Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
•added 2022/01/01 1:15 a.m.•4 views

PYSEC-2022-43065

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment...

5.5CVSS7.5AI score0.01491EPSS
Exploits1References20Affected Software1
PyPA
PyPA
•added 2021/12/29 5:15 p.m.•4 views

PYSEC-2021-858

This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends result stores. When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery...

7.5CVSS7.5AI score0.03877EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/12/26 5:15 a.m.•4 views

PYSEC-2021-868

An issue was discovered in splitregion in uc.c in Unicorn Engine before 2.0.0-rc5. It allows local attackers to escape the sandbox. An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability. The specific flaw exists within the...

8.1CVSS7.7AI score0.00528EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/12/23 6:15 p.m.•4 views

PYSEC-2021-874

pytorch-lightning is vulnerable to Deserialization of Untrusted Data...

7.8CVSS7AI score0.00978EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/12/01 2:15 p.m.•4 views

PYSEC-2021-841

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...

5.4CVSS6.2AI score0.00493EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/23 9:15 p.m.•4 views

PYSEC-2021-839

Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash ../� sequences and its variations or by using absolute file paths, it may ...

8.6CVSS7.1AI score0.01846EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2021/11/13 9:15 a.m.•4 views

PYSEC-2021-430

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...

8.8CVSS6.7AI score0.0098EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•4 views

PYSEC-2021-419

TensorFlow is an open source platform for machine learning. In affected versions the ImmutableConst operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the tstring TensorFlow string class has a special case for memory mapped strings but the operation...

6.6CVSS7.1AI score0.0023EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•4 views

PYSEC-2021-408

TensorFlow is an open source platform for machine learning. In affected versions the shape inference function for Transpose is vulnerable to a heap buffer overflow. This occurs whenever perm contains negative elements. The shape inference function does not validate that the indices in perm are al...

7.8CVSS7.3AI score0.00156EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•4 views

PYSEC-2021-630

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the Cudnn operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the input, inputh and inputc parameters are n...

7.8CVSS7.5AI score0.00214EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 11:15 p.m.•4 views

PYSEC-2021-828

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the Cudnn operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the input, inputh and inputc parameters are n...

7.8CVSS7.5AI score0.00214EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-616

TensorFlow is an open source platform for machine learning. In affected versions the implementation of ParallelConcat misses some input validation and can produce a division by 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow...

5.5CVSS6.9AI score0.00136EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-847

TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or CHECK-fail related crashes...

7.8CVSS7.1AI score0.00174EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-814

TensorFlow is an open source platform for machine learning. In affected versions the implementation of ParallelConcat misses some input validation and can produce a division by 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow...

5.5CVSS6.9AI score0.00136EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-627

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for AllToAll can be made to execute a division by 0. This occurs whenever the splitcount argument is 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on...

5.5CVSS7.4AI score0.00128EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-401

TensorFlow is an open source platform for machine learning. In affected versions the implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1,...

5.5CVSS6.9AI score0.00136EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-618

TensorFlow is an open source platform for machine learning. In affected versions the implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1,...

5.5CVSS6.9AI score0.00136EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-825

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for AllToAll can be made to execute a division by 0. This occurs whenever the splitcount argument is 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on...

5.5CVSS7.4AI score0.00128EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 10:15 p.m.•4 views

PYSEC-2021-617

TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service via dereferencing nullptrs or via CHECK-failures as well as abuse undefined behavior binding...

8.8CVSS7.1AI score0.00168EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•4 views

PYSEC-2021-615

TensorFlow is an open source platform for machine learning. In affected versions the shape inference functions for the QuantizeAndDequantizeV operations can trigger a read outside of bounds of heap allocated array. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit ...

7.1CVSS6.9AI score0.00148EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/11/05 9:15 p.m.•4 views

PYSEC-2021-633

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseFillEmptyRows can be made to trigger a heap OOB access. This occurs whenever the size of indices does not match the size of values. The fix will be included in TensorFlow 2.7.0. We will al...

7.1CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/11/05 8:15 p.m.•4 views

PYSEC-2021-805

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow allows tensor to have a large number of dimensions and each dimension can be as large as desired. However, the total number of elements in a tensor must fit within an int64t. If an overflow occurs,...

5.5CVSS7.1AI score0.00307EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2021/11/05 8:15 p.m.•4 views

PYSEC-2021-606

TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to the TensorFlow's implementation of pooling operations where the values in the sliding window...

5.5CVSS6.9AI score0.0023EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/11/05 8:15 p.m.•4 views

PYSEC-2021-806

TensorFlow is an open source platform for machine learning. In affected versions if tf.tile is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. The number of elements in the output tensor is too much for the int64t type and th...

5.5CVSS7.2AI score0.0023EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/11/04 6:15 p.m.•4 views

PYSEC-2021-386

JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials for the single-user server only, not the Hub reinstated...

7.5CVSS6.9AI score0.00778EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/10/05 9:15 p.m.•4 views

PYSEC-2021-364

Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use HttpAuthMiddleware i.e. the httpuser and httppass spider attributes for Splash authentication will have any non-Splash request expose your credentials to the request target. This includ...

7.5CVSS7.1AI score0.01077EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/10/04 6:15 a.m.•4 views

PYSEC-2021-374

Cobbler before 3.3.0 allows arbitrary file write operations via uploadlogdata...

7.5CVSS7.2AI score0.68635EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/10/04 6:15 a.m.•4 views

PYSEC-2021-373

Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection...

9.8CVSS7.3AI score0.88482EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/09/22 12:15 p.m.•4 views

PYSEC-2021-358

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters...

7.1CVSS6.6AI score0.00854EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/09/20 5:15 p.m.•4 views

PYSEC-2021-333

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. On...

7.5CVSS7.8AI score0.02134EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/09/16 3:15 p.m.•4 views

PYSEC-2021-328

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of...

9.8CVSS6.9AI score0.01093EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2021/09/10 10:15 p.m.•4 views

PYSEC-2021-330

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0...

9.8CVSS8AI score0.17353EPSS
Exploits4References4Affected Software1
PyPA
PyPA
•added 2021/08/31 4:15 p.m.•4 views

PYSEC-2021-424

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable...

3.5CVSS6.4AI score0.00892EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/08/25 6:15 p.m.•4 views

PYSEC-2021-315

nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade...

9.6CVSS7.5AI score0.0173EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/23 10:15 p.m.•4 views

PYSEC-2021-883

An invalid memory access in the decode function in iptc.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service DOS via a crafted tif file...

6.5CVSS6.7AI score0.01332EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/08/23 1:15 a.m.•4 views

PYSEC-2021-121

An XML external entity XXE injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected...

7.5CVSS7.3AI score0.01524EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/18 6:15 p.m.•4 views

PYSEC-2021-120

Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped...

6.1CVSS6.4AI score0.00699EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/16 6:15 p.m.•4 views

PYSEC-2021-143

Cross Site Scripting XSS in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'...

6.1CVSS7AI score0.01312EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/08/13 9:15 p.m.•4 views

PYSEC-2021-344

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a...

10CVSS7.4AI score0.02415EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/08/13 12:15 a.m.•4 views

PYSEC-2021-801

TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions, some functions such as MutableHashTableShape produce extra output information in the form of a ShapeAndType struct. The shapes embedded in this struct are owned by an inferenc...

6.6CVSS6.9AI score0.00163EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/13 12:15 a.m.•4 views

PYSEC-2021-603

TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions, some functions such as MutableHashTableShape produce extra output information in the form of a ShapeAndType struct. The shapes embedded in this struct are owned by an inferenc...

6.6CVSS6.9AI score0.00163EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-597

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0. We have patched the issue in GitHub commit...

5.5CVSS6.9AI score0.00138EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-292

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.rawops.UpperBound. The implementation does not validate the rank of sortedinput...

5.5CVSS6.9AI score0.00169EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-586

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a CHECK-fail in tf.rawops.MapStage. The implementation does not check that the key input is a valid non-empty tensor. We have patched the issue in GitHub...

5.5CVSS6.8AI score0.00154EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-301

TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a tf.mapfn within another tf.mapfn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tens...

7.8CVSS7.2AI score0.00181EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-307

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's expanddims.cc contains a vulnerability which allows reading one element outside of bounds of heap allocated data. If axis is a large negative value e.g., -100000, then after the first if it would...

5.5CVSS6.9AI score0.00172EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-789

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses yaml.unsafeload which can perform arbitrary code execution...

9.3CVSS7.9AI score0.00451EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-785

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a segmentation fault in tf.rawops.MaxPoolGrad caused by missing validation. The implementation misses some validation for the originput and origoutput tensor...

7.8CVSS6.8AI score0.00214EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-605

TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, C.TFTStringDealloc is called during garbage collection within a finalizer function. However, tensor...

5.5CVSS7.1AI score0.00172EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2021/08/12 11:15 p.m.•4 views

PYSEC-2021-287

TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap...

7.8CVSS7AI score0.00185EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000