Malicious code in cccxt (PyPI)
Source: checkmarx bbf77e85143db2624a1691f94e6382f42d72ab92eec168499ba0ac0b1f0081d3. Attacker distributed 900+ malicious packages via PyPI, infecting local browsers with a malicious extension to manipulate the clipboard and replace crypto wallet...
0lever-utils (>=0.0.2 <=0.0.7), 0x-web3 (=5.0.0a5) +1567 more potentially affected by CVE-2023-0286 via cryptography (>=0.8.1 <=39.0.0)
cryptography PyPI version =0.8.1, =0.0.2, =0.1.0, =0.5.0rc5, =1.0.0, =2.6.3, =1.0.4, =2.8.1, =0.4.0, =2.0.0, =0.1.1, =0.1.15 and more. Source CVEs: CVE-2023-0286. Source advisory: OSV:GHSA-X4QR-2FVF-3MR5...
aws-syndicate (>=0.9.2 <=1.9.4), bcipy (>=1.1.1 <=1.4.2) +40 more potentially affected by CVE-2023-26112 via configobj (>=5.0.0 <=5.0.8)
configobj PyPI version =5.0.0, =0.9.2, =1.1.1, =0.4.1, =1.0.0, =1.0.0, =1.7.0, =0.0.2, =0.1.5, =0.1.2, =0.0.26, =0.1.0, =2.1.0, =0.1.5, =0.1.14, =2018.4.2.1 and more. Source CVEs: CVE-2023-26112. Source advisory: SNYK:PYTHON-CONFIGOBJ-3252494...
Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems
A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages, named colorslib versions 4.6.11 and 4.6.12, httpslib versions 4.6.9 and 4.6.11, and libhttps version...
MGASA-2023-0001 Updated python-gitpython packages fix security vulnerability
Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments...
aap-client-python (>=0.1.1 <=0.1.3), activedirectoryenum (>=0.4.0 <=0.5.0) +538 more potentially affected by CVE-2022-40899 via future (>=0.11.4 <=0.18.2)
future PyPI version =0.11.4, =0.1.1, =0.4.0, =1.3.3, =0.1.0, =1.3.0, =0.5.1, =1.0.0, =0.1.2, =1.0.0, =1.10.0, =0.3.3, =0.8.0 - anomalydetection =0.0.0.dev1 and more. Source CVEs: CVE-2022-40899. Source advisory: OSV:PYSEC-2022-42991...
PYSEC-2022-42994
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine...
GuardDog path traversal vulnerability
GuardDog is an open source CLI tool from GuardDog that allows the identification of malicious PyPI packages. A security vulnerability exists in GuardDog versions prior to 0.1.5, which stems from a relative path traversal weakness when scanning specially crafted local PyPI packages...
GuardDog path traversal vulnerability
GuardDog is an open source CLI tool from GuardDog that allows the identification of malicious PyPI packages. A path traversal vulnerability exists in GuardDog versions prior to v0.1.8, which stems from an arbitrary file write weakness when scanning specially crafted remote PyPI packages, and the use of...
animl (>=1.1.2 <=1.1.4), arekit (>=0.21.0 <=0.22.1) +188 more potentially affected by CVE-2022-41890 via tensorflow-gpu (>=1.10.1 <=2.8.3)
tensorflow-gpu PyPI version =1.10.1, =1.1.2, =0.21.0, =0.23.0, =0.9.2, =1.0.0, =0.1.0, =0.0.1, =0.0.9, =0.1.0, =0.0.1, =1.0.0, =1.0.3 - brainhance =0.0.1 and more. Source CVEs: CVE-2022-41890. Source advisory: OSV:GHSA-H246-CGH4-7475...
125softnlp (=0.0.1), a2 (>=0.10.11 <=0.10.13) +4868 more potentially affected by CVE-2022-41885 via tensorflow (>=1.0.1 <=2.7.3)
tensorflow PyPI version =1.0.1, =0.10.11, =0.1.0, =0.0.0, =0.5.0, =0.1.6, =1.0.0, =2.0.0, =1.0.0, =0.0.1, =0.0.7 and more. Source CVEs: CVE-2022-41885. Source advisory: OSV:GHSA-762H-VPVW-3RCX...
a-poem (=0.12.3), active-wrapper (>=0.1.0 <=0.1.4) +146 more potentially affected by CVE-2022-42966 via cleo (>=0.6.8 <=1.0.0a5)
cleo PyPI version =0.6.8, =0.1.0, =0.1.3, =0.1.0, =0.1.1, =0.1.0, =0.1.0a0, =0.1.1.1, =0.1.0, =0.2.7, =0.0.465, =0.0.503 and more. Source CVEs: CVE-2022-42966. Source advisory: OSV:GHSA-2P9H-CCW7-33GF...
PYSEC-2022-43126
The d8s-dates package for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The third-party-inserted potential code-execution backdoor is the democritus-timezones package. The affected version of d8s-htm is 0.1.0...
PT-2022-37356 · Pypi · D8S-Htm +2
Name of the vulnerable software and affected versions: d8s-xml version 0.1.0, d8s-htm version 0.1.0. Description: A potential code-execution backdoor was inserted by a third party into the d8s-xml package for python distributed on PyPI. Another affected package is democritus-utility, which also...
azure-arm-nb-extensions (>=0.0.1 <=0.0.2), chemscraper (>=0.1.0 <=0.2.0) +18 more potentially affected by CVE-2022-39286 via jupyter-core (>=4.10.0 <=4.11.1)
jupyter-core PyPI version =4.10.0, =0.0.1, =0.1.0, =1.0.0, =0.0.5, =0.0.6, =0.2.8, =9.0.2, =0.3.20, =0.0.2, =0.0.4, =1.0.0, =0.3.5.dev2659611866, =0.3.5.dev2797484311 and more. Source CVEs: CVE-2022-39286. Source advisory: OSV:PYSEC-2022-42974...
MGASA-2022-0367 Updated python packages fix security vulnerability
CVE-2015-20107: The mailcap module does not add escape characters into commands discovered in the system mailcap file. CVE-2021-4189: Allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. The urlparse method does not...
d8s-asns (>=0.2.0 <=0.7.0), d8s-html (>=0.2.0 <=0.6.1) +5 more potentially affected by CVE-2022-41384 via d8s-domains (=0.6.0)
d8s-domains PyPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on d8s-domains and may be impacted: - d8s-asns =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.8.0. Source CVEs: CVE-2022-41384. Source advisory: OSV:PYSEC-2022-43023...
Important Photon OS Security Update - PHSA-2022-3.0-0463
Updates of 'python3', 'python2' packages of Photon OS have been released...