Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2022/09/13 9:15 p.m.•8 views

PYSEC-2022-276

LIEF commit 365a16a was discovered to contain a heap-buffer overflow via the function printbinary at /c/machoreader.c...

7.8CVSS7.6AI score0.00328EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/09/13 5:15 p.m.•8 views

PYSEC-2022-272

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.4.2...

8.8CVSS6.8AI score0.00785EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/13 10:15 a.m.•8 views

PYSEC-2022-273

Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2...

5.3CVSS6.6AI score0.00684EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/07 1:15 p.m.•8 views

PYSEC-2022-260

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin...

7.5CVSS7AI score0.01656EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/09/06 5:15 p.m.•8 views

PYSEC-2022-265

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS8.1AI score0.01738EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/09/05 10:15 a.m.•8 views

PYSEC-2022-43070

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue...

7.5CVSS7AI score0.01146EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/09/02 8:15 p.m.•8 views

PYSEC-2022-262

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including...

7.5CVSS6.8AI score0.00938EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/08/29 3:15 p.m.•8 views

PYSEC-2022-258

A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote " in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext...

4.9CVSS6.7AI score0.01335EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2022/08/24 4:15 p.m.•8 views

PYSEC-2022-253

A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...

7.8CVSS8.2AI score0.0031EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/08/18 7:15 p.m.•8 views

PYSEC-2022-249

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting XSS vulnerabilities if the...

7.5CVSS8.2AI score0.01102EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/08/03 2:15 p.m.•8 views

PYSEC-2022-245

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input...

8.8CVSS6.9AI score0.00654EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/07/28 11:15 p.m.•8 views

PYSEC-2022-43174

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package...

9.8CVSS7.8AI score0.01011EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/07/26 6:15 a.m.•8 views

PYSEC-2022-244

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files...

7.5CVSS6.8AI score0.01336EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/07/25 2:15 p.m.•8 views

PYSEC-2022-43182

The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim...

8CVSS6.9AI score0.00698EPSS
Exploits1References2
PyPA
PyPA
•added 2022/07/11 1:15 a.m.•8 views

PYSEC-2022-225

The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...

9.3CVSS7.1AI score0.01312EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/07/06 6:15 p.m.•8 views

PYSEC-2022-233

opensshkeyparser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker...

7.7CVSS6.8AI score0.01239EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/07/05 12:15 p.m.•8 views

PYSEC-2022-43185

A stored Cross-site Scripting XSS vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location...

5.4CVSS6AI score0.00484EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/07/04 4:15 p.m.•8 views

PYSEC-2022-213

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc and Extract database functions are subject to SQL injection if untrusted data is used as a kind/lookupname value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected...

9.8CVSS8AI score0.73274EPSS
Exploits3References4Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•8 views

PYSEC-2022-43169

The Togglee package in PyPI version v0.0.8 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS7.9AI score0.01931EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•8 views

PYSEC-2022-43176

The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS7.9AI score0.01302EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/06/09 4:15 a.m.•8 views

PYSEC-2022-208

django-s3file is a lightweight file upload input for Django and Amazon S3 . In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the AWSLOCATION setting was set, traversal was limited to that location only. The issue was...

9.8CVSS6.9AI score0.01935EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/05/24 5:55 p.m.•8 views

PYSEC-2022-199

The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items when instantiating Ctx objects...

7.2AI score
Exploits0References1Affected Software1
PyPA
PyPA
•added 2022/05/06 12:15 a.m.•8 views

PYSEC-2022-187

TkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version...

4.3CVSS6.8AI score0.00503EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/04/25 10:15 p.m.•8 views

PYSEC-2022-193

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he captcha.validate function would return None if passed no value e.g. by submitting an having an empty form. If implementing users...

5.3CVSS6.6AI score0.01126EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/04/13 10:15 p.m.•8 views

PYSEC-2022-198

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of .returnsint128 is not validated to fall within the bounds of int128. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0,...

9.8CVSS6.8AI score0.01377EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/04/12 5:15 a.m.•8 views

PYSEC-2022-191

A SQL injection issue was discovered in QuerySet.explain in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary with dictionary expansion as the options argument, and placing the injection payload in an option name...

9.8CVSS8AI score0.02919EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/03/31 11:15 p.m.•8 views

PYSEC-2022-178

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perfo...

7.5CVSS7AI score0.01366EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/23 9:15 p.m.•8 views

PYSEC-2022-179

The Jupyter Server provides the backend i.e. the core services, APIs, and REST endpoints for Jupyter web applications. Prior to version 1.15.4, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are...

7.5CVSS6.8AI score0.01207EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/03/21 7:15 p.m.•8 views

PYSEC-2022-170

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of...

9.8CVSS6.9AI score0.01582EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/17 9:15 p.m.•8 views

PYSEC-2022-229

gradio is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, gradio suffers from Improper Neutralization of Formula Elements in a CSV File. The gradio library has a flagging functionality which saves input/output data into a CSV file on t...

8.8CVSS7.2AI score0.01248EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/17 1:15 p.m.•8 views

PYSEC-2022-169

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and...

7.5CVSS6.9AI score0.01738EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/07 11:15 p.m.•8 views

PYSEC-2022-34

HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn‘t distinguish between cookies and...

6.5CVSS6.8AI score0.01625EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/25 9:15 p.m.•8 views

PYSEC-2022-35

Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed i...

5.4CVSS6.5AI score0.00741EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/02/23 11:15 p.m.•8 views

PYSEC-2022-33

b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use TOCTOU race...

4.7CVSS6AI score0.00214EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/02/23 9:15 a.m.•8 views

PYSEC-2022-28

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1...

8.2CVSS6.8AI score0.01551EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-85

Tensorflow is an Open Source Machine Learning Framework. The implementation of OpLevelCostEstimator::CalculateOutputSize is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements. We can have a large enough number ...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-155

Tensorflow is an Open Source Machine Learning Framework. The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel. This...

7.5CVSS7.4AI score0.00789EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-99

Tensorflow is an Open Source Machine Learning Framework. A GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it. We have patched the issue in multiple...

7.5CVSS7AI score0.00973EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-68

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both embeddingsize and lookupsize are products of values provided by the user. Hence, a malicious user could trigger overflows in the...

8.8CVSS7.1AI score0.01173EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-87

Tensorflow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize. Here, we set item-kernel to nullptr but it is a simple OpKernel pointer so the memory that was previously allocated to it...

4.3CVSS6.9AI score0.00716EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-73

Tensorflow is an Open Source Machine Learning Framework. When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow...

6.5CVSS6.8AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-83

Tensorflow is an Open Source Machine Learning Framework. There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write. Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg from outside the...

8.8CVSS7AI score0.00837EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-129

Tensorflow is an Open Source Machine Learning Framework. An attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on...

6.5CVSS6.9AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-144

Tensorflow is an Open Source Machine Learning Framework. During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, a...

6.5CVSS7AI score0.00821EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-128

Tensorflow is an Open Source Machine Learning Framework. When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow...

6.5CVSS6.8AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-81

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is covered by the DCHECK function however, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first cas...

6.5CVSS7AI score0.00992EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-67

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate. The TfLiteIntArrayGetSizeInBytes returns an int instead of a sizet. An attacker can control model inputs such that computedsize overflows the...

8.8CVSS7.2AI score0.00811EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-130

Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in Grappler. The setoutput function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. We will also...

8.8CVSS7AI score0.00924EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-148

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After png::CommonFreeDecode gets called, the values of decode.width and decode.height are in an unspecified state. The fix will be included in TensorFlow 2.8.0. ...

7.6CVSS7AI score0.00725EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 2:15 p.m.•8 views

PYSEC-2022-62

Tensorflow is an Open Source Machine Learning Framework. The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this comm...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000