Lucene search
K
PypaMost viewed

5624 matches found

PyPA
PyPA
•added 2020/10/21 9:15 p.m.•9 views

PYSEC-2020-138

In Tensorflow before version 2.4.0, an attacker can pass an invalid axis value to tf.quantization.quantizeanddequantize. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dimsize only does a DCHECK to validate the argument and th...

7.5CVSS6.8AI score0.00886EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•9 views

PYSEC-2020-271

In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to dlpack.todlpack the expected validations will cause variables to bind to nullptr while setting a status variable to the error condition. However, this status argument is not properly checked. Hence, code...

5.3CVSS7.1AI score0.00749EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•9 views

PYSEC-2020-119

In Tensorflow version 2.3.0, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don't validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights a...

9.9CVSS7AI score0.00902EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/09/09 6:15 p.m.•9 views

PYSEC-2020-145

Python TUF The Update Framework reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata i.e. by a...

8.7CVSS6.9AI score0.00553EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2020/05/22 4:15 p.m.•9 views

PYSEC-2020-239

meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing...

6.1CVSS7.1AI score0.00686EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2020/05/07 12:15 a.m.•9 views

PYSEC-2020-56

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

5.5CVSS7AI score0.00705EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2020/04/30 5:15 p.m.•9 views

PYSEC-2020-102

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the...

9.8CVSS7.3AI score0.96405EPSS
Exploits24References12Affected Software1
PyPA
PyPA
•added 2020/04/30 5:15 p.m.•9 views

PYSEC-2020-103

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users...

6.5CVSS6.9AI score0.86063EPSS
Exploits17References13Affected Software1
PyPA
PyPA
•added 2020/03/24 10:15 p.m.•9 views

PYSEC-2020-27

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option...

6.1CVSS6.2AI score0.01688EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2020/03/19 5:15 p.m.•9 views

PYSEC-2020-41

In EasyBuild before version 4.1.2, the GitHub Personal Access Token PAT used by EasyBuild for the GitHub integration features like --new-pr, --fro,-pr, etc. is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the master+ develop branches of the...

7.7CVSS6.8AI score0.00538EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/03/18 3:15 p.m.•9 views

PYSEC-2020-229

django-nopassword before 5.0.0 stores cleartext secrets in the database...

7.5CVSS7AI score0.00953EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2020/03/12 1:15 p.m.•9 views

PYSEC-2020-259

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request...

9.8CVSS6.9AI score0.04083EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2020/03/12 1:15 p.m.•9 views

PYSEC-2020-260

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request...

9.8CVSS6.9AI score0.03298EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2020/03/11 7:15 p.m.•9 views

PYSEC-2020-5

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask...

5CVSS6.7AI score0.004EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2020/01/29 3:15 p.m.•9 views

PYSEC-2020-156

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

8.8CVSS6.9AI score0.00488EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2020/01/02 6:15 p.m.•9 views

PYSEC-2020-245

ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name CN or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an...

5.9CVSS6.9AI score0.00413EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/12/10 8:15 p.m.•9 views

PYSEC-2019-105

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML...

7.5CVSS7.2AI score0.01465EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/11/08 12:15 a.m.•9 views

PYSEC-2019-186

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /sendjoin, /sendleave, and /invite may not be correctly signed, or may not come from the expected servers...

9.8CVSS7AI score0.00864EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/10/31 4:15 p.m.•9 views

PYSEC-2019-176

python-docutils allows insecure usage of temporary files...

9.1CVSS7AI score0.01116EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/08/27 3:15 p.m.•9 views

PYSEC-2019-174

Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/...

8.8CVSS7.1AI score0.01149EPSS
Exploits2References4Affected Software1
PyPA
PyPA
•added 2019/08/18 8:15 p.m.•9 views

PYSEC-2019-104

DISPUTED core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with...

9.8CVSS7.1AI score0.01632EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/08/02 3:15 p.m.•9 views

PYSEC-2019-11

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars and words methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability i...

7.5CVSS7AI score0.03502EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2019/07/29 3:15 p.m.•9 views

PYSEC-2019-27

invenio-records before 1.2.2 allows XSS...

5.4CVSS7AI score0.00659EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2019/07/28 7:15 p.m.•9 views

PYSEC-2019-244

Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage::readMetadata in rafimage.cpp...

7.8CVSS7.2AI score0.00988EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/07/28 7:15 p.m.•9 views

PYSEC-2019-245

Exiv2::PngImage::readMetadata in pngimage.cpp in Exiv2 0.27.99.0 allows attackers to cause a denial of service heap-based buffer over-read via a crafted image file...

6.5CVSS6.8AI score0.01116EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2019/04/10 8:29 p.m.•9 views

PYSEC-2019-215

A number of HTTP endpoints in the Airflow webserver both RBAC and classic did not have adequate protection and were vulnerable to cross-site request forgery attacks...

8.8CVSS6.9AI score0.01563EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/04/06 8:29 p.m.•9 views

PYSEC-2019-201

Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgihandler.py mishandle 404 errors...

6.1CVSS6.3AI score0.01568EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/03/21 4:1 p.m.•9 views

PYSEC-2019-203

Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks...

8.1CVSS6.8AI score0.00549EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/02/04 9:29 p.m.•9 views

PYSEC-2019-121

slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin Persistent Storage of Private Data via PubSub options profile, used for the configuration of default access model that can result in all of the contacts of...

7.5CVSS6.8AI score0.02323EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2018/12/17 7:29 a.m.•9 views

PYSEC-2018-9

DISPUTED OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should ha...

5.3CVSS7AI score0.0111EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2018/11/18 5:29 p.m.•9 views

PYSEC-2018-18

Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely...

6.1CVSS6.1AI score0.01323EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/10/08 3:29 p.m.•9 views

PYSEC-2018-20

privacyIDEA version 2.23.1 and earlier contains a Improper Input Validation vulnerability in token validation api that can result in Denial-of-Service. This attack appear to be exploitable via http request with user== to /validate/check url. This vulnerability appears to have been fixed in 2.23.2...

7.5CVSS6.9AI score0.01675EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/08/28 7:29 p.m.•9 views

PYSEC-2018-64

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call...

7.8CVSS7.9AI score0.02391EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/08/10 3:29 p.m.•9 views

PYSEC-2018-1

Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles...

6.1CVSS7.1AI score0.00463EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2018/07/26 2:29 p.m.•9 views

PYSEC-2018-58

An input validation vulnerability was found in Ansible's mysqluser module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed...

4.9CVSS6.9AI score0.01428EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/07/19 1:29 p.m.•9 views

PYSEC-2018-41

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2...

9.8CVSS7.5AI score0.04804EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•9 views

PYSEC-2018-76

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attac...

8.1CVSS7.4AI score0.01155EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•9 views

PYSEC-2018-149

The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user's input, which would allow for cross-site scripting XSS attacks. In this form of attack,...

6.1CVSS6.6AI score0.01042EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2018/03/13 6:29 p.m.•9 views

PYSEC-2018-19

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as...

9.8CVSS7.2AI score0.27065EPSS
Exploits10References18Affected Software1
PyPA
PyPA
•added 2018/03/13 3:29 p.m.•9 views

PYSEC-2018-112

Ajenti version version 2 contains a Improper Error Handling vulnerability in Login JSON request that can result in The requisition leaks a path of the server. This attack appear to be exploitable via By sending a malformed JSON, the tool responds with a traceback error that leaks a path of the...

5.3CVSS6.9AI score0.01279EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/03/12 7:29 p.m.•9 views

PYSEC-2018-108

The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step...

9.8CVSS7.2AI score0.0178EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/02/18 3:29 a.m.•9 views

PYSEC-2018-68

An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on...

8.8CVSS7.1AI score0.01771EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/11/27 10:29 a.m.•9 views

PYSEC-2017-149

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117...

9.3CVSS7.1AI score0.05978EPSS
Exploits0References8
PyPA
PyPA
•added 2017/11/21 1:29 p.m.•9 views

PYSEC-2017-84

An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving unhashed tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allow...

9.8CVSS7.1AI score0.08354EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/11/08 3:29 a.m.•9 views

PYSEC-2017-22

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file aka loadyaml or loadyamlf can execute arbitrary Python commands resulting in command execution because load is used where safeload should have been used. An...

9.8CVSS7.9AI score0.04435EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2017/10/06 5:29 p.m.•9 views

PYSEC-2017-144

Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission...

7.5CVSS7AI score0.01142EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/10/05 1:29 a.m.•9 views

PYSEC-2017-88

Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository...

7.5CVSS6.8AI score0.04815EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2017/09/26 2:29 p.m.•9 views

PYSEC-2017-38

When using the localbatch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed...

8.8CVSS7.1AI score0.01681EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/09/25 5:29 p.m.•9 views

PYSEC-2017-150

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow...

8.8CVSS6.9AI score0.05106EPSS
Exploits0References32Affected Software1
PyPA
PyPA
•added 2017/08/29 8:29 p.m.•9 views

PYSEC-2017-111

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting...

6.1CVSS6.8AI score0.01812EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities5000