Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-211

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPool3DGradGrad exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The...

7.8CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-229

TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209https://vulners.com/cve/CVE-2020-15209 missed the case when the target shape of Reshape operator is given by the elements of a 1-D tensor. As such, the fix for the...

7.8CVSS6.9AI score0.008EPSS
Exploits2References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-741

TensorFlow is an end-to-end open source platform for machine learning. The implementation of ParseAttrValuehttps://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/framework/attrvalueutil.ccL397-L453 can be tricked into stack overflow due to recursion...

5.5CVSS7.2AI score0.00204EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-536

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in tf.rawops.RaggedTensorToTensor, an attacker can exploit an undefined behavior if input arguments are empty. The...

7.8CVSS7AI score0.00234EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-254

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via CHECK-fail in tf.strings.substr with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3,...

5.5CVSS6.8AI score0.0023EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-545

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via CHECK-fail in tf.strings.substr with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3,...

5.5CVSS6.8AI score0.0023EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-670

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.QuantizeAndDequantizeV4Grad. This is because the...

5.5CVSS6.7AI score0.0031EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-533

TensorFlow is an end-to-end open source platform for machine learning. The TFLite code for allocating TFLiteIntArrays is vulnerable to an integer overflow issuehttps://github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.cL24-L27. An attacker can...

7.1CVSS7.4AI score0.0022EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-231

TensorFlow is an end-to-end open source platform for machine learning. TFLite's convolution codehttps://github.com/tensorflow/tensorflow/blob/09c73bca7d648e961dd05898292d91a8322a9d45/tensorflow/lite/kernels/conv.cc has multiple division where the divisor is controlled by the user and not checked ...

7.8CVSS7AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-171

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.SparseConcat. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-460

TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to tf.rawops.RaggedCross. This is because the...

7.1CVSS6.8AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-537

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseAdd results in allowing attackers to exploit undefined behavior dereferencing null pointers as well as write outside of bounds of heap allocated data. The...

7.8CVSS7.2AI score0.00234EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-659

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK failure by passing an empty image to tf.rawops.DrawBoundingBoxes. This is because the...

5.5CVSS7AI score0.00217EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-201

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of tf.rawops.EditDistance. This is because the...

5.5CVSS7AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-158

TensorFlow is an end-to-end open source platform for machine learning. Specifying a negative dense shape in tf.rawops.SparseCountSparseOutput results in a segmentation fault being thrown out from the standard library as std::vector invariants are broken. This is because the...

5.5CVSS6.9AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•6 views

PYSEC-2021-256

TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments e.g., discovered via fuzzing to tf.rawops.SparseCountSparseOutput results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow...

5.5CVSS7AI score0.00194EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/14 7:15 p.m.•6 views

PYSEC-2021-680

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in tf.rawops.DenseCountSparseOutput. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/05/13 7:15 p.m.•6 views

PYSEC-2021-47

Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either 'infinity', 'inf' or float'inf' or their negatives to datetime or date fields causes validation to run forever with 100% CPU usage on one CPU. Pydantic has been patched with fixes...

7.5CVSS6.8AI score0.00967EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/05/11 3:15 p.m.•6 views

PYSEC-2021-135

Synapse is a Matrix reference homeserver written in python pypi package matrix-synapse. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including eventmatch, which matches event...

5.3CVSS6.8AI score0.01647EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/05/11 2:15 p.m.•6 views

PYSEC-2021-29

The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not .log files...

6.5CVSS6.9AI score0.0149EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/04/29 9:15 p.m.•6 views

PYSEC-2021-64

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential...

7.5CVSS6.9AI score0.01797EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/04/27 10:15 a.m.•6 views

PYSEC-2021-128

Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click...

6.1CVSS6.8AI score0.63768EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/04/15 9:15 p.m.•6 views

PYSEC-2021-22

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perfor...

7.7CVSS6.9AI score0.01194EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/04/12 2:15 p.m.•6 views

PYSEC-2021-147

in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting XSS due to user input not being validated properly when processed by the server. Therefore, an attacker can inject arbitrary JavaScript code inside the application, and possibly steal a user’s sensitive...

5.4CVSS6.7AI score0.0066EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/04/07 2:15 p.m.•6 views

PYSEC-2021-18

CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link...

7.5CVSS7.1AI score0.01047EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/04/06 7:15 p.m.•6 views

PYSEC-2021-111

projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project type...

8.1CVSS7.4AI score0.01381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/04/06 3:15 p.m.•6 views

PYSEC-2021-6

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability...

5.3CVSS7.1AI score0.03865EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2021/04/01 8:15 p.m.•6 views

PYSEC-2021-34

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries...

7.5CVSS7AI score0.01713EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/04/01 6:15 p.m.•6 views

PYSEC-2021-107

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the nolog feature. An...

5.5CVSS6.4AI score0.00333EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/03/26 8:15 p.m.•6 views

PYSEC-2021-134

Synapse is a Matrix reference homeserver written in python pypi package matrix-synapse. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject...

6.1CVSS7AI score0.01392EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/03/23 6:15 p.m.•6 views

PYSEC-2021-432

Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free or realloc calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and ...

7.1CVSS6.7AI score0.01811EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/03/19 4:15 a.m.•6 views

PYSEC-2021-35

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654...

9.8CVSS7.5AI score0.02281EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/03/19 4:15 a.m.•6 views

PYSEC-2021-36

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size...

7.5CVSS6.9AI score0.02372EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/03/19 4:15 a.m.•6 views

PYSEC-2021-38

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS ReDoS attack via a crafted PDF file because of a catastrophic backtracking regex...

6.5CVSS7AI score0.01635EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/03/09 1:15 a.m.•6 views

PYSEC-2021-43

Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Gener...

5.3CVSS6.3AI score0.01525EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/03/08 9:15 p.m.•6 views

PYSEC-2021-44

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this...

6.5CVSS6.5AI score0.01505EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/03/03 4:15 p.m.•6 views

PYSEC-2021-20

markdown2 =1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time...

7.5CVSS6.9AI score0.02384EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2021/03/03 9:15 a.m.•6 views

PYSEC-2021-40

Pillow before 8.1.1 allows attackers to cause a denial of service memory consumption because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large...

7.5CVSS6.7AI score0.0317EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/02/27 5:15 a.m.•6 views

PYSEC-2021-53

An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level...

4.4CVSS7AI score0.00539EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/02/27 5:15 a.m.•6 views

PYSEC-2021-57

An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via sshoptions provided in an API request...

9.8CVSS7.4AI score0.72327EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/02/27 5:15 a.m.•6 views

PYSEC-2021-75

In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated...

7.4CVSS6.9AI score0.02954EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2021/02/27 5:15 a.m.•6 views

PYSEC-2021-54

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. They might be used to run command against the salt master or minions...

9.1CVSS7.1AI score0.05196EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/02/09 9:15 p.m.•6 views

PYSEC-2021-142

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the fullload method or with the FullLoader loader. Applications that use the library to process untrusted input may be...

10CVSS8.2AI score0.05984EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/02/08 8:15 p.m.•6 views

PYSEC-2021-16

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said...

7.5CVSS6.9AI score0.03876EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/02/02 5:58 p.m.•6 views

PYSEC-2021-865

In Mozilla Bleach before 3.3.0, a mutation XSS affects users calling bleach.clean with math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with stripcomments=False...

6.1CVSS6.3AI score0.00483EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/01/21 3:15 p.m.•6 views

PYSEC-2021-48

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping...

6.5CVSS6.8AI score0.01078EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/01/13 4:15 a.m.•6 views

PYSEC-2021-67

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an xsrf field, as demonstrated by a /hub/api/user request to add or remove a user account...

4.5CVSS9.1AI score0.00499EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/01/12 9:15 a.m.•6 views

PYSEC-2021-70

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode...

8.8CVSS7.4AI score0.01789EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2021/01/11 10:15 a.m.•6 views

PYSEC-2021-876

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface...

6.5CVSS7AI score0.01728EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2021/01/06 5:15 p.m.•6 views

PYSEC-2021-5

CairoSVG is a Python pypi package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service REDoS vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regula...

5.7CVSS6.7AI score0.01466EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities5000