Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added yesterday•4 views

TensorFlow has null dereference on ParallelConcat with XLA

ImpactWhen running with XLA, tf.rawops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero.pythonimport tensorflow as tffunc = tf.rawops.ParallelConcatpara = 'shape': 0, 'values': [email protected]=Truedef test: y = funcpa...

7.5CVSS6.7AI score0.00391EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`

ImpactWhen using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their...

7.6CVSS6.9AI score0.00641EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Saleor has Staff-Authenticated Error Message Information Disclosure Vulnerability via Python Exceptions

ImpactSome internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests.This issue has been patched in versions 3.1.48, 3.7.59, 3.8.30, 3.9.27, 3.10.14...

6.5CVSS6.3AI score0.00817EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added yesterday•4 views

openstack-neutron uncontrolled resource consumption flaw

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significa...

6.5CVSS6.5AI score0.01056EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added yesterday•4 views

Open redirect in web2py

Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack...

6.1CVSS6.3AI score0.02382EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling

HTTP Response Smuggling vulnerability in Apache HTTP Server via modproxyuwsgi. This issue affects Apache HTTP Server from 2.4.30 through 2.4.55 and the uWSGI PyPI package prior to version 2.0.22. Special characters in the origin response header can truncate/split the response forwarded to the...

7.5CVSS7.1AI score0.02134EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added yesterday•4 views

Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and...

7.4CVSS6.9AI score0.59501EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added yesterday•4 views

Improper Restriction of Excessive Authentication Attempts in modoboa

Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4...

7.8CVSS7AI score0.00653EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Path traversal in binwalk

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 inclusive. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode -e option. Remo...

7.8CVSS7.3AI score0.22013EPSS
Exploits8References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

OpenStack Swift XML external entities (XXE) Injection

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data...

6.5CVSS6.9AI score0.01001EPSS
Exploits1References16Affected Software1
PyPA
PyPA
•added yesterday•4 views

Improper Input Validation in pyload-ng

Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40...

7.5CVSS6.5AI score0.00816EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache AGE: Python and Golang drivers allow data manipulation and exposure due to SQL injection

There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition t...

8.1CVSS7.1AI score0.00948EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

Denial of service vulnerability on Password reset page

ImpactPrevious versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may stra...

7.5CVSS6.8AI score0.00908EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added yesterday•4 views

Cross-site Scripting in pyload-ng

Cross-site Scripting XSS - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42...

9.6CVSS6.8AI score0.00822EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1...

7.5CVSS7.1AI score0.01499EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

OpenStack Cinder, glance, and Nova vulnerable to Path Traversal

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, a...

5.7CVSS6.8AI score0.01025EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added yesterday•4 views

sviehb/jefferson vulnerable to path traversal

A vulnerability has been found in the sviehb/jefferson JFFS2 filesystem extraction tool. This vulnerability affects unknown code of the file src/scripts/jefferson. The manipulation leads to path traversal. The attack can be initiated remotely. Upgrading to version 0.4 is able to address this issu...

7.5CVSS5.7AI score0.0074EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added yesterday•4 views

pgAdmin 4 Open Redirect vulnerability

Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL...

6.1CVSS6.3AI score0.0091EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added yesterday•4 views

nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRFCOOKIEHTTPONLY leads to cookie without httponly flag. It is possible to...

5.3CVSS4.8AI score0.00612EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added yesterday•4 views

pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames

Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33...

6.1CVSS6AI score0.00456EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Pyload Insufficient Session Expiration vulnerability

Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36...

8.3CVSS6.8AI score0.00655EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is...

5.3CVSS6AI score0.00436EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Superset's SQL Alchemy connector vulnerable to SQL Injection

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the featur...

5.4CVSS6.2AI score0.01194EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Superset vulnerable to Cross-Site Request Forgery via legacy REST API endpoints

Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

8.8CVSS6.4AI score0.00567EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Superset vulnerable to Cross-site Scripting

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.4CVSS6.1AI score0.0124EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Superset is vulnerable to Cross-Site Scripting (XSS)

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.4CVSS6.1AI score0.01302EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Superset has Improper Access Control

When explicitly enabling the feature flag DASHBOARDCACHE disabled by default, the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.3CVSS6.1AI score0.01229EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

binwalk vulnerable to UNIX Symbolic Link (Symlink) Following

A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the...

6.5CVSS5.3AI score0.01933EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added yesterday•4 views

Segfault in `CompositeTensorVariantToComponents`

ImpactAn input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.rawops.CompositeTensorVariantToComponents.pythonimport tensorflow as tfencode = tf.rawops.EmptyTensorListelementdtype=tf.int32, elementshape=10, 15, maxnumelements=2meta=...

7.5CVSS7AI score0.0049EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added yesterday•4 views

`MirrorPadGrad` heap out of bounds read

ImpactIf MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error.pythonimport tensorflow as tftf.rawops.MirrorPadGradinput=1, paddings=0x77f00000,0xa000000, mode = 'REFLECT' PatchesWe have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92.The...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Overflow in `ResizeNearestNeighborGrad`

ImpactWhen tf.rawops.ResizeNearestNeighborGrad is given a large size input, it overflows.import tensorflow as tfaligncorners = Truehalfpixelcenters = Falsegrads = tf.constant1, shape=1,8,16,3, dtype=tf.float16size = tf.constant1879048192,1879048192, shape=2,...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

`CHECK_EQ` fail via input in `SparseMatrixNNZ`

ImpactAn input sparsematrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.rawops.SparseMatrixNNZ.pythonimport tensorflow as tftf.rawops.SparseMatrixNNZsparsematrix= PatchesWe have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693.The fix...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

`CHECK` fail via inputs in `SdcaOptimizer`

ImpactInputs densefeatures or examplestatedata not of rank 2 will trigger a CHECK fail in SdcaOptimizer.pythonimport tensorflow as tftf.rawops.SdcaOptimizer sparseexampleindices=4 tf.random.uniform5,5,5,3, dtype=tf.dtypes.int64, maxval=100, sparsefeatureindices=4 tf.random.uniform5,5,5,3,...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Out of bounds write in grappler in Tensorflow

ImpactThe function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. PatchesWe have patched the issue in GitHub commit...

9.1CVSS7.2AI score0.00449EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Heap overflow in `QuantizeAndDequantizeV2`

ImpactThe function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered.pythonimport tensorflow as [email protected] test:...

9.1CVSS7.2AI score0.00401EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite

ImpactThe reference kernel of the CONV3DTRANSPOSE TensorFlow Lite operator wrongly increments the dataptr when adding the bias to the result.Instead of dataptr += numchannels; it should be dataptr += outputnumchannels; as if the number of input channels is different than the number of output...

8.1CVSS7.3AI score0.00523EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

`CHECK_EQ` fail in `tf.raw_ops.TensorListResize`

ImpactIf tf.rawops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack.pythonimport numpy as npimport tensorflow as tfa = datastructures.tftensorlistnewelements = tf.constantvalue=3, 4, 5b = np.zeros0, 2, 3,...

7.5CVSS7AI score0.00439EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

`CHECK` fail via inputs in `SparseFillEmptyRowsGrad`

ImpactIf SparseFillEmptyRowsGrad is given empty inputs, TensorFlow will crash.pythonimport tensorflow as tftf.rawops.SparseFillEmptyRowsGrad reverseindexmap=, gradvalues=, name=None PatchesWe have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8.The fix will be included...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

`tf.raw_ops.Mfcc` crashes

ImpactIf ThreadUnsafeUnigramCandidateSampler is given input filterbankchannelcount greater than the allowed max size, TensorFlow will crash.pythonimport tensorflow as tftf.rawops.Mfcc spectrogram = 1.38, 6.32, 5.75, 9.51, samplerate = 2, upperfrequencylimit = 5.0, lowerfrequencylimit = 1.0,...

7.5CVSS7AI score0.0044EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Cross-site Scripting in kiwitcms

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a UI redressing attack clickjacking and an HTML injection which disables the use of the history page...

7.1CVSS6.7AI score0.00454EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added yesterday•4 views

Lin CMS vulnerable to Improper Authentication

An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator...

6.6CVSS6.7AI score0.01016EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Segfault via invalid attributes in `pywrap_tfe_src.cc`

ImpactIf a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extractvolumepatches by passing in quantized tensors as input ksizes.pythonimport numpy as npimport...

7.5CVSS7AI score0.00404EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Overflow in `tf.keras.losses.poisson`

Impacttf.keras.losses.poisson receives a ypred and ytrue that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment.pythonimport numpy as npimport tensorflow as tftruevalue =...

7.5CVSS7AI score0.0044EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added yesterday•4 views

FPE in `tf.image.generate_bounding_box_proposals`

ImpactWhen running on GPU, tf.image.generateboundingboxproposals receives a scores input that must be of rank 4 but is not checked.pythonimport tensorflow as tfa = tf.constantvalue=1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0b =...

7.5CVSS7AI score0.00439EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or...

8.1CVSS7.2AI score0.00704EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Overflow in `FusedResizeAndPadConv2D`

ImpactWhen tf.rawops.FusedResizeAndPadConv2D is given a large tensor shape, it overflows.pythonimport tensorflow as tfmode = "REFLECT"strides = 1, 1, 1, 1padding = "SAME"resizealigncorners = Falseinput = tf.constant147, shape=3,3,1,1, dtype=tf.float16size = tf.constant1879048192,1879048192,...

7.5CVSS6.9AI score0.0043EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Segfault in `tf.raw_ops.TensorListConcat`

ImpactIf tf.rawops.TensorListConcat is given elementshape=, it results segmentation fault which can be used to trigger a denial of service attack.pythonimport tensorflow as tftf.rawops.TensorListConcat inputhandle=tf.data.experimental.tovarianttf.data.Dataset.fromtensorslices1, 2, 3,...

7.5CVSS7AI score0.0043EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

Seg fault in `ndarray_tensor_bridge` due to zero and large inputs

ImpactIf a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. E.g. the following raises an error:pythonnp.ones0, 231, 231An example of a proof of concept:pythonimport numpy as npimport tensorflow as tfinputval =...

7.5CVSS6.9AI score0.0033EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•4 views

Overflow in `ImageProjectiveTransformV2`

ImpactWhen tf.rawops.ImageProjectiveTransformV2 is given a large output shape, it overflows.pythonimport tensorflow as tfinterpolation = "BILINEAR"fillmode = "REFLECT"images = tf.constant0.184634328, shape=2,5,8,3, dtype=tf.float32transforms = tf.constant0.378575385, shape=2,8,...

7.5CVSS7AI score0.0043EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added yesterday•4 views

snowflake-connector-python is vulnerable to Regular Expression Denial of Service (ReDoS)

An exponential ReDoS Regular Expression Denial of Service can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the getfiletransfertype method...

7.5CVSS7.2AI score0.00816EPSS
Exploits1References8Affected Software1
Total number of security vulnerabilities5000