access the git repository more directly using either a...

CVSS 9.8, AI score 9.2, EPSS 0.05378
Exploits: 1
OSV, added 2023/07/25 11:33 a.m., 5 views

USN-6203-2 python-django vulnerability

USN-6203-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 ESM. Original advisory details: Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consu...

CVSS 7.5, AI score 7.2, EPSS 0.02669
Exploits: 0, References: 2
OSV, added 2023/07/14 9:31 p.m., 2 views

GHSA-CF7P-GM2M-833M cryptography mishandles SSH certificates

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options...

CVSS 8.7, AI score 5.9, EPSS 0.00613
Exploits: 1, References: 12
Kitploit, added 2023/07/07 12:30 p.m., 83 views

Badsecrets - A Library For Detecting Known Secrets Across Many Web Frameworks

A pure Python library for identifying the use of known or very weak cryptographic secrets across a variety of platforms. The project is designed both to be a repository of various "known secrets" (for example, ASP.NET machine keys found in examples in tutorials) and to provide a language-agnostic...

CVSS 9.8, AI score 9.8, EPSS 0.75098
Exploits: 5, References: 7
vulnersOsv, added 2023/07/06 2:15 p.m., 3 views

agent-actors (=0.1.0), agent-reader (>=0.2.1 <=0.2.2) +176 more potentially affected by CVE-2023-36189 via langchain (>=0.0.100 <=0.0.246)

langchain PYPI version =0.0.100, =0.2.1, =0.1.0, =0.1.5, =0.0.1, =0.0.1, =0.0.1, =0.0.5, =0.0.14, =0.1.9, =0.0.33, =0.1.0a0, =0.2.0, =0.1.3, =0.1.5 and more Source cves: CVE-2023-36189 Source advisory: OSV:PYSEC-2023-110...

CVSS 7.5, AI score 7.1, EPSS 0.00905
Exploits: 1
UbuntuCve, added 2023/07/05 8:15 p.m., 16 views

CVE-2023-34457

MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a file input inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took...

CVSS 7.5, AI score 7.2, EPSS 0.009
Exploits: 1, References: 4
Vulnrichment, added 2023/07/05 7:25 p.m., 16 views

CVE-2023-34457 MechanicalSoup vulnerable to malicious web server reading arbitrary files on client using file input inside HTML form

MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a file input inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took...

CVSS 5.9, AI score 6.6, EPSS 0.009
Exploits: 1, References: 4
CVE, added 2023/07/05 7:25 p.m., 50 views

CVE-2023-34457

CVE-2023-34457 affects MechanicalSoup prior to 1.3.0, where a malicious server could cause the client to upload local files via an HTML input type="file" in forms. Root cause: the form submission logic uses the tag value as a file path, reads that file and attaches it to the request, enabling unintended disclo...

CVSS 7.5, AI score 6.4, EPSS 0.009
Exploits: 1, References: 4, Affected Software: 1
Prion, added 2023/06/23 10:15 p.m., 18 views

Command injection

jcvi is a Python library to facilitate genome assembly, annotation, and comparative genomics. A configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lea...

CVSS 6.5, AI score 9.2, EPSS 0.01705
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment, added 2023/06/23 9:05 p.m., 11 views

CVE-2023-35932 jcvi vulnerable to Configuration Injection due to unsanitized user input

jcvi is a Python library to facilitate genome assembly, annotation, and comparative genomics. A configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lea...

CVSS 7.1, AI score 8, EPSS 0.01705
Exploits: 0, References: 2
CVE, added 2023/06/23 9:05 p.m., 58 views

CVE-2023-35932

CVE-2023-35932 (jcvi) : The jcvi Python library is vulnerable to a configuration injection via unsanitized user input that reaches the configuration file (notably ~/.jcvirc). The issue centers on the code path in jcvi/apps/base.py where a user-provided value is stored as a path for binaries; unde...

CVSS 8.8, AI score 8.4, EPSS 0.01705
Exploits: 0, References: 2, Affected Software: 1
Cvelist, added 2023/06/23 9:05 p.m., 50 views

CVE-2023-35932 jcvi vulnerable to Configuration Injection due to unsanitized user input

jcvi is a Python library to facilitate genome assembly, annotation, and comparative genomics. A configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lea...

CVSS 7.1, AI score 9.5, EPSS 0.01705
Exploits: 0, References: 2
CNNVD, added 2023/06/23 12:00 a.m., 3 views

jcvi Command Injection Vulnerability

jcvi is a Python library. A command injection vulnerability exists in jcvi 1.3.5 and earlier versions; it stems from allowing an attacker to perform command injection by constructing a payload...

CVSS 8.8, AI score 7.9, EPSS 0.01705
Exploits: 0, References: 3
NVD, added 2023/06/08 12:15 a.m., 46 views

CVE-2023-34239

Gradio is an open-source Python library that is used to build machine learning and data science applications. Due to a lack of path filtering, Gradio does not properly restrict file access to users. Additionally, Gradio does not properly restrict which URLs are proxied. These issues have been addressed in...

CVSS 9.1, AI score 7.7, EPSS 0.00651
Exploits: 0, References: 3