Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-182

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in converting sparse tensors to CSR Sparse matrices. This is because the...

5.5CVSS6.9AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-727

TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issuehttps://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd54bc3907daf6285/tensorflow/lite/kernels/concatenation.ccL70-L76. An...

7.1CVSS7.2AI score0.00192EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-233

TensorFlow is an end-to-end open source platform for machine learning. The implementation of the EmbeddingLookup TFLite operator is vulnerable to a division by zero...

7.8CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-520

TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209https://vulners.com/cve/CVE-2020-15209 missed the case when the target shape of Reshape operator is given by the elements of a 1-D tensor. As such, the fix for the...

7.8CVSS6.9AI score0.008EPSS
Exploits2References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-152

TensorFlow is an end-to-end open source platform for machine learning. The implementation of MatrixDiag operationshttps://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrixdiagop.ccL195-L197 does not validate that the tensor...

7.8CVSS7AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-178

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in tf.rawops.StringNGrams. This is because the...

5.5CVSS6.9AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-677

TensorFlow is an end-to-end open source platform for machine learning. The implementation of MatrixTriangularSolvehttps://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrixtriangularsolveopimpl.hL160-L240 fails to terminate kernel...

5.5CVSS7AI score0.00217EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-644

TensorFlow is an end-to-end open source platform for machine learning. In eager mode default in TF 2.0 and later, session operations are invalid. However, users could still call the raw ops associated with them and trigger a null pointer dereference. The...

7.8CVSS6.8AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-706

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.FractionalMaxPoolGrad triggers an undefined behavior if one of the input tensors is empty. The code is also vulnerable to a denial of service attack as a CHECK condition becomes false and aborts...

5.5CVSS7AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-685

TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in tf.rawops.UnicodeEncode. This is because the...

7.1CVSS7AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-159

TensorFlow is an end-to-end open source platform for machine learning. The tf.rawops.Conv3DBackprop operations fail to validate that the input tensors are not empty. In turn, this would result in a division by 0. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-463

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in QuantizedMul by passing in invalid thresholds for the quantization. This is because the...

7.8CVSS7.4AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-675

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in tf.rawops.QuantizedBatchNormWithGlobalNormalization. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-174

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in QuantizedResizeBilinear by passing in invalid thresholds for the quantization. This is because the...

7.8CVSS7.4AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-709

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.FusedBatchNorm is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The...

7.8CVSS7.3AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-204

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in tf.rawops.SparseDenseCwiseMul, an attacker can trigger denial of service via CHECK-fails or accesses to outside the bounds of heap allocated data. Since the...

5.5CVSS7AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.7 views

PYSEC-2021-702

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPool3DGradGrad is vulnerable to a heap buffer overflow. The...

7.8CVSS7.3AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/04/01 10:15 p.m.7 views

PYSEC-2021-11

django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters...

3.7CVSS6.6AI score0.0041EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2021/03/23 4:15 p.m.7 views

PYSEC-2021-31

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information...

6.5CVSS6.6AI score0.01457EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2021/03/19 4:15 a.m.7 views

PYSEC-2021-39

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c...

7.5CVSS7AI score0.01601EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/03/15 6:15 p.m.7 views

PYSEC-2021-59

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy if an SSLContext isn't given via proxyconfig doesn't verify the hostname of the certificate. This means certificates for...

6.5CVSS9.1AI score0.02109EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2021/03/03 9:15 a.m.7 views

PYSEC-2021-41

Pillow before 8.1.1 allows attackers to cause a denial of service memory consumption because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large...

7.5CVSS6.7AI score0.04851EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2021/02/27 5:15 a.m.7 views

PYSEC-2021-73

An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory...

7.8CVSS7.6AI score0.04302EPSS
Exploits2References8Affected Software1
PyPA
PyPA
added 2021/02/17 3:15 p.m.7 views

PYSEC-2021-3

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can jus...

5.3CVSS7.1AI score0.04555EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2021/02/16 3:15 p.m.7 views

PYSEC-2021-68

An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service DoS...

5.5CVSS6.6AI score0.00329EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/02/05 6:15 p.m.7 views

PYSEC-2021-33

LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar...

6.1CVSS6.2AI score0.03203EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/01/13 5:15 p.m.7 views

PYSEC-2021-15

git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution...

9.8CVSS7.1AI score0.02798EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2021/01/12 9:15 a.m.7 views

PYSEC-2021-69

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations...

7.1CVSS7.1AI score0.01498EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2021/01/12 9:15 a.m.7 views

PYSEC-2021-71

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled...

5.8CVSS7.2AI score0.01573EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2021/01/11 5:15 a.m.7 views

PYSEC-2021-46

beforeupstreamconnection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion and versus or...

7.5CVSS6.9AI score0.01673EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2020/12/17 4:15 p.m.7 views

PYSEC-2020-49

DISPUTED jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must no...

9.8CVSS8.4AI score0.06101EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2020/12/14 10:15 a.m.7 views

PYSEC-2020-20

In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old Flask-admin based UI were vulnerable for SSRF attack...

5.3CVSS6.9AI score0.04325EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2020/12/10 11:15 p.m.7 views

PYSEC-2020-255

In affected versions of TensorFlow the tf.rawops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the...

4.4CVSS6.9AI score0.00203EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2020/12/10 11:15 p.m.7 views

PYSEC-2020-256

In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer...

4.4CVSS6.8AI score0.00166EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2020/12/10 11:15 p.m.7 views

PYSEC-2020-336

In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer...

4.4CVSS6.8AI score0.00166EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2020/12/10 11:15 p.m.7 views

PYSEC-2020-335

In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...

7.5CVSS6.9AI score0.00663EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2020/12/10 11:15 p.m.7 views

PYSEC-2020-300

In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...

7.5CVSS6.9AI score0.00663EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2020/12/10 11:15 p.m.7 views

PYSEC-2020-254

In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen...

5.3CVSS7.5AI score0.00243EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2020/12/09 7:15 a.m.7 views

PYSEC-2020-92

A denial of service via regular expression in the py.path.svnwc component of py aka python-py through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality...

7.5CVSS7.4AI score0.04607EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2020/12/04 8:15 p.m.7 views

PYSEC-2020-226

Cross Site Scripting XSS vulnerability in Arachnys Cabot 0.11.12 can be exploited via the Address column...

4.8CVSS6.1AI score0.01133EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2020/12/04 8:15 a.m.7 views

PYSEC-2020-45

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provid...

6.1CVSS6.9AI score0.014EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2020/12/03 5:15 p.m.7 views

PYSEC-2020-62

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code...

6.1CVSS6.3AI score0.03934EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2020/12/02 8:15 a.m.7 views

PYSEC-2020-74

Multiple cross-site scripting XSS vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in...

6.1CVSS5.7AI score0.01527EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2020/11/26 5:15 a.m.7 views

PYSEC-2020-75

petl before 1.68, in some configurations, allows resolution of entities in an XML document...

9.8CVSS7AI score0.02275EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2020/11/24 9:15 p.m.7 views

PYSEC-2020-234

Jupyter Server before version 1.0.6 has an Open redirect vulnerability. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are technically affected, however, these maliciously crafted links can only be reasonably made for known...

5.5CVSS6.8AI score0.00823EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2020/11/10 5:15 p.m.7 views

PYSEC-2020-67

The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to achieve remote code execution...

9.8CVSS7.8AI score0.06121EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2020/11/06 6:15 p.m.7 views

PYSEC-2020-159

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for...

9.8CVSS7.2AI score0.65933EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2020/10/21 9:15 p.m.7 views

PYSEC-2020-139

In Tensorflow before version 2.4.0, when the boxes argument of tf.image.cropandresize has a very large value, the CPU kernel implementation receives it as a C++ nan floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is...

7.5CVSS6.8AI score0.00916EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2020/10/16 6:15 a.m.7 views

PYSEC-2020-225

An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under because the Python eval function is used. This may result in...

9.9CVSS7.6AI score0.03123EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2020/10/05 1:15 p.m.7 views

PYSEC-2020-221

A flaw was found in Ansible Base when using the awsssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service...

7.1CVSS6.7AI score0.00298EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities5000