Lucene search
K
PypaMost viewed

5624 matches found

PyPA
PyPA
added 2023/05/26 2:15 p.m.10 views

PYSEC-2023-66

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that...

6.5CVSS6.8AI score0.00941EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/05/02 6:15 p.m.10 views

PYSEC-2023-62

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session...

7.5CVSS7.5AI score0.01261EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/03/20 4:15 p.m.10 views

PYSEC-2023-9

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service...

9.9CVSS6.9AI score0.00722EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/03/10 2:15 a.m.10 views

PYSEC-2023-317

WebAssembly v1.0.29 was discovered to contain a heap overflow via the component component wabt::Node::operator...

7.8CVSS7.1AI score0.00318EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2023/03/01 5:15 p.m.10 views

PYSEC-2023-313

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is...

6.5CVSS6.5AI score0.00591EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/02/21 9:15 p.m.10 views

PYSEC-2023-37

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. In Nautobot 1.5.7 has enabled sandboxed environments for the...

9.8CVSS8AI score0.01526EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/02/17 10:15 p.m.10 views

PYSEC-2023-10

Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection...

5.4CVSS5.9AI score0.00631EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/12/27 3:15 p.m.10 views

PYSEC-2022-43005

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5...

9.8CVSS6.7AI score0.00967EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.10 views

PYSEC-2022-43029

The d8s-pdfs package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.10 views

PYSEC-2022-43022

The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 2:15 p.m.10 views

PYSEC-2022-303

mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage...

7.5CVSS6.8AI score0.01005EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/26 10:15 p.m.10 views

PYSEC-2022-294

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8...

7.5CVSS6.8AI score0.00951EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/19 4:15 p.m.10 views

PYSEC-2022-43076

The d8s-grammars for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0...

9.8CVSS7AI score0.01238EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/09/19 4:15 p.m.10 views

PYSEC-2022-43074

The d8s-archives for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0...

9.8CVSS7AI score0.01238EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/09/17 8:15 p.m.10 views

PYSEC-2022-281

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.5...

6.5CVSS6.7AI score0.00331EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/13 9:15 p.m.10 views

PYSEC-2022-274

LIEF commit 5d1d643 was discovered to contain a heap-buffer overflow in the component /core/CorePrPsInfo.tcc...

7.8CVSS7.6AI score0.00328EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/09/07 7:15 p.m.10 views

PYSEC-2022-266

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as git clone. These commands are constructed using user input e.g. the repository URL. When building the commands, Poetry correctly avoid...

7.3CVSS7.6AI score0.01413EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/08/25 6:15 p.m.10 views

PYSEC-2022-255

There is a NULL pointer dereference vulnerability in VTK, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and try to dereference it. It is unsafe as the return value can be NULL and that NULL pointer dereference may...

7.5CVSS6.8AI score0.01066EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/08/25 6:15 p.m.10 views

PYSEC-2022-254

A vulnerability was found in modwsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing...

7.5CVSS6.8AI score0.0069EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/06/09 9:15 a.m.10 views

PYSEC-2022-43053

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address including side effects could be evaluated twice. This may result in incorrect outcomes for contracts. This issue...

8.2CVSS6.7AI score0.01209EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/05/24 3:15 p.m.10 views

PYSEC-2022-202

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...

7.5CVSS9AI score0.012EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2022/04/12 5:15 a.m.10 views

PYSEC-2022-190

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL injection in column aliases via a crafted dictionary with dictionary expansion as the passed kwargs...

9.8CVSS8AI score0.18516EPSS
Exploits3References6Affected Software1
PyPA
PyPA
added 2022/03/05 10:15 p.m.10 views

PYSEC-2022-181

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0...

10CVSS7.1AI score0.00965EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/02/04 11:15 p.m.10 views

PYSEC-2022-95

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this comm...

6.5CVSS6.8AI score0.008EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/02/04 11:15 p.m.10 views

PYSEC-2022-72

Tensorflow is an Open Source Machine Learning Framework. In multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in...

7.1CVSS6.9AI score0.0011EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2022/02/04 11:15 p.m.10 views

PYSEC-2022-134

Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK. However, DCHECK is a no-op in production builds...

6.5CVSS6.9AI score0.00992EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/02/03 11:15 a.m.10 views

PYSEC-2022-105

Tensorflow is an Open Source Machine Learning Framework. The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses. The axis argument can be -1 the default value for the optional argument or any other positive value at most the number of...

8.8CVSS7AI score0.00818EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/01/18 10:15 p.m.10 views

PYSEC-2022-46

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions authenticated users or unauthenticated in public mode can send messages without being visible in the list of chat participants. Th...

5.3CVSS6.8AI score0.00849EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2022/01/10 2:12 p.m.10 views

PYSEC-2022-4

The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query...

7.5CVSS6.9AI score0.00844EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/12/06 6:15 p.m.10 views

PYSEC-2021-838

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

6.4CVSS7AI score0.00662EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/11/22 9:15 p.m.10 views

PYSEC-2021-860

Croatia Control Asterix 2.8.1 pythonv0.7.2 has a heap-based buffer over-read, with additional details to be disclosed at a later date...

9.1CVSS7.1AI score0.01125EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2021/09/27 6:15 a.m.10 views

PYSEC-2021-353

furlongm openvpn-monitor through 1.1.3 allows %0a command injection via the OpenVPN management interface socket. This can shut down the server via signal%20SIGTERM...

7.8CVSS7.7AI score0.03314EPSS
Exploits2References3Affected Software1
PyPA
PyPA
added 2021/09/17 9:15 p.m.10 views

PYSEC-2021-321

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses externrefs in Wasmtime. To trigger thi...

6.3CVSS7.2AI score0.00291EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2021/08/12 11:15 p.m.10 views

PYSEC-2021-794

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of division in TFLite is vulnerable to a division by 0 error. There is no check that the divisor tensor does not contain zero elements. We have patched the issue in GitHub commit...

5.5CVSS6.9AI score0.00154EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/08/12 11:15 p.m.10 views

PYSEC-2021-314

TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, C.TFTStringDealloc is called during garbage collection within a finalizer function. However, tensor...

5.5CVSS7.1AI score0.00172EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2021/08/12 9:15 p.m.10 views

PYSEC-2021-279

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.rawops.MatrixDiagV. The implementation has incomplete validation that the value of k is a valid...

7.8CVSS7.1AI score0.00167EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/08/12 6:15 p.m.10 views

PYSEC-2021-555

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.rawops.ResourceScatterDiv is vulnerable to a division by 0 error. The implementation uses a common class for all binary operations but fails to treat the division by 0 case...

5.5CVSS7AI score0.00154EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/06/08 6:15 p.m.10 views

PYSEC-2021-104

Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL...

8.8CVSS6.9AI score0.01574EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.10 views

PYSEC-2021-456

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in tf.rawops.QuantizedMul. This is because the...

5.5CVSS7AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.10 views

PYSEC-2021-660

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.SparseConcat. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.10 views

PYSEC-2021-668

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to tf.rawops.StringNGrams. This is because the...

5.5CVSS7.4AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.10 views

PYSEC-2021-642

TensorFlow is an end-to-end open source platform for machine learning. Calling tf.rawops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of RaggedTensorToVariant...

5.5CVSS6.9AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.10 views

PYSEC-2021-448

TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to tf.rawops.Conv3DBackprop operations can result in heap buffer overflows. This is because the...

7.8CVSS7.2AI score0.00224EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.10 views

PYSEC-2021-655

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in tf.rawops.QuantizedResizeBilinear by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is because the...

7.8CVSS7.6AI score0.00251EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2020/11/21 9:15 p.m.10 views

PYSEC-2020-108

DISPUTED svmpredictvalues in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service segmentation fault via a crafted model SVM introduced via pickle, json, or any other model permanence standard with a large value in the nsupport...

7.5CVSS6.7AI score0.03429EPSS
Exploits3References5Affected Software1
PyPA
PyPA
added 2020/10/21 9:15 p.m.10 views

PYSEC-2020-330

In Tensorflow before version 2.4.0, an attacker can pass an invalid axis value to tf.quantization.quantizeanddequantize. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dimsize only does a DCHECK to validate the argument and th...

7.5CVSS6.8AI score0.00886EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2020/10/19 1:15 p.m.10 views

PYSEC-2020-142

A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting...

5.3CVSS6.8AI score0.0047EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2020/10/06 7:15 p.m.10 views

PYSEC-2020-158

In xmpp-http-upload before version 0.4.0, when the GET method is attacked, attackers can read files which have a .data suffix and which are accompanied by a JSON file with the .meta suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of...

4CVSS6.8AI score0.01489EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2020/09/25 7:15 p.m.10 views

PYSEC-2020-113

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the tf.rawops.Switch operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. Howeve...

5.3CVSS6.8AI score0.00943EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2020/09/25 7:15 p.m.10 views

PYSEC-2020-308

In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of dlpack.todlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing ...

7.1CVSS7.1AI score0.00681EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities5000