Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
added 2023/08/05 7:15 a.m.8 views

PYSEC-2023-134

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the...

8.8CVSS7.4AI score0.0236EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/07/26 11:15 a.m.8 views

PYSEC-2023-124

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible...

9.8CVSS7.3AI score0.00645EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2023/07/19 1:15 a.m.8 views

PYSEC-2023-308

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0...

10CVSS6.8AI score0.70736EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/07/15 11:15 p.m.8 views

PYSEC-2023-312

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command specifically, a SET command. NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this...

5.9CVSS7.4AI score0.01309EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/07/06 9:15 p.m.8 views

PYSEC-2023-114

DISPUTED A use-after-free issue was discovered in PyFindObjects function in SciPy versions prior to 1.8.0. NOTE: the vendor and discoverer indicate that this is not a security issue...

9.8CVSS6.9AI score0.01334EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2023/07/05 6:15 p.m.8 views

PYSEC-2023-101

A cross-site scripting XSS vulnerability in Selenium Grid v3.141.59 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hub parameter under the /grid/console page...

6.1CVSS5.8AI score0.00406EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2023/05/30 6:16 a.m.8 views

PYSEC-2023-81

A vulnerability classified as problematic was found in MindSpore 2.0.0-alpha/2.0.0-rc1. This vulnerability affects the function JsonHelper::UpdateArray of the file mindspore/ccsrc/minddata/dataset/util/jsonhelper.cc. The manipulation leads to memory corruption. The name of the patch is...

6.5CVSS6.8AI score0.00875EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2023/05/11 10:15 p.m.8 views

PYSEC-2023-79

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the type...

7.5CVSS6.8AI score0.00725EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/05/11 9:15 p.m.8 views

PYSEC-2023-78

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of...

7.5CVSS7.1AI score0.00913EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/05/10 6:15 p.m.8 views

PYSEC-2023-63

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS7.2AI score0.00241EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/05/08 5:15 p.m.8 views

PYSEC-2023-76

Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8...

7.5CVSS6.8AI score0.00697EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/05/08 10:15 a.m.8 views

PYSEC-2023-60

Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0...

5.4CVSS6.9AI score0.01911EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/04/20 9:15 p.m.8 views

PYSEC-2023-41

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export a non-default feature. Users were able to upload crafted HTML documents that trigger the reading of arbitrary files...

6.5CVSS7AI score0.06648EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/04/18 4:15 p.m.8 views

PYSEC-2023-34

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0...

9.8CVSS6.8AI score0.00619EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/04/15 8:16 p.m.8 views

PYSEC-2023-22

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attacke...

6.3CVSS7.1AI score0.00299EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/04/07 3:15 p.m.8 views

PYSEC-2023-3

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2...

7.5CVSS7AI score0.02062EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/04/05 2:15 a.m.8 views

PYSEC-2023-18

In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method...

9.8CVSS8.2AI score0.39653EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/03/26 7:15 p.m.8 views

PYSEC-2023-46

redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time in the case of a non-pipeline operation, and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858...

6.5CVSS7.1AI score0.01034EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/03/16 9:15 p.m.8 views

PYSEC-2023-50

Streamlit, software for turning data scripts into web applications, had a cross-site scripting XSS vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit apps were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to ...

6.1CVSS5.5AI score0.00407EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/03/10 2:15 a.m.8 views

PYSEC-2023-318

WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::Decompiler::WrapChild...

5.5CVSS6AI score0.00278EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2023/03/08 12:15 a.m.8 views

PYSEC-2023-86

OWSLib is a Python package for client programming with Open Geospatial Consortium OGC web service interface standards, and their related content models. OWSLib's XML parser which supports both lxml and xml.etree does not disable entity resolution, and could lead to arbitrary file reads from an...

8.2CVSS7AI score0.00985EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/03/06 11:15 p.m.8 views

PYSEC-2023-42

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1...

7.5CVSS6.9AI score0.00623EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/02/15 3:15 p.m.8 views

PYSEC-2023-49

Starlite is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and ...

7.5CVSS7AI score0.01004EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/02/15 1:15 a.m.8 views

PYSEC-2023-13

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs e.g., an excessive number of parts to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for ...

7.5CVSS7AI score0.62575EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2023/02/10 7:15 p.m.8 views

PYSEC-2023-32

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4...

9.8CVSS6.8AI score0.15088EPSS
Exploits4References6Affected Software1
PyPA
PyPA
added 2023/02/07 9:15 p.m.8 views

PYSEC-2023-11

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.updateinto would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects such as bytes to b...

6.5CVSS8.2AI score0.01301EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/02/06 5:15 p.m.8 views

PYSEC-2023-208

A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the component User Information Handler. The manipulation leads to information disclosure. The attack may ...

4.3CVSS6.8AI score0.00666EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2022/12/12 6:15 p.m.8 views

PYSEC-2022-43002

Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2...

9.8CVSS6.7AI score0.00789EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/12/06 8:15 p.m.8 views

PYSEC-2022-42998

A directory traversal vulnerability in the SevenZipFile.extractall function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file...

9.1CVSS7AI score0.02242EPSS
Exploits3References7Affected Software1
PyPA
PyPA
added 2022/12/06 6:15 p.m.8 views

PYSEC-2022-42997

Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python random library for random value selection. The python random library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator...

7.5CVSS6.8AI score0.00791EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/04 11:0 a.m.8 views

PYSEC-2022-42969

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS Regular expression Denial of Service attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled...

7.5CVSS7AI score0.01546EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/10/26 4:15 p.m.8 views

PYSEC-2022-42972

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it...

7.5CVSS6.9AI score0.01341EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43032

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/09/22 7:15 p.m.8 views

PYSEC-2022-289

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.7...

7CVSS6.7AI score0.00375EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/22 10:15 a.m.8 views

PYSEC-2022-284

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.6...

6.8CVSS6.7AI score0.00319EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/21 12:15 p.m.8 views

PYSEC-2022-283

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3...

8.8CVSS6.7AI score0.00437EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/21 8:15 a.m.8 views

PYSEC-2022-279

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction...

7.5CVSS6.7AI score0.01573EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/09/19 4:15 p.m.8 views

PYSEC-2022-43106

The d8s-dicts for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0...

9.8CVSS7AI score0.01005EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2022/09/19 4:15 p.m.8 views

PYSEC-2022-43123

The d8s-netstrings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0...

9.8CVSS7AI score0.01238EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/09/19 3:15 p.m.8 views

PYSEC-2022-43103

The d8s-uuids for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0...

9.8CVSS7AI score0.01033EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/15 9:15 a.m.8 views

PYSEC-2022-278

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.3...

8.8CVSS6.7AI score0.00622EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/14 11:15 a.m.8 views

PYSEC-2022-267

OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by an vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacke...

9.8CVSS7.2AI score0.01653EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/13 9:15 p.m.8 views

PYSEC-2022-276

LIEF commit 365a16a was discovered to contain a heap-buffer overflow via the function printbinary at /c/machoreader.c...

7.8CVSS7.6AI score0.00328EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/09/13 9:15 p.m.8 views

PYSEC-2022-277

LIEF commit 365a16a was discovered to contain a segmentation violation via the component CoreFile.tcc:69...

5.5CVSS7.3AI score0.00287EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/09/13 5:15 p.m.8 views

PYSEC-2022-272

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.4.2...

8.8CVSS6.8AI score0.00785EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/13 10:15 a.m.8 views

PYSEC-2022-273

Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2...

5.3CVSS6.6AI score0.00684EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/09 9:15 p.m.8 views

PYSEC-2022-269

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of urivalidate functions depending where it is used. OAuthLib...

6.5CVSS6.8AI score0.01258EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/09 7:15 p.m.8 views

PYSEC-2022-270

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose...

7.5CVSS6.7AI score0.00924EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2022/09/07 1:15 p.m.8 views

PYSEC-2022-260

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin...

7.5CVSS7AI score0.01718EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/06 5:15 p.m.8 views

PYSEC-2022-265

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS8.1AI score0.01738EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000