Lucene search
K

7035 matches found

PyPA
PyPA
•added 2019/12/16 9:15 p.m.•10 views

PYSEC-2019-234

In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSum can be produced when the Index template argument is int32. In this case datasize and numsegments fields are truncated from int64 to int32 and can produce negative numbers, resulting in accessing out of bounds heap memory. Thi...

9.8CVSS7.4AI score0.00777EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/12/16 9:15 p.m.•6 views

PYSEC-2019-209

In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSum can be produced when the Index template argument is int32. In this case datasize and numsegments fields are truncated from int64 to int32 and can produce negative numbers, resulting in accessing out of bounds heap memory. Thi...

9.8CVSS7.4AI score0.00777EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/12/15 10:15 p.m.•5 views

PYSEC-2019-200

python-requests-Kerberos through 0.5 does not handle mutual authentication...

9.8CVSS7AI score0.03615EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2019/12/10 8:15 p.m.•9 views

PYSEC-2019-105

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML...

7.5CVSS7.2AI score0.01465EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/12/10 8:15 p.m.•10 views

PYSEC-2019-251

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML...

7.5CVSS7.2AI score0.01465EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/12/10 3:15 p.m.•7 views

PYSEC-2019-161

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass...

9.8CVSS7AI score0.01696EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2019/12/10 3:15 p.m.•7 views

PYSEC-2019-197

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass...

9.8CVSS7AI score0.01764EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2019/12/09 9:15 p.m.•8 views

PYSEC-2019-154

The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294...

5.9CVSS7AI score0.02833EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2019/12/09 6:15 p.m.•7 views

PYSEC-2019-29

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforcescope is false. Users with a role on a project are able to view any other users' credentials,...

8.8CVSS6.5AI score0.0178EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2019/12/05 1:15 a.m.•8 views

PYSEC-2019-134

The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6...

7.8CVSS6.8AI score0.01171EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/12/02 2:15 p.m.•8 views

PYSEC-2019-15

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests,...

6.5CVSS6.8AI score0.01656EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2019/11/29 5:15 p.m.•7 views

PYSEC-2019-135

When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0...

8.8CVSS7AI score0.01162EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/11/27 9:15 a.m.•7 views

PYSEC-2019-28

A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function berscanf was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger...

8.8CVSS7.3AI score0.06329EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2019/11/27 8:15 a.m.•7 views

PYSEC-2019-168

A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with...

6.5CVSS6.6AI score0.01412EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2019/11/27 8:15 a.m.•7 views

PYSEC-2019-22

A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with...

6.5CVSS6.6AI score0.01412EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2019/11/26 3:15 p.m.•6 views

PYSEC-2019-130

typedast 1.3.0 and 1.3.1 has a handlekeywordonlyargs out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source but not necessarily execute it may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that...

7.5CVSS6.9AI score0.03255EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2019/11/26 3:15 p.m.•6 views

PYSEC-2019-131

typedast 1.3.0 and 1.3.1 has an astforarguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source but not necessarily execute it may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that pars...

7.5CVSS6.9AI score0.03255EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2019/11/26 2:15 p.m.•7 views

PYSEC-2019-146

ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None...

6.5CVSS6.9AI score0.01649EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2019/11/26 1:15 p.m.•8 views

PYSEC-2019-177

An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions or no exceptions at all, which could lead to a denial of service...

7.5CVSS6.6AI score0.02505EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/25 4:15 p.m.•7 views

PYSEC-2019-3

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by nolog feature. Some of these fields in GCP modules are not set properly. serviceaccountcontents which is common class for all gcp modules is not setting nolog to True. Any sensitive data manage...

6.5CVSS6.5AI score0.01853EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/11/25 1:15 p.m.•5 views

PYSEC-2019-182

Python keyring has insecure permissions on new databases allowing world-readable files to be created...

6.2CVSS7AI score0.0045EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2019/11/22 3:15 p.m.•7 views

PYSEC-2019-243

Designate does not enforce the DNS protocol limit concerning record set sizes...

6.5CVSS7AI score0.01593EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/22 1:15 p.m.•8 views

PYSEC-2019-145

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them...

6.5CVSS6.9AI score0.01503EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/11/21 3:15 p.m.•6 views

PYSEC-2019-202

python-rply before 0.7.4 insecurely creates temporary files...

5.5CVSS7AI score0.00396EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/11/21 2:15 p.m.•5 views

PYSEC-2019-211

trytond 2.4: ModelView.button fails to validate authorization...

7.5CVSS7AI score0.01763EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/16 1:15 a.m.•7 views

PYSEC-2019-102

Eval injection in the Math plugin of Limnoria before 2019.11.09 and Supybot through 2018-05-09 allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands...

9.8CVSS7.8AI score0.0171EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/12 2:15 p.m.•5 views

PYSEC-2019-212

Python Twisted 14.0 trustRoot is not respected in HTTP client...

7.5CVSS7AI score0.0259EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2019/11/12 2:15 a.m.•7 views

PYSEC-2019-41

psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...

7.5CVSS9.1AI score0.03522EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/08 7:15 p.m.•6 views

PYSEC-2019-195

It was discovered that the C++ implementation which underlies the R, Python and Ruby implementations of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow...

7.5CVSS7.6AI score0.03225EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/11/08 7:15 p.m.•6 views

PYSEC-2019-196

While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory...

7.5CVSS7.6AI score0.04711EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/11/08 12:15 a.m.•9 views

PYSEC-2019-186

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /sendjoin, /sendleave, and /invite may not be correctly signed, or may not come from the expected servers...

9.8CVSS7AI score0.00864EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/11/07 6:15 p.m.•7 views

PYSEC-2019-253

Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers to corrupt mutable files or directories upon retrieval...

7.4CVSS7AI score0.01714EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2019/11/05 10:15 p.m.•5 views

PYSEC-2019-160

The mirroring support -M, --use-mirrors in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks...

5.9CVSS6.9AI score0.07987EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2019/11/04 9:15 p.m.•6 views

PYSEC-2019-175

An eval vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests...

9.8CVSS7AI score0.0304EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2019/11/04 8:15 p.m.•6 views

PYSEC-2019-156

The scipy.weave component in SciPy before 0.12.1 creates insecure temporary directories...

7.8CVSS7AI score0.00427EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2019/10/31 4:15 p.m.•9 views

PYSEC-2019-176

python-docutils allows insecure usage of temporary files...

9.1CVSS7AI score0.01116EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/10/31 3:15 p.m.•6 views

PYSEC-2019-157

Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document...

5.3CVSS6.3AI score0.01443EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/10/30 10:15 p.m.•8 views

PYSEC-2019-216

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process...

4.8CVSS7.3AI score0.01345EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/10/28 5:15 p.m.•8 views

PYSEC-2019-181

Python keyring lib before 0.10 created keyring files with world-readable permissions...

7.5CVSS7AI score0.0146EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/10/21 11:15 p.m.•6 views

PYSEC-2019-213

The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion...

7.5CVSS6.7AI score0.01927EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/10/16 12:15 p.m.•7 views

PYSEC-2019-117

ReportLab through 3.5.26 allows remote code execution because of toColorevalarg in colors.py, as demonstrated by a crafted XML document with '...

9.8CVSS8.1AI score0.10231EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2019/10/14 3:15 p.m.•6 views

PYSEC-2019-171

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argumentspec with sub parameters marked as nolog, passing an invalid parameter name to the module will cause the task to fail before the nolog options in the sub parameters are processe...

7.3CVSS6.7AI score0.00427EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2019/10/14 2:15 a.m.•7 views

PYSEC-2019-241

GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogrexpat.cpp when the 10MB threshold is exceeded...

9.8CVSS7.2AI score0.02577EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2019/10/11 11:15 p.m.•7 views

PYSEC-2019-151

sendemail in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent ...

7.5CVSS7.1AI score0.16948EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/10/09 10:15 p.m.•5 views

PYSEC-2019-183

Koji through 1.18.0 allows remote Directory Traversal, with resultant Privilege Escalation...

6.5CVSS7.1AI score0.02793EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2019/10/09 7:15 p.m.•7 views

PYSEC-2019-247

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimageint.cpp, because there is no validation of the relationship of the total size to the offset and size...

6.5CVSS6.8AI score0.01851EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/10/08 7:15 p.m.•6 views

PYSEC-2019-4

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible...

7.8CVSS6.5AI score0.00509EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2019/10/05 11:15 p.m.•69 views

PYSEC-2019-116

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper aka Redis Wrapper before 0.3.0 allows attackers to execute arbitrary scripts...

9.8CVSS7.5AI score0.03158EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/10/04 10:15 p.m.•6 views

PYSEC-2019-110

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image...

7.5CVSS7AI score0.03154EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2019/10/04 8:15 p.m.•8 views

PYSEC-2019-125

Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM. This could lead to denial of service, elevation of privilege, or unspecified other impact...

7.8CVSS7AI score0.00717EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities7035