Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
•added 2021/10/14 4:15 p.m.•5 views

PYSEC-2021-379

OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html, there are a whole host of cross-site scripting possibilities with...

9.8CVSS6AI score0.01006EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/10/14 4:15 p.m.•5 views

PYSEC-2021-372

OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html, there are a whole host of cross-site scripting possibilities with...

9.8CVSS6AI score0.01006EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/10/07 2:15 p.m.•5 views

PYSEC-2021-878

The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601. and https://github.com/nisdn/CVE-2021-40978/issues/1...

7.5CVSS7AI score0.14759EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2021/10/07 6:15 a.m.•5 views

PYSEC-2021-357

The Unicorn framework through 0.35.3 for Django allows XSS via component.name...

5.4CVSS6.2AI score0.02524EPSS
Exploits4References2Affected Software1
PyPA
PyPA
•added 2021/10/04 10:15 a.m.•5 views

PYSEC-2021-429

SLO generator allows for loading of YAML files that if crafted in a specific format can allow for code execution within the context of the SLO Generator. We recommend upgrading SLO Generator past https://github.com/google/slo-generator/pull/173...

7.8CVSS7.6AI score0.0158EPSS
Exploits4References3Affected Software1
PyPA
PyPA
•added 2021/09/09 3:15 p.m.•5 views

PYSEC-2021-326

The variable import endpoint was not protected by authentication in Airflow =2.0.0, =2.0.0, 2.1.3...

9.8CVSS8.1AI score0.80938EPSS
Exploits2References3Affected Software1
PyPA
PyPA
•added 2021/09/08 6:15 p.m.•5 views

PYSEC-2021-359

Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious...

7.2CVSS6.8AI score0.007EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/09/08 3:15 p.m.•5 views

PYSEC-2021-318

An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and sourcehash URLs can gain full file system access as root on a salt minion...

7.5CVSS7.2AI score0.03514EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/09/08 3:15 p.m.•5 views

PYSEC-2021-346

An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software...

6.4CVSS6.9AI score0.00346EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/09/03 4:15 p.m.•5 views

PYSEC-2021-317

The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service ReDoS via the getrgb function...

7.5CVSS7AI score0.03154EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/08/31 6:15 p.m.•5 views

PYSEC-2021-361

An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extradhcpopts value...

6.5CVSS6.9AI score0.0189EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/08/27 7:15 p.m.•5 views

PYSEC-2021-343

Cross Site Scripting XSS in Mezzanine v4.3.1 allows remote attackers to execute arbitrary code via the 'Description' field of the component 'admin/blog/blogpost/add/'. This issue is different than CVE-2018-16632...

6.1CVSS6.9AI score0.01119EPSS
Exploits2References2Affected Software1
PyPA
PyPA
•added 2021/08/27 7:15 p.m.•5 views

PYSEC-2021-347

Cross Site Scripting XSS in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary code via line 54 of the component 'simiki/blob/master/simiki/generators.py'...

6.1CVSS6.9AI score0.01119EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/08/23 1:15 a.m.•5 views

PYSEC-2021-121

An XML external entity XXE injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected...

7.5CVSS7.3AI score0.01524EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/16 8:15 a.m.•5 views

PYSEC-2021-116

This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output...

7.8CVSS7.2AI score0.00789EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/16 8:15 a.m.•5 views

PYSEC-2021-122

If remote logging is not used, the worker in the case of CeleryExecutor or the scheduler in the case of LocalExecutor runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG...

5.3CVSS7.3AI score0.04022EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/13 12:15 a.m.•5 views

PYSEC-2021-312

TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions, some functions such as MutableHashTableShape produce extra output information in the form of a ShapeAndType struct. The shapes embedded in this struct are owned by an inferenc...

6.6CVSS6.9AI score0.00163EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-795

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0. We have patched the issue in GitHub commit...

5.5CVSS6.9AI score0.00138EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-798

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's GatherNd implementation does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with...

5.5CVSS6.9AI score0.00191EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-592

TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a tf.mapfn within another tf.mapfn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tens...

7.8CVSS7.2AI score0.00181EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-581

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause denial of service in applications serving models using tf.rawops.UnravelIndex by triggering a division by 0. The implementation does not check that the tensor subsumed by dims is not...

5.5CVSS6.8AI score0.00154EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-590

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the shape inference code for tf.rawops.Dequantize has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference implementation use...

5.5CVSS7.1AI score0.00148EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-578

TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap...

7.8CVSS7AI score0.00185EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-793

TensorFlow is an end-to-end open source platform for machine learning. In affected versions all TFLite operations that use quantization can be made to use unitialized values. For example. The issue stems from the fact that quantization.params is only valid if quantization.type is different that...

7.1CVSS6.9AI score0.0018EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-576

TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in tf.rawops.QuantizeV2, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap allocated arrays. Th...

7.8CVSS7AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-294

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.rawops.SdcaOptimizerV2. The implementation does not check that the length of...

5.5CVSS6.9AI score0.00172EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-802

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. We have patched the issue in GitHub commit 0575b640091680cfb70f4dd93e70658de43b94f9. The fix will be...

5.5CVSS7AI score0.00152EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-309

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's GatherNd implementation does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with...

5.5CVSS6.9AI score0.00191EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-299

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the shape inference code for tf.rawops.Dequantize has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference implementation use...

5.5CVSS7.1AI score0.00148EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-788

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the shape inference code for tf.rawops.Dequantize has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference implementation use...

5.5CVSS7.1AI score0.00148EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-790

TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a tf.mapfn within another tf.mapfn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tens...

7.8CVSS7.2AI score0.00181EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-781

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.rawops.UpperBound. The implementation does not validate the rank of sortedinput...

5.5CVSS6.9AI score0.00169EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-780

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause denial of service in applications serving models using tf.rawops.NonMaxSuppressionV5 by triggering a division by 0. The implementation uses a user controlled argument to resize a...

5.5CVSS6.7AI score0.00175EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-585

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.rawops.SdcaOptimizerV2. The implementation does not check that the length of...

5.5CVSS6.9AI score0.00172EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-776

TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap...

7.8CVSS7AI score0.00185EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•5 views

PYSEC-2021-306

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0. We have patched the issue in GitHub commit...

5.5CVSS6.9AI score0.00138EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-302

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of fully connected layers in TFLite is vulnerable to a division by zero error. We have patched the issue in GitHub commit 718721986aa137691ee23f03638867151f74935f. The fix will be includ...

5.5CVSS6.9AI score0.00152EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-759

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for tf.rawops.SaveV2 does not properly validate the inputs and an attacker can trigger a null pointer dereference. The implementation uses ValidateInputs to check that the input arguments are vali...

7.8CVSS7.2AI score0.00186EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-565

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for tf.rawops.BoostedTreesCreateEnsemble can result in a use after free error if an attacker supplies specially crafted arguments. The implementation uses a reference counted resource an...

7.8CVSS7.1AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-763

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for tf.rawops.BoostedTreesCreateEnsemble can result in a use after free error if an attacker supplies specially crafted arguments. The implementation uses a reference counted resource an...

7.8CVSS7.1AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-561

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for tf.rawops.SaveV2 does not properly validate the inputs and an attacker can trigger a null pointer dereference. The implementation uses ValidateInputs to check that the input arguments are vali...

7.8CVSS7.2AI score0.00186EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-311

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. This is caused by the MLIR optimization of L2NormalizeReduceAxis...

7.8CVSS6.9AI score0.00165EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-297

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation i...

5.5CVSS6.8AI score0.0016EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-579

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in tf.rawops.RaggedTensorToVariant. The implementation has an incomplete validation of the splits values, missing the case...

7.8CVSS7AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-786

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation i...

5.5CVSS6.8AI score0.0016EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-782

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in tf.rawops.Map and tf.rawops.OrderedMap operations. The implementation has a check in place to ensure that indices is in...

7.8CVSS7AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 10:15 p.m.•5 views

PYSEC-2021-589

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in tf.rawops.SparseFillEmptyRows. The shape inference implementation does not validate that the input arguments are not empt...

7.8CVSS6.9AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 9:15 p.m.•5 views

PYSEC-2021-773

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can generate undefined behavior via a reference binding to nullptr in BoostedTreesCalculateBestGainsPerFeature and similar attack can occur in BoostedTreesCalculateBestFeatureSplitV2. The...

7.8CVSS6.9AI score0.00189EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 9:15 p.m.•5 views

PYSEC-2021-273

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for tf.rawops.FractionalAvgPoolGrad can be tricked into accessing data outside of bounds of heap allocated buffers. The implementation does not validate that the input tensor is non-empt...

7.8CVSS7.4AI score0.00174EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 9:15 p.m.•5 views

PYSEC-2021-266

TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to numelements list argument of tf.rawops.TensorListReserve causes the runtime to abort the process due to reallocating a std::vector to have a negative number of elements. The...

5.5CVSS6.9AI score0.00152EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities5000