Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2023/11/30 7:15 a.m.•5 views

PYSEC-2023-250

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request e.g. to insert a new header or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the...

7.2CVSS6.8AI score0.00874EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2023/11/29 7:15 p.m.•5 views

PYSEC-2023-254

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling loadpempkcs7certificates or loadderpkcs7certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service...

7.5CVSS6.3AI score0.00985EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2023/11/24 8:15 a.m.•5 views

PYSEC-2023-268

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.The information exposed to unauthorized actors may include sensitive data such as database credentials.Users who can't upgrade to the fixed version can also set environment variable...

7.5CVSS6.7AI score0.01201EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/11/09 4:15 p.m.•5 views

PYSEC-2023-234

An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm...

7.5CVSS6.6AI score0.00476EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/10/25 9:15 p.m.•5 views

PYSEC-2023-224

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, th...

5.3CVSS6.9AI score0.00766EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/10/25 6:17 p.m.•5 views

PYSEC-2023-228

When installing a package from a Mercurial VCS URL ie "pip install hg+..." with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call ie "--config". Controlling the Mercurial configuration can modify how and which...

5.5CVSS7.5AI score0.00476EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/10/20 12:15 a.m.•5 views

PYSEC-2023-214

Home assistant is an open source home automation. The audit team’s analyses confirmed that the redirecturi and clientid are alterable when logging in. Consequently, the code parameter utilized to fetch the accesstoken post-authentication will be sent to the URL specified in the aforementioned...

5.4CVSS7AI score0.00395EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/10/19 10:15 p.m.•5 views

PYSEC-2023-213

Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py...

7.5CVSS6.6AI score0.0022EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/10/19 5:15 a.m.•5 views

PYSEC-2023-205

LangChain before 0.0.317 allows SSRF via documentloaders/recursiveurlloader.py because crawling can proceed from an external server to an internal server...

8.8CVSS7AI score0.44711EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/10/14 10:15 a.m.•5 views

PYSEC-2023-202

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dagids and the stack-traces of import errors for those DAGs with import...

6.5CVSS6.7AI score0.01071EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/10/09 8:15 p.m.•5 views

PYSEC-2023-194

langchainexperimental 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method...

9.8CVSS7.9AI score0.01074EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/10/02 8:15 p.m.•5 views

PYSEC-2023-187

An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application...

5.3CVSS6.9AI score0.00514EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/09/29 9:14 p.m.•5 views

PYSEC-2023-183

opencv-python versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2...

8.8CVSS8.1AI score0.99735EPSS
Exploits9References3Affected Software1
PyPA
PyPA
•added 2023/09/12 12:15 p.m.•5 views

PYSEC-2023-170

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allowsauthenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.Users should upgrade to...

4.3CVSS6.9AI score0.01305EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/26 12:15 p.m.•5 views

PYSEC-2023-126

PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted inthe ability to execute arbitrary commands on the operating system...

9.8CVSS8.3AI score0.01997EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/07/12 10:15 a.m.•5 views

PYSEC-2023-105

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the runid parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version th...

6.5CVSS6.6AI score0.01044EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/03 9:15 p.m.•5 views

PYSEC-2023-98

An issue in langchain v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method...

9.8CVSS8AI score0.01074EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/06/29 9:15 p.m.•5 views

PYSEC-2023-96

requests-xml v0.2.3 was discovered to contain an XML External Entity Injection XXE vulnerability which allows attackers to execute arbitrary code via a crafted XML file...

7.5CVSS8.5AI score0.00731EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/06/01 2:15 a.m.•5 views

PYSEC-2023-83

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette...

7.5CVSS7AI score0.02032EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/05/26 6:15 p.m.•5 views

PYSEC-2023-74

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuildproxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent...

6.1CVSS9.1AI score0.02782EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/05/17 9:15 p.m.•5 views

PYSEC-2023-69

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1...

9.8CVSS6.8AI score0.06311EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/05/12 9:15 p.m.•5 views

PYSEC-2023-71

Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in...

5.5CVSS6.9AI score0.00255EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/05/11 2:15 a.m.•5 views

PYSEC-2023-70

A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter...

7.5CVSS6.9AI score0.00996EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/04/21 4:15 p.m.•5 views

PYSEC-2023-48

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service...

7.5CVSS7AI score0.01288EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/04/19 8:15 p.m.•5 views

PYSEC-2023-20

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur...

7.5CVSS7AI score0.00784EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/03/15 10:15 a.m.•5 views

PYSEC-2023-2

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2...

5.3CVSS6.9AI score0.01382EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/02/22 9:15 a.m.•5 views

PYSEC-2023-33

Cross-site Scripting XSS - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5...

4.8CVSS6.2AI score0.00494EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/02/17 6:15 p.m.•5 views

PYSEC-2023-289

An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4...

8.8CVSS6.8AI score0.01005EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/02/14 8:15 p.m.•5 views

PYSEC-2023-57

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =Host-test=bad for another subdomain...

3.5CVSS7.4AI score0.00507EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/01/26 11:15 p.m.•5 views

PYSEC-2023-31

Cross-site Scripting XSS - Stored in GitHub repository modoboa/modoboa prior to 2.0.4...

7.1CVSS6AI score0.00498EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/01/26 9:15 p.m.•5 views

PYSEC-2023-38

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the externaldata field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"...

7.5CVSS7AI score0.01608EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2023/01/23 2:15 p.m.•5 views

PYSEC-2023-284

Cross-Site Request Forgery CSRF in GitHub repository modoboa/modoboa prior to 2.0.4...

6.5CVSS6.7AI score0.00342EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2022/12/27 3:15 p.m.•5 views

PYSEC-2022-43008

Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5...

7.2CVSS6.8AI score0.0113EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/19 10:15 p.m.•5 views

PYSEC-2022-43151

Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc...

9.1CVSS7.3AI score0.01042EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/12/15 9:15 p.m.•5 views

PYSEC-2022-43061

A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic. Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photodetail.html of the component Default Template Handler. The manipulation of the argument object.caption...

6.1CVSS5.9AI score0.0051EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/12/15 7:15 p.m.•5 views

PYSEC-2022-43060

The Apache Bookkeeper Java Client before 4.14.6 and also 4.15.0 does not close the connection to the bookkeeper server when TLS hostname verification fails. This leavesthe bookkeeper client vulnerable to a man in the middle attack.The problem affects BookKeeper client prior to versions 4.14.6 and...

5.9CVSS6.9AI score0.01021EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/12/13 6:15 p.m.•5 views

PYSEC-2022-43062

A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparserfindproxy of the file src/pacparser.c. The manipulation of the argument url leads to buffer overflow. Attacking locally is a requirement. Upgrading to version 1.4....

7.8CVSS7.1AI score0.00435EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/11/25 7:15 p.m.•5 views

PYSEC-2022-42996

MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems not Windows or macos, MPXJ's use of File.createTempFile.. results in temporary files being created with the permissions -rw-r--r--. This means that any other...

3.3CVSS6.5AI score0.00208EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/11/14 9:15 p.m.•5 views

PYSEC-2022-43000

Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0...

9.8CVSS6.8AI score0.00876EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/11/14 7:15 a.m.•5 views

PYSEC-2022-42980

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL...

7.5CVSS6.9AI score0.01102EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/11/11 9:15 p.m.•5 views

PYSEC-2022-43018

WsgiDAV is a generic and extendable WebDAV server based on WSGI. Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting XSS attacks. This issue has been patched, users can upgrade to version 4.1.0. As a workaround, set dirbrowser.enable = Fal...

8.2CVSS6.2AI score0.00339EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43085

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-grammars package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43081

The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-json package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.00991EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43100

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-grammars package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43096

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-dates package. The affected version of d8s-htm is 0.1.0...

8.8CVSS7.6AI score0.00972EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43127

The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-user-agents package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.00923EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43094

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-algorithms package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43128

The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-utility package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.00997EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43091

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-domains package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•5 views

PYSEC-2022-43129

The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000