Lucene search
K

5613 matches found

PyPA
PyPA
•added 2014/02/18 7:55 p.m.•7 views

PYSEC-2014-12

The OpenStack Python client library for Swift python-swiftclient 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...

5.8CVSS6.6AI score0.00732EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2014/02/14 3:55 p.m.•7 views

PYSEC-2014-102

OpenStack Image Registry and Delivery Service Glance 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading th...

2.6CVSS6.5AI score0.00314EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/02/08 12:55 a.m.•6 views

PYSEC-2014-88

python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate...

4.3CVSS6.8AI score0.00888EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/02/06 5:0 p.m.•6 views

PYSEC-2014-111

The icreateimagesandbacking aka createimagesandbacking method in libvirt driver in OpenStack Compute Nova Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users vi...

7.1CVSS6.9AI score0.02159EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2014/01/28 12:55 a.m.•8 views

PYSEC-2014-117

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS5.8AI score0.00351EPSS
Exploits0References7
PyPA
PyPA
•added 2014/01/28 12:55 a.m.•9 views

PYSEC-2014-95

Race condition in the xdg.BaseDirectory.getruntimedir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once th...

3.3CVSS6.7AI score0.00315EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/01/28 12:55 a.m.•8 views

PYSEC-2014-17

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS6.6AI score0.00351EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/01/23 1:55 a.m.•6 views

PYSEC-2014-116

The TempURL middleware in OpenStack Object Storage Swift 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack...

4.3CVSS6.9AI score0.01895EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2014/01/21 6:55 p.m.•6 views

PYSEC-2014-69

python-keystoneclient before 0.2.4, as used in OpenStack Keystone Folsom, does not properly check expiry for PKI tokens, which allows remote authenticated users to 1 retain use of a token after it has expired, or 2 use a revoked token once it expires...

5.5CVSS6.8AI score0.02064EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/01/21 4:6 p.m.•8 views

PYSEC-2014-64

The isURLInPortal method in the URLTool class in inportal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allowexternalloginsites filtering property, redirect users to...

5.8CVSS6.9AI score0.02264EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2014/01/18 9:55 p.m.•5 views

PYSEC-2014-81

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary...

2.6CVSS6.9AI score0.01324EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2014/01/07 6:55 p.m.•7 views

PYSEC-2014-97

Libcloud 0.12.3 through 0.13.2 does not set the scrubdata parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM...

2.1CVSS6.2AI score0.0206EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2013/12/27 1:55 a.m.•7 views

PYSEC-2013-45

keystone/middleware/authtoken.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova...

2.1CVSS6.6AI score0.00238EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2013/11/18 2:55 a.m.•5 views

PYSEC-2013-28

Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report...

7.8CVSS7.1AI score0.02137EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2013/11/05 6:55 p.m.•5 views

PYSEC-2013-15

The salt master in Salt aka SaltStack 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges...

10CVSS7.1AI score0.03049EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2013/11/05 6:55 p.m.•7 views

PYSEC-2013-14

Salt aka SaltStack before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key...

4.9CVSS6.9AI score0.01473EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2013/11/05 6:55 p.m.•5 views

PYSEC-2013-26

The default configuration for salt-ssh in Salt aka SaltStack 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle MITM attack...

9.3CVSS7.2AI score0.01824EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2013/11/05 6:55 p.m.•9 views

PYSEC-2013-27

Unspecified vulnerability in salt-ssh in Salt aka SaltStack 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."...

10CVSS7AI score0.01458EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2013/11/05 6:55 p.m.•5 views

PYSEC-2013-13

Salt aka SaltStack before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe...

7.5CVSS7.8AI score0.02098EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2013/11/05 6:55 p.m.•5 views

PYSEC-2013-12

Salt aka SaltStack 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine...

6CVSS7.3AI score0.01515EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2013/10/26 5:55 p.m.•5 views

PYSEC-2013-29

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator PRNG before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a...

4.3CVSS6.3AI score0.02007EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2013/10/04 5:55 p.m.•6 views

PYSEC-2013-19

Cross-site scripting XSS vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField...

4.3CVSS6AI score0.0288EPSS
Exploits2References9Affected Software1
PyPA
PyPA
•added 2013/10/04 5:55 p.m.•7 views

PYSEC-2013-21

The issafeurl function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting XSS or other vulnerabilities into Django applications that use this function, a...

4.3CVSS6.2AI score0.02297EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2013/10/01 8:55 p.m.•5 views

PYSEC-2013-24

The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process...

2.1CVSS6.5AI score0.0037EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2013/09/30 9:55 p.m.•7 views

PYSEC-2013-31

The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate...

4.3CVSS6.8AI score0.01197EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2013/09/27 10:8 a.m.•6 views

PYSEC-2013-3

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object...

6.8CVSS8AI score0.38668EPSS
Exploits5References8Affected Software1
PyPA
PyPA
•added 2013/09/27 10:8 a.m.•8 views

PYSEC-2013-34

Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to 1 remotestorage.py, 2 storage.py, 3 render/datalib.py, and 4 whitelist/views.py, a different vulnerability than CVE-2013-5093...

6.8CVSS8.1AI score0.38668EPSS
Exploits5References3Affected Software1
PyPA
PyPA
•added 2013/09/27 10:8 a.m.•8 views

PYSEC-2013-4

Multiple cross-site scripting XSS vulnerabilities in Graphite before 0.9.11 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.0117EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2013/09/23 8:55 p.m.•4 views

PYSEC-2013-33

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/...

1.2CVSS6.8AI score0.00558EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2013/09/23 8:55 p.m.•6 views

PYSEC-2013-32

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/...

1.2CVSS6.8AI score0.00558EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2013/09/23 8:55 p.m.•7 views

PYSEC-2013-42

The 1 mamcache and 2 KVS token backends in OpenStack Identity Keystone Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token...

5CVSS6.9AI score0.02342EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2013/09/23 8:55 p.m.•5 views

PYSEC-2013-18

The authentication framework django.contrib.auth in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service CPU consumption via a long password which is then hashed...

5CVSS7.1AI score0.02661EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2013/09/16 7:14 p.m.•4 views

PYSEC-2013-2

lib/ansible/playbook/init.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/...

3.3CVSS6.6AI score0.00329EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2013/09/16 7:14 p.m.•6 views

PYSEC-2013-1

runner/connectionplugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/...

1.9CVSS6.5AI score0.00339EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2013/09/16 7:14 p.m.•9 views

PYSEC-2013-20

Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWEDINCLUDEROOTS setting followed by a .. dot dot in a ssi template tag...

5CVSS6.9AI score0.03182EPSS
Exploits2References7Affected Software1
PyPA
PyPA
•added 2013/09/16 7:14 p.m.•6 views

PYSEC-2013-35

The clearvolume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors...

2.1CVSS6.2AI score0.00406EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2013/08/28 9:55 p.m.•5 views

PYSEC-2013-11

The Python client library for Glance python-glanceclient before 0.10.0 does not properly check the preverifyok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate and allows...

5.8CVSS6.9AI score0.00986EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2013/08/23 4:55 p.m.•5 views

PYSEC-2013-25

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

5.8CVSS6.9AI score0.01573EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2013/08/17 6:54 a.m.•9 views

PYSEC-2013-9

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory...

2.1CVSS6.7AI score0.00367EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2013/08/15 5:55 p.m.•5 views

PYSEC-2013-30

bson/cbsonmodule.c in the mongo-python-driver aka. pymongo before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service NULL pointer dereference and crash via vectors related to decoding of an "invalid DBRef."...

4.3CVSS6.7AI score0.02633EPSS
Exploits2References10Affected Software1
PyPA
PyPA
•added 2013/08/06 2:52 a.m.•7 views

PYSEC-2013-10

pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation...

6.8CVSS7.8AI score0.02083EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2013/08/06 2:52 a.m.•5 views

PYSEC-2013-22

easyinstall in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product...

6.8CVSS7.8AI score0.01949EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2013/08/06 2:52 a.m.•6 views

PYSEC-2013-8

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation...

6.8CVSS7.8AI score0.06217EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2013/05/21 6:55 p.m.•5 views

PYSEC-2013-40

OpenStack Identity Keystone Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the 1 admintoken and 2 LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file...

2.1CVSS6.5AI score0.00602EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2013/05/21 6:55 p.m.•8 views

PYSEC-2013-41

OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...

6CVSS7AI score0.02468EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2013/05/02 2:55 p.m.•6 views

PYSEC-2013-16

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information...

4CVSS6.7AI score0.01805EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2013/05/02 2:55 p.m.•8 views

PYSEC-2013-17

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service memory consumption or trigger server errors via a modified maxnum parameter...

5CVSS6.9AI score0.02574EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2013/03/22 9:55 p.m.•11 views

PYSEC-2013-46

The v1 API in OpenStack Glance Essex 2012.1, Folsom 2012.2, and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image...

3.5CVSS5.8AI score0.01356EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2013/03/22 9:55 p.m.•6 views

PYSEC-2013-44

OpenStack Compute Nova Grizzly, Folsom 2012.2, and Essex 2012.1 does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service resource exhaustion and failure to spawn new instances via a large number of calls to the addFixedIp function...

4CVSS6.7AI score0.02742EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2013/03/22 9:55 p.m.•7 views

PYSEC-2013-39

OpenStack Keystone Folsom 2012.2 does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token...

6.8CVSS7AI score0.02608EPSS
Exploits0References11Affected Software1
Total number of security vulnerabilities5613