Lucene search
K
PypaMost viewed

5631 matches found

PyPA
PyPA
•added 2022/10/11 2:15 p.m.•10 views

PYSEC-2022-303

mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage...

7.5CVSS6.8AI score0.01005EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/09/26 10:15 p.m.•10 views

PYSEC-2022-294

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8...

7.5CVSS6.8AI score0.00951EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/21 8:15 a.m.•10 views

PYSEC-2022-280

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's /confirm endpoint...

6.1CVSS6.9AI score0.01452EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/09/19 4:15 p.m.•10 views

PYSEC-2022-43111

The d8s-html for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version is 0.1.0...

9.8CVSS7AI score0.01033EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/19 3:15 p.m.•10 views

PYSEC-2022-43103

The d8s-uuids for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0...

9.8CVSS7AI score0.01033EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/17 8:15 p.m.•10 views

PYSEC-2022-281

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.5...

6.5CVSS6.7AI score0.00331EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/13 9:15 p.m.•10 views

PYSEC-2022-274

LIEF commit 5d1d643 was discovered to contain a heap-buffer overflow in the component /core/CorePrPsInfo.tcc...

7.8CVSS7.6AI score0.00328EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/09/07 7:15 p.m.•10 views

PYSEC-2022-266

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as git clone. These commands are constructed using user input e.g. the repository URL. When building the commands, Poetry correctly avoid...

7.3CVSS7.6AI score0.01413EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/08/25 6:15 p.m.•10 views

PYSEC-2022-255

There is a NULL pointer dereference vulnerability in VTK, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and try to dereference it. It is unsafe as the return value can be NULL and that NULL pointer dereference may...

7.5CVSS6.8AI score0.01066EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/08/25 6:15 p.m.•10 views

PYSEC-2022-254

A vulnerability was found in modwsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing...

7.5CVSS6.8AI score0.0069EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/07/28 11:15 p.m.•10 views

PYSEC-2022-43174

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package...

9.8CVSS7.8AI score0.01011EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/07/25 2:15 p.m.•10 views

PYSEC-2022-43182

Withdrawn as duplicate of PYSEC-2022-239. The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim...

8CVSS6.8AI score0.00698EPSS
Exploits1References2
PyPA
PyPA
•added 2022/07/05 12:15 p.m.•10 views

PYSEC-2022-43185

A stored Cross-site Scripting XSS vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location...

5.4CVSS6AI score0.00484EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•10 views

PYSEC-2022-43176

The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS7.9AI score0.01333EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/05/24 3:15 p.m.•10 views

PYSEC-2022-202

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...

7.5CVSS9AI score0.012EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/04/12 5:15 a.m.•10 views

PYSEC-2022-190

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL injection in column aliases via a crafted dictionary with dictionary expansion as the passed kwargs...

9.8CVSS8AI score0.18516EPSS
Exploits3References6Affected Software1
PyPA
PyPA
•added 2022/03/05 10:15 p.m.•10 views

PYSEC-2022-181

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0...

10CVSS7.1AI score0.00965EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•10 views

PYSEC-2022-95

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this comm...

6.5CVSS6.8AI score0.008EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•10 views

PYSEC-2022-72

Tensorflow is an Open Source Machine Learning Framework. In multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in...

7.1CVSS6.9AI score0.0011EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•10 views

PYSEC-2022-134

Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK. However, DCHECK is a no-op in production builds...

6.5CVSS6.9AI score0.00992EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 11:15 a.m.•10 views

PYSEC-2022-105

Tensorflow is an Open Source Machine Learning Framework. The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses. The axis argument can be -1 the default value for the optional argument or any other positive value at most the number of...

8.8CVSS7AI score0.00818EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/01/18 10:15 p.m.•10 views

PYSEC-2022-46

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions authenticated users or unauthenticated in public mode can send messages without being visible in the list of chat participants. Th...

5.3CVSS6.8AI score0.00849EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/12/09 5:15 p.m.•10 views

PYSEC-2021-851

Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected RE...

8.8CVSS7.1AI score0.0125EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•10 views

PYSEC-2021-637

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

7.8CVSS7.8AI score0.00208EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•10 views

PYSEC-2021-629

TensorFlow is an open source platform for machine learning. In affected versions the async implementation of CollectiveReduceV2 suffers from a memory leak and a use after free. This occurs due to the asynchronous computation and the fact that objects that have been std::moved from are still...

7.8CVSS6.9AI score0.00204EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/09/27 6:15 a.m.•10 views

PYSEC-2021-353

furlongm openvpn-monitor through 1.1.3 allows %0a command injection via the OpenVPN management interface socket. This can shut down the server via signal%20SIGTERM...

7.8CVSS7.7AI score0.03314EPSS
Exploits2References3Affected Software1
PyPA
PyPA
•added 2021/09/17 9:15 p.m.•10 views

PYSEC-2021-321

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses externrefs in Wasmtime. To trigger thi...

6.3CVSS7.2AI score0.003EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/19 10:15 p.m.•10 views

PYSEC-2021-885

A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 allows remote attackers to cause a denial of service DOS via a crafted file...

6.5CVSS6.8AI score0.01432EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/08/16 8:15 a.m.•10 views

PYSEC-2021-117

This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing include, include-code or include-raw block is processed. The contents of arbitrary files could be disclosed in the HTML output...

7.5CVSS6.9AI score0.01106EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•10 views

PYSEC-2021-788

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the shape inference code for tf.rawops.Dequantize has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference implementation use...

5.5CVSS7.1AI score0.00148EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 6:15 p.m.•10 views

PYSEC-2021-555

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.rawops.ResourceScatterDiv is vulnerable to a division by 0 error. The implementation uses a common class for all binary operations but fails to treat the division by 0 case...

5.5CVSS7AI score0.00154EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 6:15 p.m.•10 views

PYSEC-2021-566

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a crash via a floating point exception in tf.rawops.ResourceGather. The implementation computes the value of a value, batchsize, and then divides by it without checking that this...

5.5CVSS7AI score0.00152EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/06/08 6:15 p.m.•10 views

PYSEC-2021-104

Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL...

8.8CVSS6.9AI score0.01574EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/06/02 3:15 p.m.•10 views

PYSEC-2021-139

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load...

5.5CVSS6.8AI score0.0096EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-642

TensorFlow is an end-to-end open source platform for machine learning. Calling tf.rawops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of RaggedTensorToVariant...

5.5CVSS6.9AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-655

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in tf.rawops.QuantizedResizeBilinear by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is because the...

7.8CVSS7.6AI score0.00251EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-668

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to tf.rawops.StringNGrams. This is because the...

5.5CVSS7.4AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-465

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in QuantizedResizeBilinear by passing in invalid thresholds for the quantization. This is because the...

7.8CVSS7.4AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-457

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in tf.rawops.QuantizedResizeBilinear by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is because the...

7.8CVSS7.6AI score0.00251EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-448

TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to tf.rawops.Conv3DBackprop operations can result in heap buffer overflows. This is because the...

7.8CVSS7.2AI score0.00224EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-660

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.SparseConcat. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•10 views

PYSEC-2021-510

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in tf.rawops.Dequantize, an attacker can trigger a read from outside of bounds of heap allocated data. The...

7.1CVSS6.9AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2020/10/21 9:15 p.m.•10 views

PYSEC-2020-330

In Tensorflow before version 2.4.0, an attacker can pass an invalid axis value to tf.quantization.quantizeanddequantize. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dimsize only does a DCHECK to validate the argument and th...

7.5CVSS6.8AI score0.00886EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/10/19 1:15 p.m.•10 views

PYSEC-2020-142

A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting...

5.3CVSS6.8AI score0.0047EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2020/10/06 7:15 p.m.•10 views

PYSEC-2020-158

In xmpp-http-upload before version 0.4.0, when the GET method is attacked, attackers can read files which have a .data suffix and which are accompanied by a JSON file with the .meta suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of...

4CVSS6.8AI score0.01489EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•10 views

PYSEC-2020-129

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's SavedModel protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using tensorflow-servin...

9CVSS7AI score0.00944EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•10 views

PYSEC-2020-284

In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling tf.rawops.GetSessionHandle or tf.rawops.GetSessionHandleV2 results in a null pointer dereference In linked snippet, in eager mode, ctx-sessionstate returns nullptr. Since...

5.3CVSS7.1AI score0.00903EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•10 views

PYSEC-2020-113

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the tf.rawops.Switch operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. Howeve...

5.3CVSS6.8AI score0.00943EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•10 views

PYSEC-2020-308

In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of dlpack.todlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing ...

7.1CVSS7.1AI score0.00681EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/08/21 5:15 p.m.•10 views

PYSEC-2020-265

In Red Discord Bot before version 3.3.11, a RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive action...

9.6CVSS7AI score0.00923EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities5000