Lucene search
K

4602 matches found

PyPA
PyPA
•added 2018/12/17 7:29 a.m.•9 views

PYSEC-2018-9

DISPUTED OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should ha...

5.3CVSS7AI score0.0111EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2018/12/12 10:29 a.m.•4 views

PYSEC-2018-118

There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimageint.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack...

6.5CVSS6.8AI score0.02287EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2018/12/12 10:29 a.m.•7 views

PYSEC-2018-117

There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack...

6.5CVSS7AI score0.02762EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2018/12/12 10:29 a.m.•7 views

PYSEC-2018-120

There is an infinite loop in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack...

6.5CVSS6.8AI score0.02289EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2018/12/12 10:29 a.m.•7 views

PYSEC-2018-119

There is a heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack...

6.5CVSS7AI score0.02567EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2018/12/11 5:29 p.m.•6 views

PYSEC-2018-32

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect i.e., a redirect that differs in host, port, or scheme. This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext...

9.8CVSS6.9AI score0.04488EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2018/12/02 10:29 a.m.•5 views

PYSEC-2018-12

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to...

6.1CVSS6.5AI score0.06333EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2018/11/29 6:29 p.m.•6 views

PYSEC-2018-60

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext passwor...

4.4CVSS6.7AI score0.00535EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2018/11/27 7:29 a.m.•7 views

PYSEC-2018-143

Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted file...

6.5CVSS6.7AI score0.0217EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2018/11/22 7:29 p.m.•6 views

PYSEC-2018-77

The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a...

5.9CVSS6.8AI score0.00856EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/11/18 5:29 p.m.•8 views

PYSEC-2018-18

Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely...

6.1CVSS6.1AI score0.01323EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/11/18 5:29 p.m.•6 views

PYSEC-2018-17

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py,...

6.1CVSS6.3AI score0.01511EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2018/11/12 2:29 a.m.•9 views

PYSEC-2018-155

Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.executebytecode call that triggers computation.stack.values with '"stack": 100, 100, 0' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed...

8.8CVSS7.4AI score0.02901EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/11/12 2:29 a.m.•7 views

PYSEC-2018-96

Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.executebytecode call that triggers computation.stack.values with '"stack": 100, 100, 0' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed...

8.8CVSS7AI score0.02901EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2018/11/08 8:29 a.m.•5 views

PYSEC-2018-142

In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service infinite loop caused by an integer overflow via a crafted PSD image file...

6.5CVSS7AI score0.01936EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2018/11/08 8:29 a.m.•6 views

PYSEC-2018-141

In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp called from psdimage.cpp in the PSD image reader may suffer from a denial of service heap-based buffer over-read caused by an integer overflow via a crafted PSD image file...

6.5CVSS7.2AI score0.01816EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2018/11/07 2:29 p.m.•6 views

PYSEC-2018-74

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation...

9.8CVSS8.1AI score0.53934EPSS
Exploits5References3Affected Software1
PyPA
PyPA
•added 2018/11/03 4:29 a.m.•6 views

PYSEC-2018-140

There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in Exiv2 0.27-RC1. A crafted input will lead to a remote denial of service attack...

6.5CVSS6.8AI score0.01844EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/11/02 9:29 p.m.•6 views

PYSEC-2018-92

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh privatekeyfilename can take an absolute path, it can be used to...

7.5CVSS6.6AI score0.0152EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/10/30 6:29 p.m.•7 views

PYSEC-2018-85

python-kdcproxy before 0.3.2 allows remote attackers to cause a denial of service via a large POST request...

7.5CVSS6.8AI score0.02174EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/10/24 10:29 p.m.•7 views

PYSEC-2018-29

Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server...

5.3CVSS7AI score0.0424EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2018/10/24 10:29 p.m.•5 views

PYSEC-2018-30

SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-apinetapi...

9.8CVSS8AI score0.05199EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2018/10/24 9:29 p.m.•7 views

PYSEC-2018-107

ajenticp aka Ajenti Docker control panel for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager...

6.1CVSS6.2AI score0.0356EPSS
Exploits5References4Affected Software1
PyPA
PyPA
•added 2018/10/23 3:29 p.m.•6 views

PYSEC-2018-44

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just t...

7.8CVSS6.8AI score0.00354EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2018/10/18 6:29 p.m.•5 views

PYSEC-2018-154

An issue was discovered in libpgquery 10-1.0.2. There is a memory leak in pgqueryrawparse in pgqueryparse.c, which might lead to a denial of service...

6.5CVSS6.8AI score0.0115EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2018/10/15 7:29 p.m.•6 views

PYSEC-2018-47

Cross-site scripting XSS vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

6.1CVSS6AI score0.01924EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2018/10/09 5:29 p.m.•10 views

PYSEC-2018-28

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network...

7.5CVSS6.9AI score0.07443EPSS
Exploits2References10Affected Software1
PyPA
PyPA
•added 2018/10/08 3:29 p.m.•6 views

PYSEC-2018-24

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS 12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends...

5.9CVSS6.8AI score0.01895EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2018/10/08 3:29 p.m.•7 views

PYSEC-2018-69

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity...

8.8CVSS6.9AI score0.04407EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2018/10/08 3:29 p.m.•8 views

PYSEC-2018-20

privacyIDEA version 2.23.1 and earlier contains a Improper Input Validation vulnerability in token validation api that can result in Denial-of-Service. This attack appear to be exploitable via http request with user== to /validate/check url. This vulnerability appears to have been fixed in 2.23.2...

7.5CVSS6.9AI score0.01675EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/10/08 3:29 p.m.•5 views

PYSEC-2018-23

Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on...

8.1CVSS7.7AI score0.04075EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2018/10/04 11:29 p.m.•5 views

PYSEC-2018-91

cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry...

9.1CVSS6.9AI score0.02033EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/10/02 6:29 p.m.•6 views

PYSEC-2018-3

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission new in Django 2.1...

4.9CVSS7.1AI score0.02033EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/09/28 9:29 a.m.•7 views

PYSEC-2018-139

CiffDirectory::readDirectory at crwimageint.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service...

6.5CVSS6.9AI score0.0235EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2018/09/20 8:29 p.m.•8 views

PYSEC-2018-138

An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference...

6.5CVSS7AI score0.02062EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/09/19 10:29 p.m.•8 views

PYSEC-2018-136

Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service heap-based buffer overflow via a crafted image file...

6.5CVSS6.9AI score0.01903EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/09/19 10:29 p.m.•6 views

PYSEC-2018-137

Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service heap-based buffer overflow via a crafted image file...

6.5CVSS6.9AI score0.01903EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/09/18 5:29 p.m.•6 views

PYSEC-2018-67

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields if the schema is being filtered dynamically using the...

5.3CVSS6.8AI score0.01858EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/09/13 2:29 a.m.•7 views

PYSEC-2018-153

Open Chinese Convert OpenCC 1.0.5 allows attackers to cause a denial of service segmentation fault because BinaryDict::NewFromFile in BinaryDict.cpp may have out-of-bounds keyOffset and valueOffset values via a crafted .ocd file...

5.5CVSS6.7AI score0.01046EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2018/09/10 7:29 p.m.•6 views

PYSEC-2018-93

When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from...

6.5CVSS6.6AI score0.02527EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2018/09/10 7:29 p.m.•6 views

PYSEC-2018-94

Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due ...

5.3CVSS6.8AI score0.01173EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/09/05 10:29 p.m.•6 views

PYSEC-2018-65

MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users//edit/, and /accounts//delete/ URIs...

8.8CVSS7AI score0.00638EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2018/09/05 2:29 p.m.•7 views

PYSEC-2018-54

helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL...

6.1CVSS6.2AI score0.01213EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/09/03 7:29 p.m.•8 views

PYSEC-2018-106

An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS...

6.1CVSS7AI score0.01327EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/09/03 7:29 p.m.•6 views

PYSEC-2018-16

An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS...

6.1CVSS7AI score0.01327EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/09/03 7:29 p.m.•7 views

PYSEC-2018-15

An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled...

6.1CVSS6.3AI score0.01209EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/09/03 7:29 p.m.•7 views

PYSEC-2018-14

An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label...

6.1CVSS6.1AI score0.01327EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/09/02 3:29 a.m.•7 views

PYSEC-2018-135

Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service heap-based buffer over-read via a crafted image file, a different vulnerability than CVE-2018-10999...

6.5CVSS7AI score0.0273EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/08/28 7:29 p.m.•9 views

PYSEC-2018-64

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call...

7.8CVSS7.9AI score0.02391EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/08/20 7:31 p.m.•6 views

PYSEC-2018-66

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. Th...

7.5CVSS6.9AI score0.03855EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities4602