Lucene search
K
PypaMost viewed

4602 matches found

PyPA
PyPA
•added 2021/05/14 8:15 p.m.•7 views

PYSEC-2021-172

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in QuantizedMul by passing in invalid thresholds for the quantization. This is because the...

7.8CVSS7.4AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•7 views

PYSEC-2021-233

TensorFlow is an end-to-end open source platform for machine learning. The implementation of the EmbeddingLookup TFLite operator is vulnerable to a division by zero...

7.8CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•7 views

PYSEC-2021-238

TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issuehttps://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd54bc3907daf6285/tensorflow/lite/kernels/concatenation.ccL70-L76. An...

7.1CVSS7.2AI score0.00192EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•7 views

PYSEC-2021-734

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in tf.rawops.RaggedTensorToTensor, an attacker can exploit an undefined behavior if input arguments are empty. The...

7.8CVSS7AI score0.00234EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•7 views

PYSEC-2021-704

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.FractionalAvgPoolGrad is vulnerable to a heap buffer overflow. The...

7.8CVSS7.3AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•7 views

PYSEC-2021-677

TensorFlow is an end-to-end open source platform for machine learning. The implementation of MatrixTriangularSolvehttps://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrixtriangularsolveopimpl.hL160-L240 fails to terminate kernel...

5.5CVSS7AI score0.00217EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/13 11:15 p.m.•7 views

PYSEC-2021-13

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage e.g., filesystem, Memcached, Redis, etc., they can construct a crafted payload, poison the...

9.8CVSS8.1AI score0.07288EPSS
Exploits3References2Affected Software1
PyPA
PyPA
•added 2021/04/29 4:15 p.m.•7 views

PYSEC-2021-1

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the nolog feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability...

7.5CVSS6.4AI score0.02043EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/04/01 10:15 p.m.•7 views

PYSEC-2021-11

django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters...

3.7CVSS6.6AI score0.0041EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2021/03/23 4:15 p.m.•7 views

PYSEC-2021-31

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information...

6.5CVSS6.6AI score0.01457EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/03/19 4:15 a.m.•7 views

PYSEC-2021-39

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c...

7.5CVSS7AI score0.01601EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/03/15 6:15 p.m.•7 views

PYSEC-2021-59

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy if an SSLContext isn't given via proxyconfig doesn't verify the hostname of the certificate. This means certificates for...

6.5CVSS9.1AI score0.02109EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/03/03 9:15 a.m.•7 views

PYSEC-2021-41

Pillow before 8.1.1 allows attackers to cause a denial of service memory consumption because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large...

7.5CVSS6.7AI score0.04851EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/02/27 5:15 a.m.•7 views

PYSEC-2021-55

An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.genthin command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py...

9.8CVSS7.7AI score0.08246EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/02/27 5:15 a.m.•7 views

PYSEC-2021-73

An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory...

7.8CVSS7.6AI score0.04302EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2021/02/17 3:15 p.m.•7 views

PYSEC-2021-2

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when webserver exposeconfig is set to False in airflow.cfg. This allowed a privilege escalation attack...

6.5CVSS6.9AI score0.02805EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/02/17 3:15 p.m.•7 views

PYSEC-2021-3

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can jus...

5.3CVSS7.1AI score0.04555EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2021/02/16 3:15 p.m.•7 views

PYSEC-2021-68

An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service DoS...

5.5CVSS6.6AI score0.00329EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/02/05 6:15 p.m.•7 views

PYSEC-2021-33

LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar...

6.1CVSS6.2AI score0.03203EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/01/13 5:15 p.m.•7 views

PYSEC-2021-15

git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution...

9.8CVSS7.1AI score0.02798EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/01/12 9:15 a.m.•7 views

PYSEC-2021-71

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled...

5.8CVSS7.2AI score0.01573EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/01/12 9:15 a.m.•7 views

PYSEC-2021-69

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations...

7.1CVSS7.1AI score0.01498EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2020/12/17 4:15 p.m.•7 views

PYSEC-2020-49

DISPUTED jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must no...

9.8CVSS8.4AI score0.06101EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2020/12/14 10:15 a.m.•7 views

PYSEC-2020-20

In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old Flask-admin based UI were vulnerable for SSRF attack...

5.3CVSS6.9AI score0.04325EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2020/12/10 11:15 p.m.•7 views

PYSEC-2020-336

In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer...

4.4CVSS6.8AI score0.00166EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2020/12/10 11:15 p.m.•7 views

PYSEC-2020-335

In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...

7.5CVSS6.9AI score0.00663EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2020/12/09 7:15 a.m.•7 views

PYSEC-2020-92

A denial of service via regular expression in the py.path.svnwc component of py aka python-py through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality...

7.5CVSS7.4AI score0.04607EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2020/12/04 8:15 a.m.•7 views

PYSEC-2020-45

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provid...

6.1CVSS6.9AI score0.014EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2020/12/04 3:15 a.m.•7 views

PYSEC-2020-109

In some conditions, a snap package built by snapcraft includes the current directory in LDLIBRARYPATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to...

6.8CVSS7.8AI score0.00673EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/12/03 5:15 p.m.•7 views

PYSEC-2020-62

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code...

6.1CVSS6.3AI score0.03934EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2020/12/02 8:15 a.m.•7 views

PYSEC-2020-74

Multiple cross-site scripting XSS vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in...

6.1CVSS5.7AI score0.01527EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2020/11/26 5:15 a.m.•7 views

PYSEC-2020-75

petl before 1.68, in some configurations, allows resolution of entities in an XML document...

9.8CVSS7AI score0.02275EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2020/11/10 4:15 p.m.•7 views

PYSEC-2020-18

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...

9.8CVSS6.8AI score0.997EPSS
Exploits8References2Affected Software1
PyPA
PyPA
•added 2020/11/06 6:15 p.m.•7 views

PYSEC-2020-159

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for...

9.8CVSS7.2AI score0.65933EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2020/10/21 9:15 p.m.•7 views

PYSEC-2020-139

In Tensorflow before version 2.4.0, when the boxes argument of tf.image.cropandresize has a very large value, the CPU kernel implementation receives it as a C++ nan floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is...

7.5CVSS6.8AI score0.00916EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/10/16 6:15 a.m.•7 views

PYSEC-2020-225

An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under because the Python eval function is used. This may result in...

9.9CVSS7.6AI score0.03123EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2020/09/30 6:15 p.m.•7 views

PYSEC-2020-148

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest. NOTE: this is similar to CVE-2020-26116...

7.2CVSS9.3AI score0.0642EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•7 views

PYSEC-2020-127

In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling tf.rawops.GetSessionHandle or tf.rawops.GetSessionHandleV2 results in a null pointer dereference In linked snippet, in eager mode, ctx-sessionstate returns nullptr. Since...

5.3CVSS7.1AI score0.00903EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•7 views

PYSEC-2020-309

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverseindexmapt and gradvaluest are accessed in a similar pattern, only reverseindexmapt is validated to be of proper...

5.3CVSS6.8AI score0.01017EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•7 views

PYSEC-2020-121

In Tensorflow before version 2.3.1, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has the same shape as the values one. The values in these tensors are always accessed...

5.8CVSS6.9AI score0.00537EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/09/25 7:15 p.m.•7 views

PYSEC-2020-285

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the datasplits argument of tf.rawops.StringNGrams lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after ...

9.8CVSS7.3AI score0.01015EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/09/22 8:15 a.m.•7 views

PYSEC-2020-227

All versions of package cabot are vulnerable to Cross-site Scripting XSS via the Endpoint column...

8.2CVSS6.5AI score0.01266EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2020/09/11 6:15 p.m.•7 views

PYSEC-2020-3

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri...

5.5CVSS6.5AI score0.00568EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/09/01 1:15 p.m.•7 views

PYSEC-2020-34

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 when Python 3.7+ is used. The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077...

7.5CVSS6.9AI score0.0327EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2020/08/26 7:15 p.m.•7 views

PYSEC-2020-243

An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths ...

8.3CVSS7.1AI score0.01715EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2020/07/27 12:15 p.m.•7 views

PYSEC-2020-150

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...

7.5CVSS6.9AI score0.01345EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2020/07/14 8:15 p.m.•7 views

PYSEC-2020-232

In freewvs before 0.1.1, a user could create a large file that freewvs will try to read, which will terminate a scan process. This has been patched in 0.1.1...

3.3CVSS6.8AI score0.00324EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2020/06/25 7:15 p.m.•7 views

PYSEC-2020-80

In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311...

9.8CVSS7AI score0.04212EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2020/06/25 7:15 p.m.•7 views

PYSEC-2020-77

In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state-shuffle is instructed to read beyond state-buffer...

5.5CVSS6.8AI score0.01105EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2020/06/23 10:15 p.m.•7 views

PYSEC-2020-95

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication spark.authenticate via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even...

9.8CVSS7.4AI score0.29157EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities4602