7035 matches found
PYSEC-2019-194
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested t...
PYSEC-2019-79
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...
PYSEC-2019-256
In libwebp 0.5.1, there is a double free bug in libwebpmux...
PYSEC-2019-6
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim...
PYSEC-2019-242
Capstone 3.0.4 has an out-of-bounds vulnerability SEGV caused by a read memory access in X86insnregintel in arch/X86/X86Mapping.c...
PYSEC-2019-185
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID...
PYSEC-2019-205
Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent...
PYSEC-2019-223
Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent...
PYSEC-2019-230
Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent...
PYSEC-2019-210
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file...
PYSEC-2019-229
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file...
PYSEC-2019-225
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory...
PYSEC-2019-207
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory...
PYSEC-2019-228
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file...
PYSEC-2019-204
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file...
PYSEC-2019-222
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file...
PYSEC-2019-235
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file...
PYSEC-2019-232
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory...
PYSEC-2019-208
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code local...
PYSEC-2019-226
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code local...
PYSEC-2019-233
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code local...
PYSEC-2019-206
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent...
PYSEC-2019-224
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent...
PYSEC-2019-231
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent...
PYSEC-2019-188
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository...
PYSEC-2019-155
python-dbusmock before version 0.15.1 AddTemplate D-Bus method call or DBusTestCase.spawnservertemplate method could be tricked into executing malicious code if an attacker supplies a .pyc file...
PYSEC-2019-133
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use o...
PYSEC-2019-198
OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authenticatio...
PYSEC-2019-132
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter...
PYSEC-2019-215
A number of HTTP endpoints in the Airflow webserver both RBAC and classic did not have adequate protection and were vulnerable to cross-site request forgery attacks...
PYSEC-2019-214
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views...
PYSEC-2019-220
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape...
PYSEC-2019-217
In Pallets Jinja before 2.10.1, str.formatmap allows a sandbox escape...
PYSEC-2019-201
Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgihandler.py mishandle 404 errors...
PYSEC-2019-189
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those...
PYSEC-2019-127
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values...
PYSEC-2019-158
In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255...
PYSEC-2019-107
nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries aka nnabla through v1.0.14 relies on the HOME environment variable, which might be untrusted...
PYSEC-2019-165
The Serialize.deserialize method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client when they receive...
PYSEC-2019-166
The Serialize.deserialize method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library e.g., the standard CoAP server, CoAP client, example collect CoAP server and client when they receive crafted CoAP messages...
PYSEC-2019-5
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path...
PYSEC-2019-193
In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowi...
PYSEC-2019-78
A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated...
PYSEC-2019-180
A code injection issue was discovered in ipycache through 2016-05-31...
PYSEC-2019-21
An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collectyaml method in configobj.py. It can execute arbitrary Python commands, resulting in command execution...
PYSEC-2019-203
Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks...
PYSEC-2019-115
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting...
PYSEC-2019-187
Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...
PYSEC-2019-190
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option for example, VRRP, an...
PYSEC-2019-159
An XSSI cross-site inclusion vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of erro...