Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2022/05/04 10:15 p.m.•6 views

PYSEC-2022-42999

DISPUTED In the python-libnmap package through 0.7.2 for Python, remote command execution can occur if used in a client application that does not validate arguments. NOTE: the vendor believes it would be unrealistic for an application to call NmapProcess with arguments taken from input data that...

9.8CVSS7.2AI score0.04936EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2022/04/19 3:15 a.m.•6 views

PYSEC-2022-43167

Selenium Server Grid before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain...

9.3CVSS7AI score0.11675EPSS
Exploits6References6Affected Software1
PyPA
PyPA
•added 2022/04/18 7:15 p.m.•6 views

PYSEC-2022-194

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content...

6.2CVSS7AI score0.01317EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/04/16 4:15 p.m.•6 views

PYSEC-2022-43153

Wasm3 0.5.0 has a heap-based buffer overflow in NewCodePage in m3code.c called indirectly from CompileBranchTable in m3compile.c...

5.5CVSS7.5AI score0.00597EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/04/13 7:15 p.m.•6 views

PYSEC-2022-188

Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue...

9.8CVSS8.1AI score0.02788EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/03/30 10:15 a.m.•6 views

PYSEC-2022-176

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service ReDoS attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher...

7.5CVSS7AI score0.01904EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/03/29 5:15 p.m.•6 views

PYSEC-2022-174

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisheracl, if a user configured in the publisheracl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid,...

8.8CVSS7AI score0.01315EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/03/28 2:15 a.m.•6 views

PYSEC-2022-168

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled...

9.1CVSS6.9AI score0.02811EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/21 10:15 p.m.•6 views

PYSEC-2022-234

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS...

9.8CVSS7.5AI score0.01828EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/17 10:15 p.m.•6 views

PYSEC-2022-166

In Paramiko before 2.10.1, a race condition between creation and chmod in the writeprivatekeyfile function could allow unauthorized information disclosure...

5.9CVSS6.6AI score0.0208EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/03/17 12:15 p.m.•6 views

PYSEC-2022-165

The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of executecommand and executecommandbyuuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. Note: Exploitation...

8CVSS7AI score0.01113EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2022/03/15 3:15 p.m.•6 views

PYSEC-2022-167

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0...

5.3CVSS6.7AI score0.01272EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/03/10 9:15 a.m.•6 views

PYSEC-2022-186

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would...

7.5CVSS7.1AI score0.01817EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/03/04 8:15 p.m.•6 views

PYSEC-2022-31

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution RCE via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution...

8.8CVSS8AI score0.02927EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/02/25 9:15 a.m.•6 views

PYSEC-2022-29

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the origin query argument. This issue affects Apache Airflow versions 2.2.3 and below...

6.1CVSS6.5AI score0.02561EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/20 6:15 p.m.•6 views

PYSEC-2022-38

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobble...

7.1CVSS6.4AI score0.00306EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/02/19 12:15 a.m.•6 views

PYSEC-2022-37

An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function checkforinvalidimports can allow Cheetah code to import Python modules via the "from MODULE import" substring. Only lines beginning with import are blocked...

7.8CVSS7.3AI score0.00495EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-96

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior...

9.8CVSS7.2AI score0.00888EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-86

Tensorflow is an Open Source Machine Learning Framework. The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, ...

6.5CVSS7AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-84

Tensorflow is an Open Source Machine Learning Framework. The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements. The fix will be included in...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-90

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that IsSimplifiableReshape would trigger CHECK failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this...

6.5CVSS6.8AI score0.01151EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-66

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would trigger a division by zero in BiasAndClamp implementation. There is no check that the biassize is non zero. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on...

6.5CVSS7AI score0.00757EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-153

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a SavedModel file fixing the first one would trigger the same...

6.5CVSS7AI score0.01097EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-88

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that SafeToRemoveIdentity would trigger CHECK failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this...

6.5CVSS6.8AI score0.00821EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-123

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both embeddingsize and lookupsize are products of values provided by the user. Hence, a malicious user could trigger overflows in the...

8.8CVSS7.1AI score0.01173EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-152

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that Grappler optimizer would attempt to build a tensor using a reference dtype. This would result in a crash due to a CHECK-fail in the Tensor constructor as...

6.5CVSS6.8AI score0.00864EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-138

Tensorflow is an Open Source Machine Learning Framework. There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write. Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg from outside the...

8.8CVSS7AI score0.00837EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-98

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a SavedModel file fixing the first one would trigger the same...

6.5CVSS7AI score0.01097EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-93

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After png::CommonFreeDecode gets called, the values of decode.width and decode.height are in an unspecified state. The fix will be included in TensorFlow 2.8.0. ...

7.6CVSS7AI score0.00725EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-74

Tensorflow is an Open Source Machine Learning Framework. An attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on...

6.5CVSS6.9AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•6 views

PYSEC-2022-150

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this comm...

6.5CVSS6.8AI score0.008EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/03 3:15 p.m.•6 views

PYSEC-2022-64

Tensorflow is an Open Source Machine Learning Framework. The implementation of SparseCountSparseOutput is vulnerable to a heap overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also...

8.8CVSS7.1AI score0.00788EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/03 2:15 p.m.•6 views

PYSEC-2022-61

Tensorflow is an Open Source Machine Learning Framework. The implementation of Bincount operations allows malicious users to cause denial of service by passing in arguments which would trigger a CHECK-fail. There are several conditions that the input arguments must satisfy. Some are not caught...

6.5CVSS6.7AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•6 views

PYSEC-2022-113

Tensorflow is an Open Source Machine Learning Framework. The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as...

6.5CVSS7AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•6 views

PYSEC-2022-133

Tensorflow is an Open Source Machine Learning Framework. Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails i.e., assertion failures. This is similar to TFSA-2021-198 and has similar fixes. We have patched the reported issues in multiple GitHub commits. I...

6.5CVSS7AI score0.00458EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•6 views

PYSEC-2022-59

Tensorflow is an Open Source Machine Learning Framework. The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow...

6.5CVSS6.9AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•6 views

PYSEC-2022-58

Tensorflow is an Open Source Machine Learning Framework. The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as...

6.5CVSS7AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•6 views

PYSEC-2022-108

Tensorflow is an Open Source Machine Learning Framework. The implementation of UnravelIndex is vulnerable to a division by zero caused by an integer overflow bug. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlo...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 12:15 p.m.•6 views

PYSEC-2022-77

Tensorflow is an Open Source Machine Learning Framework. The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects so, an assert failure based denial of service. We are missing some validation on the...

6.5CVSS7.1AI score0.008EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/03 12:15 p.m.•6 views

PYSEC-2022-55

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion. The axis argument is translated into concatdim in the ConcatShapeHelper helper function. Then, a...

6.5CVSS6.8AI score0.00845EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/03 12:15 p.m.•6 views

PYSEC-2022-57

Tensorflow is an Open Source Machine Learning Framework. The implementation of StringNGrams can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on padwitdh and that result in computing a negative value for...

6.5CVSS6.8AI score0.00821EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 12:15 p.m.•6 views

PYSEC-2022-110

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion. The axis argument is translated into concatdim in the ConcatShapeHelper helper function. Then, a...

6.5CVSS6.8AI score0.00845EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/03 11:15 a.m.•6 views

PYSEC-2022-106

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for Dequantize is vulnerable to an integer overflow weakness. The axis argument can be -1 the default value for the optional argument or any other positive value at most the number of dimensions of the...

8.8CVSS7.6AI score0.00659EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 2:15 a.m.•6 views

PYSEC-2022-20

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files...

7.5CVSS7AI score0.49246EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/02/01 2:15 p.m.•6 views

PYSEC-2022-36

Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher...

6.5CVSS6.7AI score0.07863EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/01/28 10:15 p.m.•6 views

PYSEC-2022-18

Cross-site Scripting XSS - Reflected in Pypi calibreweb prior to 0.6.16...

8.5CVSS6.3AI score0.00853EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/01/28 10:15 p.m.•6 views

PYSEC-2022-21

Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the imageviewfullscre...

6.1CVSS5.9AI score0.00735EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/01/26 2:15 p.m.•6 views

PYSEC-2022-48

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to...

6.5CVSS6.9AI score0.0266EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/01/19 10:15 p.m.•6 views

PYSEC-2022-12

IPython Interactive Python is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary...

8.8CVSS9.6AI score0.00657EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/01/18 11:15 p.m.•6 views

PYSEC-2022-45

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. The website mode of the onionshare allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure...

5.3CVSS6.8AI score0.01248EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000