Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2022/02/03 12:15 p.m.•7 views

PYSEC-2022-131

Tensorflow is an Open Source Machine Learning Framework. The implementations of SparseCwise ops are vulnerable to integer overflows. These can be used to trigger large allocations so, OOM based denial of service or CHECK-fails when building new TensorShape objects so, assert failures based denial...

6.5CVSS6.9AI score0.01097EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/03 11:15 a.m.•7 views

PYSEC-2022-50

Tensorflow is an Open Source Machine Learning Framework. The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses. The axis argument can be -1 the default value for the optional argument or any other positive value at most the number of...

8.8CVSS7AI score0.00818EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 11:15 a.m.•7 views

PYSEC-2022-109

Tensorflow is an Open Source Machine Learning Framework. The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this...

8.1CVSS6.9AI score0.00815EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 11:15 a.m.•7 views

PYSEC-2022-51

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for Dequantize is vulnerable to an integer overflow weakness. The axis argument can be -1 the default value for the optional argument or any other positive value at most the number of dimensions of the...

8.8CVSS7.6AI score0.00659EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/01/31 9:15 p.m.•7 views

PYSEC-2022-24

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server...

5.3CVSS6.6AI score0.00953EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/01/25 9:15 a.m.•7 views

PYSEC-2022-14

Improper Privilege Management in Conda loguru prior to 0.5.3...

4.3CVSS6.9AI score0.00758EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/01/20 11:15 a.m.•7 views

PYSEC-2022-11

In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "cancreate" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for...

6.5CVSS6.6AI score0.01709EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/01/18 11:15 p.m.•7 views

PYSEC-2022-41

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all componen...

8.7CVSS6.8AI score0.00789EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/01/18 11:15 p.m.•7 views

PYSEC-2022-43

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant...

4.3CVSS6.9AI score0.00771EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/01/18 10:15 p.m.•7 views

PYSEC-2022-39

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. Affected versions of the desktop application were found to be vulnerable to denial of service via an undisclosed vulnerability in the QT image parsing...

7.5CVSS6.9AI score0.00787EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/01/12 1:15 p.m.•7 views

PYSEC-2022-7

Django CMS 3.7.3 does not validate the plugintype parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting XSS vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user...

5.4CVSS6.5AI score0.00617EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/01/10 2:12 p.m.•7 views

PYSEC-2022-8

pathgetbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path...

6.5CVSS7AI score0.02556EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/01/05 12:15 a.m.•7 views

PYSEC-2022-2

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a...

7.5CVSS6.8AI score0.01855EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/01/01 12:15 a.m.•7 views

PYSEC-2022-25

UltraJSON aka ujson through 5.1.0 has a stack-based buffer overflow in BufferAppendIndentUnchecked called from encode. Exploitation can, for example, use a large amount of indentation...

5.5CVSS7.5AI score0.0155EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2021/12/17 7:15 p.m.•7 views

PYSEC-2021-854

A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArrayNewFromDescrint function of ctors.c when specifying arrays of large dimensions over 32 from Python code, which could let a malicious user cause a Denial of Service...

5.3CVSS6.9AI score0.01074EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/12/16 7:15 p.m.•7 views

PYSEC-2021-853

vault-cli is a configurable command-line interface tool and python library to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. When a secret starts with the prefix !template!, vault-cli interprets the rest of the contents of th...

9.1CVSS7.5AI score0.05004EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/12/13 6:15 p.m.•7 views

PYSEC-2021-852

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...

8.2CVSS5.7AI score0.02456EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/11/23 12:15 a.m.•7 views

PYSEC-2021-862

Connections initialized by the AWS IoT Device SDK v2 for Java versions prior to 1.4.2, Python versions prior to 1.6.1, C++ versions prior to 1.12.7 and Node.js versions prior to 1.5.3 did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities CA in the...

8.8CVSS6.8AI score0.00375EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2021/11/10 6:15 p.m.•7 views

PYSEC-2021-437

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1...

5.7CVSS6.7AI score0.01687EPSS
Exploits2References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•7 views

PYSEC-2021-412

TensorFlow is an open source platform for machine learning. In affected versions the async implementation of CollectiveReduceV2 suffers from a memory leak and a use after free. This occurs due to the asynchronous computation and the fact that objects that have been std::moved from are still...

7.8CVSS6.9AI score0.00204EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•7 views

PYSEC-2021-420

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

7.8CVSS7.8AI score0.00208EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•7 views

PYSEC-2021-622

TensorFlow is an open source platform for machine learning. In affected versions the code behind tf.function API can be made to deadlock when two tf.function decorated Python functions are mutually recursive. This occurs due to using a non-reentrant Lock Python object. Loading any model which...

5.5CVSS7AI score0.00235EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•7 views

PYSEC-2021-829

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SplitV can trigger a segfault is an attacker supplies negative arguments. This occurs whenever sizesplits contains more than one value and at least one value is negative. The fix will be include...

5.5CVSS6.9AI score0.00181EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•7 views

PYSEC-2021-845

TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or CHECK-fail related crashes...

7.8CVSS7.1AI score0.00174EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•7 views

PYSEC-2021-410

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for AllToAll can be made to execute a division by 0. This occurs whenever the splitcount argument is 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on...

5.5CVSS7.4AI score0.00128EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-418

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseBinCount is vulnerable to a heap OOB access. This is because of missing validation between the elements of the values argument and the shape of the sparse output. The fix will be included ...

7.1CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-830

TensorFlow is an open source platform for machine learning. In affected versions the implementation of FusedBatchNorm kernels is vulnerable to a heap OOB access. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow...

7.1CVSS7AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-407

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for DeserializeSparse can trigger a null pointer dereference. This is because the shape inference function assumes that the serializesparse tensor is a tensor with positive rank and having 3 ...

5.5CVSS7.1AI score0.00181EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-624

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for DeserializeSparse can trigger a null pointer dereference. This is because the shape inference function assumes that the serializesparse tensor is a tensor with positive rank and having 3 ...

5.5CVSS7.1AI score0.00181EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-626

TensorFlow is an open source platform for machine learning. In affected versions the process of building the control flow graph for a TensorFlow model is vulnerable to a null pointer exception when nodes that should be paired are not. This occurs because the code assumes that the first node in th...

5.5CVSS7.1AI score0.00181EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-635

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseBinCount is vulnerable to a heap OOB access. This is because of missing validation between the elements of the values argument and the shape of the sparse output. The fix will be included ...

7.1CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-628

TensorFlow is an open source platform for machine learning. In affected versions the code for sparse matrix multiplication is vulnerable to undefined behavior via binding a reference to nullptr. This occurs whenever the dimensions of a or b are 0 or less. In the case on one of these is 0, an empt...

7.8CVSS7.2AI score0.00204EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•7 views

PYSEC-2021-403

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for QuantizeV2 can trigger a read outside of bounds of heap allocated array. This occurs whenever axis is a negative value less than -1. In this case, we are accessing data before the start o...

7.1CVSS7AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 8:15 p.m.•7 views

PYSEC-2021-842

TensorFlow is an open source platform for machine learning. In affected versions the implementation of tf.math.segment operations results in a CHECK-fail related abort and denial of service if a segment id in segmentids is large. This is similar to CVE-2021-29584 and similar other reported...

5.5CVSS7.1AI score0.00205EPSS
Exploits2References4Affected Software1
PyPA
PyPA
•added 2021/11/05 8:15 p.m.•7 views

PYSEC-2021-394

TensorFlow is an open source platform for machine learning. In affeced versions during execution, EinsumHelper::ParseEquation is supposed to set the flags in inputhasellipsis vector and outputhasellipsis boolean to indicate whether there is ellipsis in the corresponding inputs and output. However...

7.8CVSS7.1AI score0.00241EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 8:15 p.m.•7 views

PYSEC-2021-804

TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to the TensorFlow's implementation of pooling operations where the values in the sliding window...

5.5CVSS6.9AI score0.0023EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/11/03 6:15 p.m.•7 views

PYSEC-2021-428

nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting XSS issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs...

8.7CVSS5.5AI score0.0068EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/10/31 8:15 p.m.•7 views

PYSEC-2021-388

The parseXML function in Easy-XML 0.5.0 was discovered to have a XML External Entity XXE vulnerability which allows for an attacker to expose sensitive data or perform a denial of service DOS via a crafted external entity entered into the XML content as input...

9.1CVSS7.2AI score0.0129EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/10/28 8:15 p.m.•7 views

PYSEC-2021-384

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if createusers=True and t...

9.8CVSS6.6AI score0.01323EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/10/19 6:15 p.m.•7 views

PYSEC-2021-376

python-tuf is a Python reference implementation of The Update Framework TUF. In both clients tuf/client and tuf/ngclient, there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to getonevalidtargetinfo. It occurs...

8.8CVSS7.1AI score0.01404EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/10/06 1:15 p.m.•7 views

PYSEC-2021-423

An issue in Gate One 1.2.0 allows attackers to bypass to the verification check done by the origins list and connect to Gate One instances used by hosts not on the origins list...

5.3CVSS7AI score0.00764EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/09/28 4:15 p.m.•7 views

PYSEC-2021-351

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

7.5CVSS6.9AI score0.01175EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/09/27 6:15 a.m.•7 views

PYSEC-2021-354

furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients...

7.5CVSS7.1AI score0.02448EPSS
Exploits6References3Affected Software1
PyPA
PyPA
•added 2021/09/22 8:15 p.m.•7 views

PYSEC-2021-338

Leo Editor v6.2.1 was discovered to contain a regular expression denial of service ReDoS vulnerability in the component plugins/importers/dart.py...

7.5CVSS7.2AI score0.01193EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/09/20 10:15 p.m.•7 views

PYSEC-2021-327

Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions users who use Apprise granting them access to the IFTTT plugin which just comes out of the box are subject to a denial of service attac...

7.5CVSS6.8AI score0.01831EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/09/17 8:15 p.m.•7 views

PYSEC-2021-322

Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the wasmtime crate clearly marks which functions are safe and which are unsafe, guaranteeing that if consumers never use unsafe then it should...

6.3CVSS7.3AI score0.00295EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/09/10 11:15 p.m.•7 views

PYSEC-2021-334

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding...

8.8CVSS7.5AI score0.01794EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/09/10 2:15 a.m.•7 views

PYSEC-2021-345

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding such as via ;\x2f\x7f, enabling a remote attack that consumes CPU and memory...

7.5CVSS7AI score0.05566EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/09/08 8:15 p.m.•7 views

PYSEC-2021-329

An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API...

6.5CVSS6.8AI score0.0176EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/08/16 6:15 p.m.•7 views

PYSEC-2021-144

XML External Entities XXE in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'...

9.8CVSS8.2AI score0.02771EPSS
Exploits1References2Affected Software1
Total number of security vulnerabilities5000