Lucene search
K

4602 matches found

PyPA
PyPA
•added 2018/08/20 1:29 p.m.•7 views

PYSEC-2018-99

pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks...

7.5CVSS7.1AI score0.02188EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/08/20 12:29 a.m.•7 views

PYSEC-2018-21

PyCryptodome before 3.6.6 has an integer overflow in the datalen variable in AESNI.c, related to the AESNIencrypt and AESNIdecrypt functions, leading to the mishandling of messages shorter than 16 bytes...

7.5CVSS7.2AI score0.0174EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/08/10 3:29 p.m.•9 views

PYSEC-2018-1

Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles...

6.1CVSS7.1AI score0.00463EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2018/08/06 1:29 p.m.•8 views

PYSEC-2018-45

It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to...

6.1CVSS6.3AI score0.02003EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2018/08/03 5:29 p.m.•7 views

PYSEC-2018-2

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect...

6.1CVSS7AI score0.2549EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2018/08/01 6:29 p.m.•7 views

PYSEC-2018-98

A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL at least it is possible to perform updates/inserts/deletes and database...

9.1CVSS7.9AI score0.02336EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2018/07/31 9:29 p.m.•5 views

PYSEC-2018-37

A flaw was found in Ansible before version 2.2.0. The aptkey module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key...

7.5CVSS6.6AI score0.02458EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2018/07/31 8:29 p.m.•5 views

PYSEC-2018-38

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as...

9.1CVSS7.5AI score0.03253EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/07/30 5:29 p.m.•7 views

PYSEC-2018-102

A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials...

8.8CVSS6.8AI score0.0087EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2018/07/30 4:29 p.m.•8 views

PYSEC-2018-52

A flaw was found in python-cryptography versions between =1.9.0 and 2.3. The finalizewithtag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalizewithtag an attacker could craft an invalid payload with a shortened tag e.g. 1 byte suc...

7.5CVSS6.4AI score0.02605EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2018/07/26 2:29 p.m.•8 views

PYSEC-2018-58

An input validation vulnerability was found in Ansible's mysqluser module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed...

4.9CVSS6.9AI score0.01428EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/07/23 8:29 a.m.•7 views

PYSEC-2018-63

An issue was discovered in aubio 0.4.6. A buffer over-read can occur in newaubiopitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes...

8.8CVSS7.2AI score0.01966EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/07/23 8:29 a.m.•6 views

PYSEC-2018-61

An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubiosourceavcodecreadframe in io/sourceavcodec.c, as demonstrated by aubiomfcc...

8.8CVSS7AI score0.01498EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2018/07/23 8:29 a.m.•6 views

PYSEC-2018-62

An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubiopitchsetunit in pitch/pitch.c, as demonstrated by aubionotes...

8.8CVSS7AI score0.01948EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/07/22 6:29 p.m.•5 views

PYSEC-2018-56

mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py...

8.8CVSS6.9AI score0.03348EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/07/19 1:29 p.m.•8 views

PYSEC-2018-41

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2...

9.8CVSS7.5AI score0.04617EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2018/07/19 1:29 p.m.•7 views

PYSEC-2018-152

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...

7.2CVSS6.7AI score0.02106EPSS
Exploits1References13Affected Software1
PyPA
PyPA
•added 2018/07/17 12:29 p.m.•6 views

PYSEC-2018-134

samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath function on POSIX platforms other than Apple platforms where glibc is not used, possibly leading to a buffer overflow...

8.1CVSS7.2AI score0.01433EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/07/13 10:29 p.m.•12 views

PYSEC-2018-43

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code...

7.8CVSS7.1AI score0.00587EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2018/07/13 3:29 p.m.•6 views

PYSEC-2018-133

Exiv2 0.26 has a heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp...

8.8CVSS7.2AI score0.01688EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/07/12 1:29 p.m.•7 views

PYSEC-2018-25

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application...

4.7CVSS6.6AI score0.00504EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/07/12 12:29 p.m.•6 views

PYSEC-2018-27

qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access 'qute://' URLs. A malicious website could exploit this to load a 'qute://settings/set' URL, which then sets 'editor.command' to a bash script, resulting in arbitrary code execution...

9.3CVSS7.3AI score0.01187EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/07/06 12:29 a.m.•6 views

PYSEC-2018-89

mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002...

9.8CVSS7AI score0.02643EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2018/07/06 12:29 a.m.•6 views

PYSEC-2018-88

The mpatchapply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004...

7.5CVSS6.9AI score0.02337EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2018/07/06 12:29 a.m.•8 views

PYSEC-2018-90

The mpatchdecode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001...

7.5CVSS6.9AI score0.02087EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2018/07/03 1:29 a.m.•7 views

PYSEC-2018-42

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the nolog task flag for failed tasks. When the nolog flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on th...

5.9CVSS6.7AI score0.03088EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2018/07/02 1:29 p.m.•6 views

PYSEC-2018-81

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result...

7.8CVSS7.6AI score0.00485EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2018/06/27 12:29 p.m.•8 views

PYSEC-2018-49

In PyYAML before 5.1, the yaml.load API could execute arbitrary code if used with untrusted data. The load function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function...

9.8CVSS9.4AI score0.06031EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•9 views

PYSEC-2018-80

aio-libs aiohttp-session contains a Session Fixation vulnerability in loadsession function for RedisStorage see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttpsession/redisstorage.pyL42 that can result in Session Hijacking. This attack appear to be exploitable via Any method that...

6.5CVSS6.9AI score0.01181EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•7 views

PYSEC-2018-149

The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user's input, which would allow for cross-site scripting XSS attacks. In this form of attack,...

6.1CVSS6.6AI score0.01042EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•9 views

PYSEC-2018-76

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attac...

8.1CVSS7.4AI score0.01155EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•4 views

PYSEC-2018-26

qutebrowser version introduced in v0.11.0 1179ee7a937fb31414d77d9970bac21095358449 contains a Cross Site Scripting XSS vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be...

6.1CVSS6AI score0.01483EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/06/26 4:29 p.m.•5 views

PYSEC-2018-79

aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data Data Amplification vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appear to be exploitable via Sendi...

7.5CVSS6.9AI score0.01818EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2018/06/22 1:29 p.m.•6 views

PYSEC-2018-40

Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the...

8.5CVSS7.8AI score0.03157EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2018/06/17 8:29 p.m.•10 views

PYSEC-2018-116

Cross-site scripting XSS vulnerability in Airbnb Knowledge Repo 0.7.4 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/newreport.kp URI...

6.1CVSS6.1AI score0.01315EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2018/06/13 10:29 p.m.•21 views

PYSEC-2018-95

An issue was discovered in Yelp OSXCollector. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious...

7.8CVSS7.2AI score0.00857EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2018/06/13 11:29 a.m.•8 views

PYSEC-2018-131

Exiv2 0.26 has integer overflows in LoaderTiff::getData in preview.cpp, leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp...

8.8CVSS7AI score0.02891EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2018/06/13 11:29 a.m.•7 views

PYSEC-2018-132

Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in preview.cpp, leading to an out-of-bounds read in Exiv2::MemIo::read in basicio.cpp...

8.8CVSS7.2AI score0.02891EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2018/06/01 7:29 p.m.•7 views

PYSEC-2018-150

Hyperledger Iroha versions v1.0beta and v1.0.0beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes...

7.5CVSS7AI score0.00816EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2018/05/29 7:29 a.m.•5 views

PYSEC-2018-130

Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp...

9.8CVSS7.5AI score0.0296EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2018/05/14 3:29 a.m.•7 views

PYSEC-2018-129

In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file...

6.5CVSS6.7AI score0.02363EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2018/05/12 4:29 a.m.•8 views

PYSEC-2018-128

An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read...

6.5CVSS7.3AI score0.02433EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2018/05/12 4:29 a.m.•6 views

PYSEC-2018-127

An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service SIGABRT by triggering an incorrect Safe::add call...

6.5CVSS6.9AI score0.02467EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2018/05/10 2:29 a.m.•7 views

PYSEC-2018-126

In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call...

6.5CVSS6.9AI score0.02524EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2018/05/08 5:29 p.m.•6 views

PYSEC-2018-104

python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component...

5.9CVSS6.4AI score0.00467EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2018/05/07 7:29 a.m.•8 views

PYSEC-2018-125

Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer over-read...

6.5CVSS7.2AI score0.00978EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2018/05/04 8:29 p.m.•5 views

PYSEC-2018-36

Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys...

7.4CVSS6.8AI score0.01963EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2018/04/24 4:29 p.m.•9 views

PYSEC-2018-39

Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute...

9.3CVSS7.8AI score0.1765EPSS
Exploits5References10Affected Software1
PyPA
PyPA
•added 2018/04/23 10:29 p.m.•6 views

PYSEC-2018-50

In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master...

9.8CVSS7AI score0.014EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2018/04/18 7:29 p.m.•4 views

PYSEC-2018-55

gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "processheaders" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been...

7.5CVSS7.1AI score0.02431EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities4602