Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
added yesterday4 views

tripleo-ansible may disclose important configuration details from an OpenStack deployment

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of...

5.5CVSS6.4AI score0.00201EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Saleor Unauthenticated Information Disclosure Vulnerability via Python Exceptions

ImpactSome internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests.Affected versions: Saleor ≥ 2.0.0 WorkaroundsNone For more informationIf you hav...

5.3CVSS6.2AI score0.00751EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow has Floating Point Exception in TFLite in conv kernel

ImpactConstructing a tflite model with a paramater filterinputchannel of less than 1 gives a FPE. PatchesWe have patched the issue in GitHub commit 34f8368c535253f5c9cb3a303297743b62442aaa.The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1. For...

7.5CVSS6.7AI score0.00391EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to Out-of-Bounds Read in GRUBlockCellGrad

ImpactOut of bounds read in GRUBlockCellGradpythonfunc = tf.rawops.GRUBlockCellGradpara = 'x': 21.1, 156.2, 83.3, 115.4, 'hprev': array136.5, 136.6, 'wru': array26.7, 0.8, 47.9, 26.1, 26.2, 26.3, 'wc': array 0.4, 31.5, 0.6, 'bru': array0.1, 0.2 , dtype=float32, 'bc': 0x41414141, 'r': array0.3, 0....

7.5CVSS7AI score0.00383EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

openstack-neutron uncontrolled resource consumption flaw

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significa...

6.5CVSS6.5AI score0.01056EPSS
Exploits0References12Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow has Segfault in Bincount with XLA

ImpactWhen running with XLA, tf.rawops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor.pythonimport tensorflow as tffunc = tf.rawops.Bincountpara='arr': 6, 'size': 804, 'weights': 52, [email protected]=Truedef fuzzjit...

7.5CVSS6.7AI score0.00391EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling

HTTP Response Smuggling vulnerability in Apache HTTP Server via modproxyuwsgi. This issue affects Apache HTTP Server from 2.4.30 through 2.4.55 and the uWSGI PyPI package prior to version 2.0.22. Special characters in the origin response header can truncate/split the response forwarded to the...

7.5CVSS7.1AI score0.02134EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added yesterday4 views

tripleo-ansible may disclose important configuration details from an OpenStack deployment

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information...

5.5CVSS6.3AI score0.002EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow has null dereference on ParallelConcat with XLA

ImpactWhen running with XLA, tf.rawops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero.pythonimport tensorflow as tffunc = tf.rawops.ParallelConcatpara = 'shape': 0, 'values': [email protected]=Truedef test: y = funcpa...

7.5CVSS6.7AI score0.00391EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`

ImpactWhen using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their...

7.6CVSS6.9AI score0.00641EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

Saleor has Staff-Authenticated Error Message Information Disclosure Vulnerability via Python Exceptions

ImpactSome internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests.This issue has been patched in versions 3.1.48, 3.7.59, 3.8.30, 3.9.27, 3.10.14...

6.5CVSS6.3AI score0.00817EPSS
Exploits0References12Affected Software1
PyPA
PyPA
added yesterday4 views

Open redirect in web2py

Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack...

6.1CVSS6.3AI score0.02382EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Cross-site Scripting in django-ajax-utilities

A vulnerability was found in Mobile Vikings Django AJAX Utilities and classified as problematic. This issue affects the function Pagination of the file djangoajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross site...

6.1CVSS3.8AI score0.00564EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

Improper Restriction of Excessive Authentication Attempts in modoboa

Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4...

7.8CVSS7AI score0.00653EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1...

7.5CVSS7.1AI score0.01499EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Apache AGE: Python and Golang drivers allow data manipulation and exposure due to SQL injection

There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition t...

8.1CVSS7.1AI score0.00948EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

OpenStack Cinder, glance, and Nova vulnerable to Path Traversal

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, a...

5.7CVSS6.8AI score0.01025EPSS
Exploits1References11Affected Software1
PyPA
PyPA
added yesterday4 views

Denial of service vulnerability on Password reset page

ImpactPrevious versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may stra...

7.5CVSS6.8AI score0.00908EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and...

7.4CVSS6.9AI score0.59501EPSS
Exploits0References15Affected Software1
PyPA
PyPA
added yesterday4 views

Cross-site Scripting in pyload-ng

Cross-site Scripting XSS - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42...

9.6CVSS6.8AI score0.00822EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Path traversal in binwalk

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 inclusive. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode -e option. Remo...

7.8CVSS7.3AI score0.22013EPSS
Exploits8References7Affected Software1
PyPA
PyPA
added yesterday4 views

Improper Input Validation in pyload-ng

Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40...

7.5CVSS6.5AI score0.00816EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

OpenStack Swift XML external entities (XXE) Injection

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data...

6.5CVSS6.9AI score0.01001EPSS
Exploits1References16Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Superset vulnerable to Cross-Site Request Forgery via legacy REST API endpoints

Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

8.8CVSS6.4AI score0.00567EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRFCOOKIEHTTPONLY leads to cookie without httponly flag. It is possible to...

5.3CVSS4.8AI score0.00612EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Superset's SQL Alchemy connector vulnerable to SQL Injection

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the featur...

5.4CVSS6.2AI score0.01194EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Superset vulnerable to Cross-site Scripting

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.4CVSS6.1AI score0.0124EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames

Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33...

6.1CVSS6AI score0.00456EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Superset has Improper Access Control

When explicitly enabling the feature flag DASHBOARDCACHE disabled by default, the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.3CVSS6.1AI score0.01229EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Superset is vulnerable to Cross-Site Scripting (XSS)

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.4CVSS6.1AI score0.01302EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Pyload Insufficient Session Expiration vulnerability

Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36...

8.3CVSS6.8AI score0.00655EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is...

5.3CVSS6AI score0.00436EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

sviehb/jefferson vulnerable to path traversal

A vulnerability has been found in the sviehb/jefferson JFFS2 filesystem extraction tool. This vulnerability affects unknown code of the file src/scripts/jefferson. The manipulation leads to path traversal. The attack can be initiated remotely. Upgrading to version 0.4 is able to address this issu...

7.5CVSS5.7AI score0.0074EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 Open Redirect vulnerability

Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL...

6.1CVSS6.3AI score0.0091EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday4 views

binwalk vulnerable to UNIX Symbolic Link (Symlink) Following

A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the...

6.5CVSS5.3AI score0.01933EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday4 views

`FractionalMaxPoolGrad` Heap out of bounds read

ImpactIf FractionMaxPoolGrad is given outsize inputs rowpoolingsequence and colpoolingsequence, TensorFlow will crash.pythonimport tensorflow as tftf.rawops.FractionMaxPoolGrad originput = 1, 1, 1, 1, 1, origoutput = 1, 1, 1, outbackprop = 3, 3, 6, rowpoolingsequence = -0x4000000, 1, 1,...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess

ImpactAn input poolingratio that is smaller than 1 will trigger a heap OOB in tf.rawops.FractionalMaxPool and tf.rawops.FractionalAvgPool. PatchesWe have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48.The fix will be included in TensorFlow 2.11.0. We will also cherry...

9.8CVSS7.2AI score0.00579EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite

ImpactThe reference kernel of the CONV3DTRANSPOSE TensorFlow Lite operator wrongly increments the dataptr when adding the bias to the result.Instead of dataptr += numchannels; it should be dataptr += outputnumchannels; as if the number of input channels is different than the number of output...

8.1CVSS7.3AI score0.00523EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to segfault in `QuantizedInstanceNorm`

ImpactIf QuantizedInstanceNorm is given xmin or xmax tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.pythonimport tensorflow as tfoutputrangegiven = Falsegivenymin = 0givenymax = 0varianceepsilon = 1e-05minseparation = 0.001x =...

7.5CVSS7AI score0.00423EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to `CHECK` fail in `CollectiveGather`

ImpactWhen CollectiveGather receives an scalar input input, it gives a CHECK fails that can be used to trigger a denial of service attack.pythonimport tensorflow as tfarg0=1arg1=1arg2=1arg3=1arg4=3, 3,3arg5='auto'arg6=0arg7=''tf.rawops.CollectiveGatherinput=arg0, groupsize=arg1, groupkey=arg2,...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to `CHECK` fail in `SetSize`

ImpactWhen SetSize receives an input setshape that is not a 1D tensor, it gives a CHECK fails that can be used to trigger a denial of service attack.pythonimport tensorflow as tfarg0=1arg1=1,1arg2=1arg3=Truearg4=''tf.rawops.SetSizesetindices=arg0, setvalues=arg1, setshape=arg2,...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to `CHECK` fail in `TensorListFromTensor`

ImpactWhen TensorListFromTensor receives an elementshape of a rank greater than one, it gives a CHECK fail that can trigger a denial of service attack.pythonimport tensorflow as tfarg0=tf.random.uniformshape=6, 6, 2, dtype=tf.bfloat16, maxval=Nonearg1=tf.random.uniformshape=6, 9, 1, 3,...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to integer overflow in math ops

ImpactWhen RangeSize receives values that do not fit into an int64t, it crashes.cpp auto size = std::isintegral::value ? Eigen::numext::abslimit - start + Eigen::numext::absdelta - T1 / Eigen::numext::absdelta : Eigen::numext::ceil Eigen::numext::abslimit - start / delta; // This check does not...

7.5CVSS7.1AI score0.00547EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to null dereference on MLIR on empty function attributes

ImpactEig can be fed an incorrect Tout input, resulting in a CHECK fail that can trigger a denial of service attack.pythonimport tensorflow as tfimport numpy as np arg0=tf.constantvalue=np.random.randomsize=2, 2, shape=2, 2, dtype=tf.float32arg1=tf.complex128arg2=Truearg3=''tf.rawops.Eiginput=arg...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to `CHECK` fail in `FakeQuantWithMinMaxVarsPerChannel`

ImpactIf FakeQuantWithMinMaxVarsPerChannel is given min or max tensors of a rank other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.pythonimport tensorflow as tfnumbits = 8narrowrange = Falseinputs = tf.constant0, shape=4, dtype=tf.float32min =...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to `CHECK` fail in `RaggedTensorToVariant`

ImpactIf RaggedTensorToVariant is given a rtnestedsplits list that contains tensors of ranks other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.pythonimport tensorflow as tfbatchedinput = Truertnestedsplits = tf.constant0,32,64, shape=3,...

7.5CVSS7AI score0.00383EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

TensorFlow vulnerable to `CHECK` fail in `QuantizeAndDequantizeV3`

ImpactIf QuantizeAndDequantizeV3 is given a nonscalar numbits input tensor, it results in a CHECK fail that can be used to trigger a denial of service attack.pythonimport tensorflow as tfsignedinput = Truerangegiven = Falsenarrowrange = Falseaxis = -1input = tf.constant-3.5, shape=1,...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2 days ago4 views

Uncontrolled Resource Consumption in asyncua and opcua

All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service DoS due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited numb...

7.5CVSS7.1AI score0.01063EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2 days ago4 views

TensorFlow vulnerable to `CHECK` fail in `Conv2DBackpropInput`

ImpactWhen Conv2DBackpropInput receives empty outbackprop inputs e.g. 3, 1, 0, 1, the current CPU/GPU kernels CHECK fail one with dnnl, the other with cudnn. This can be used to trigger a denial of service attack.pythonimport tensorflow as tfimport numpy as npinputsizes = 3, 1, 1, 2filter =...

7.5CVSS7AI score0.00396EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2 days ago4 views

Apache Superset allows authenticated users to access metadata they have no permission to

Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics...

4.3CVSS5.9AI score0.0126EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities5000