Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2022/10/06 6:16 p.m.•5 views

PYSEC-2022-302

Path Traversal in GitHub repository ikus060/rdiffweb prior to 2.4.10...

8.2CVSS6.8AI score0.00997EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/09/30 2:15 p.m.•5 views

PYSEC-2022-299

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3...

7.5CVSS6.8AI score0.00983EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/09/19 4:15 p.m.•5 views

PYSEC-2022-43115

The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version is 0.1.0...

9.8CVSS7AI score0.01033EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/19 4:15 p.m.•5 views

PYSEC-2022-43121

The d8s-math for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0...

9.8CVSS7AI score0.01238EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/09/19 3:15 p.m.•5 views

PYSEC-2022-43104

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0...

9.8CVSS7AI score0.01033EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/13 9:15 p.m.•5 views

PYSEC-2022-275

LIEF commit 5d1d643 was discovered to contain a segmentation violation via the function LIEF::MachO::SegmentCommand::fileoffset at /MachO/SegmentCommand.cpp...

5.5CVSS7.3AI score0.00291EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/09/13 10:15 a.m.•5 views

PYSEC-2022-271

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2...

7.5CVSS6.8AI score0.00556EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/08 7:15 p.m.•5 views

PYSEC-2022-268

Improper Restriction of Rendered UI Layers or Frames in GitHub repository ikus060/rdiffweb prior to 2.4.1...

10CVSS6.7AI score0.00933EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/09/01 6:15 p.m.•5 views

PYSEC-2022-43152

A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-middle MITM attacks...

7.4CVSS6.5AI score0.00508EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/08/27 8:15 p.m.•5 views

PYSEC-2022-43134

The exotel aka exotel-py package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party...

9.8CVSS7.6AI score0.01178EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2022/08/26 5:55 p.m.•5 views

PYSEC-2022-250

The exotel project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time...

7.2AI score
Exploits0References1Affected Software1
PyPA
PyPA
•added 2022/08/23 4:15 p.m.•5 views

PYSEC-2022-43067

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate use...

6.6CVSS6.5AI score0.00264EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2022/08/18 3:15 p.m.•5 views

PYSEC-2022-43146

py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the application.commands scope without the bot scope. Currently, it appears that all public bots that use slash commands are...

7.5CVSS7.1AI score0.00662EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/07/29 9:15 p.m.•5 views

PYSEC-2022-43072

An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. Previously minted tokens minted on the Chia blockchain using the CAT1 standard can be inflated to an arbitrary extent by any holder of any amount of the token. The total amount of the token can be increased as high as the...

7.5CVSS7AI score0.00734EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/07/27 2:15 p.m.•5 views

PYSEC-2022-43057

WASM3 v0.5.0 was discovered to contain a segmentation fault via the component CompileMemoryCopyFill...

5.5CVSS7.3AI score0.00275EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/07/25 11:15 p.m.•5 views

PYSEC-2022-237

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking...

7.5CVSS9.1AI score0.01215EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/07/13 12:15 p.m.•5 views

PYSEC-2022-238

This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method...

6.5CVSS6.9AI score0.00991EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•5 views

PYSEC-2022-43164

The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS7.9AI score0.01931EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•5 views

PYSEC-2022-219

The RootInteractive package in PyPI v0.0.5 to v0.0.19b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS8AI score0.01857EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•5 views

PYSEC-2022-43132

The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS8AI score0.01896EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/06/14 6:15 p.m.•5 views

PYSEC-2022-212

Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with ContentsManager.allowhidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files...

4.3CVSS6.9AI score0.0103EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2022/06/08 8:15 p.m.•5 views

PYSEC-2022-43147

pyanxdns package in PyPI version 0.2 is vulnerable to code execution backdoor. The impact is: execute arbitrary code remote. When installing the pyanxdns package of version 0.2, the request package will be installed...

9.8CVSS8.2AI score0.022EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/06/08 6:15 p.m.•5 views

PYSEC-2022-43056

The keep for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2...

9.8CVSS7AI score0.02344EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/06/02 2:15 p.m.•5 views

PYSEC-2022-42973

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes...

8.6CVSS7.2AI score0.01339EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/05/25 1:15 a.m.•5 views

PYSEC-2022-203

DISPUTED Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported...

9.8CVSS6.9AI score0.07663EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/05/08 6:15 a.m.•5 views

PYSEC-2022-182

ADMesh through 0.98.4 has a heap-based buffer over-read in stlupdateconnectsremove1 called from stlremovedegenerate in connect.c in libadmesh.a...

8.1CVSS7.2AI score0.0102EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/05/06 5:15 p.m.•5 views

PYSEC-2022-184

Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an...

9.1CVSS6.8AI score0.01343EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2022/05/04 10:15 p.m.•5 views

PYSEC-2022-42999

DISPUTED In the python-libnmap package through 0.7.2 for Python, remote command execution can occur if used in a client application that does not validate arguments. NOTE: the vendor believes it would be unrealistic for an application to call NmapProcess with arguments taken from input data that...

9.8CVSS7.2AI score0.04936EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2022/04/26 4:15 p.m.•5 views

PYSEC-2022-43150

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure...

7.5CVSS6.7AI score0.03137EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2022/04/04 6:15 p.m.•5 views

PYSEC-2022-195

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...

8.1CVSS7AI score0.028EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/03/29 5:15 p.m.•5 views

PYSEC-2022-171

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data...

8.8CVSS7.1AI score0.00861EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/03/29 5:15 p.m.•5 views

PYSEC-2022-172

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master...

4.3CVSS7AI score0.01586EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/03/24 5:15 p.m.•5 views

PYSEC-2022-43141

MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured...

7.5CVSS6.7AI score0.06829EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/03/24 9:15 a.m.•5 views

PYSEC-2022-175

Insecure Temporary File in GitHub repository horovod/horovod prior to 0.24.0...

8.2CVSS6.8AI score0.00922EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/14 6:15 p.m.•5 views

PYSEC-2022-163

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the updaterepo function when using hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

9.8CVSS7.6AI score0.03652EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/11 1:15 p.m.•5 views

PYSEC-2022-177

Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2...

9.1CVSS6.7AI score0.02256EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2022/03/11 12:15 a.m.•5 views

PYSEC-2022-43135

FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges...

8.8CVSS7.3AI score0.01035EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/03/10 5:47 p.m.•5 views

PYSEC-2022-43170

An XXE issue was discovered in Tryton Application Platform Server 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform Command Line Client proteus 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user...

6.5CVSS6.9AI score0.01374EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2022/03/04 5:15 p.m.•5 views

PYSEC-2022-162

Weblate is a web based localization tool with tight version control integration. Prior to version 4.11.1, Weblate didn't properly sanitize some arguments passed to Git and Mercurial, allowing them to change their behavior in an unintended way. Instances where untrusted users cannot create new...

7AI score
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/03/02 4:15 a.m.•5 views

PYSEC-2022-159

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1...

8.8CVSS6.7AI score0.01243EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/25 9:15 a.m.•5 views

PYSEC-2022-30

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI...

8.8CVSS7.2AI score0.7788EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-75

Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in Grappler. The setoutput function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. We will also...

8.8CVSS7AI score0.00924EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-151

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior...

9.8CVSS7.2AI score0.00888EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-97

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that Grappler optimizer would attempt to build a tensor using a reference dtype. This would result in a crash due to a CHECK-fail in the Tensor constructor as...

6.5CVSS6.8AI score0.00864EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-82

Tensorflow is an Open Source Machine Learning Framework. The implementation of AssignOp can result in copying uninitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized to minimize number of...

8.8CVSS6.9AI score0.00755EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-145

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that IsSimplifiableReshape would trigger CHECK failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this...

6.5CVSS6.8AI score0.01151EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-136

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is covered by the DCHECK function however, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first cas...

6.5CVSS7AI score0.00992EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-125

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive...

8.8CVSS7.1AI score0.0054EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-137

Tensorflow is an Open Source Machine Learning Framework. The implementation of AssignOp can result in copying uninitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized to minimize number of...

8.8CVSS6.9AI score0.00755EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•5 views

PYSEC-2022-92

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer...

6.5CVSS6.8AI score0.00872EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000