Lucene search
K

4602 matches found

PyPA
PyPA
•added 2017/12/29 3:29 p.m.•5 views

PYSEC-2017-18

Cross-site scripting XSS vulnerability in the keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument...

6.1CVSS6.1AI score0.02198EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/12/13 10:29 p.m.•6 views

PYSEC-2017-140

There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunkint.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack...

5.5CVSS7AI score0.01598EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2017/12/12 1:29 a.m.•6 views

PYSEC-2017-76

A NULL pointer dereference DoS Vulnerability was found in the function aubiosourceavcodecreadframe in io/sourceavcodec.c of aubio 0.4.6, which may lead to DoS when playing a crafted audio file...

5.5CVSS6.7AI score0.00739EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2017/12/12 1:29 a.m.•5 views

PYSEC-2017-77

The swriaudioconvert function in audioconvert.c in FFmpeg libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products, allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted audio file...

6.5CVSS6.7AI score0.01055EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2017/12/07 6:29 p.m.•6 views

PYSEC-2017-90

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be...

10CVSS7.4AI score0.06331EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2017/11/29 7:29 a.m.•5 views

PYSEC-2017-75

In aubio 0.4.6, a divide-by-zero error exists in the function newaubiosourcewavread in sourcewavread.c, which may lead to DoS when playing a crafted audio file...

5.5CVSS6.8AI score0.00835EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2017/11/27 10:29 a.m.•8 views

PYSEC-2017-149

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117...

9.3CVSS7.1AI score0.05978EPSS
Exploits0References8
PyPA
PyPA
•added 2017/11/21 5:29 p.m.•7 views

PYSEC-2017-4

A flaw was found in the way Ansible 2.3.x before 2.3.3, and 2.4.x before 2.4.1 passed certain parameters to the jenkinsplugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in th...

9.8CVSS6.4AI score0.0353EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/11/21 1:29 p.m.•9 views

PYSEC-2017-84

An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving unhashed tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allow...

9.8CVSS7.1AI score0.08354EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/11/17 10:29 p.m.•5 views

PYSEC-2017-115

exiv2 0.26 contains a Stack out of bounds read in webp parser...

5.5CVSS6.9AI score0.01062EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/11/17 10:29 p.m.•4 views

PYSEC-2017-116

Exiv2 0.26 contains a heap buffer overflow in tiff parser...

5.5CVSS7.5AI score0.00992EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/11/17 10:29 p.m.•7 views

PYSEC-2017-117

Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser...

5.5CVSS6.9AI score0.01119EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/11/17 4:29 a.m.•5 views

PYSEC-2017-26

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data...

5.3CVSS6.9AI score0.00905EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2017/11/13 5:29 p.m.•6 views

PYSEC-2017-68

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result in compromise of API keys or other critical resources...

9.8CVSS7AI score0.02594EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/11/10 9:29 a.m.•6 views

PYSEC-2017-40

Sanic before 0.5.1 allows reading arbitrary files with directory traversal, as demonstrated by the /static/..%2f substring...

7.5CVSS7.1AI score0.02426EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2017/11/10 9:29 a.m.•7 views

PYSEC-2017-79

An exploitable vulnerability exists in the YAML parsing functionality in the readyamlfile method in ioutils.py in djangomakeapp 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability...

9.8CVSS8AI score0.03098EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2017/11/10 9:29 a.m.•6 views

PYSEC-2017-78

An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from "/.confire.yaml" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An...

9.8CVSS8AI score0.04435EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2017/11/08 3:29 a.m.•5 views

PYSEC-2017-23

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safeload should have been used. An attacker can...

9.8CVSS8AI score0.03589EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/11/08 3:29 a.m.•8 views

PYSEC-2017-22

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file aka loadyaml or loadyamlf can execute arbitrary Python commands resulting in command execution because load is used where safeload should have been used. An...

9.8CVSS7.9AI score0.04435EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2017/11/08 3:29 a.m.•6 views

PYSEC-2017-19

An exploitable vulnerability exists in the YAML parsing functionality in the parseyamlquery method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where...

9.8CVSS8AI score0.03415EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/11/06 5:29 p.m.•5 views

PYSEC-2017-73

sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain privileges via a symlink attack on an archive file in a temporary directory, as demonstrated by sosreport-$hostname-$date.tar in /tmp/sosreport-$hostname-$date...

7.8CVSS6.6AI score0.00438EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2017/10/29 8:29 p.m.•5 views

PYSEC-2017-12

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117...

9.8CVSS7.8AI score0.03394EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/10/24 5:29 p.m.•7 views

PYSEC-2017-36

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an...

9.8CVSS6.9AI score0.04629EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2017/10/24 5:29 p.m.•4 views

PYSEC-2017-37

SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request...

7.5CVSS6.9AI score0.02739EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2017/10/23 4:29 p.m.•8 views

PYSEC-2017-43

Cross-site scripting XSS vulnerability in the renderfull function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 as used in Pallets Flask and other products allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message...

6.1CVSS6AI score0.01985EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/10/19 8:29 a.m.•8 views

PYSEC-2017-80

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

6.1CVSS6.2AI score0.00923EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/10/10 4:29 p.m.•8 views

PYSEC-2017-70

salt before 2015.5.5 leaks git usernames and passwords to the log...

6.3CVSS7AI score0.01227EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/10/06 5:29 p.m.•8 views

PYSEC-2017-144

Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission...

7.5CVSS7AI score0.01142EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/10/05 1:29 a.m.•8 views

PYSEC-2017-88

Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository...

7.5CVSS6.8AI score0.04815EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2017/10/05 1:29 a.m.•5 views

PYSEC-2017-89

Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks...

10CVSS6.9AI score0.05734EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•5 views

PYSEC-2017-139

There is a heap-based buffer overflow in the Exiv2::s2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack...

5.5CVSS7.2AI score0.00797EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•6 views

PYSEC-2017-137

An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service...

5.5CVSS6.8AI score0.01071EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•5 views

PYSEC-2017-135

An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service...

5.5CVSS6.8AI score0.01071EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•7 views

PYSEC-2017-138

There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack...

5.5CVSS7.2AI score0.00759EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•7 views

PYSEC-2017-131

There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack...

5.5CVSS7.2AI score0.00797EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•7 views

PYSEC-2017-136

A NULL pointer dereference was discovered in Exiv2::Image::printIFDStructure in image.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service...

5.5CVSS6.8AI score0.00875EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•8 views

PYSEC-2017-133

There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack...

5.5CVSS7AI score0.0083EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•5 views

PYSEC-2017-132

An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service...

5.5CVSS6.8AI score0.01071EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•6 views

PYSEC-2017-130

In Exiv2 0.26, there is an invalid free in the Image class in image.cpp that leads to a Segmentation fault. A crafted input will lead to a denial of service attack...

5.5CVSS6.8AI score0.00772EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/09/29 1:34 a.m.•6 views

PYSEC-2017-134

There is a stack consumption vulnerability in the Exiv2::Internal::stringFormat function of image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial of service attack...

5.5CVSS6.8AI score0.00963EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2017/09/26 2:29 p.m.•9 views

PYSEC-2017-38

When using the localbatch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed...

8.8CVSS7.1AI score0.01681EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/09/26 2:29 p.m.•8 views

PYSEC-2017-39

Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's sshclient...

9CVSS7.4AI score0.03205EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/09/25 9:29 p.m.•8 views

PYSEC-2017-51

Multiple cross-site request forgery CSRF vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x...

8.8CVSS7AI score0.03058EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2017/09/25 5:29 p.m.•5 views

PYSEC-2017-65

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow...

8.8CVSS6.5AI score0.05106EPSS
Exploits0References21Affected Software1
PyPA
PyPA
•added 2017/09/25 5:29 p.m.•9 views

PYSEC-2017-150

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow...

8.8CVSS6.9AI score0.05106EPSS
Exploits0References32Affected Software1
PyPA
PyPA
•added 2017/09/25 5:29 p.m.•6 views

PYSEC-2017-52

Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator...

5.9CVSS6.9AI score0.02004EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/09/25 5:29 p.m.•7 views

PYSEC-2017-53

Cross-site scripting XSS vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1...

6.1CVSS6.2AI score0.01221EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/09/25 5:29 p.m.•7 views

PYSEC-2017-54

Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses...

7.5CVSS7AI score0.01666EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/09/21 9:29 p.m.•10 views

PYSEC-2017-152

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploi...

6.4CVSS6.6AI score0.00347EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2017/09/21 2:29 p.m.•5 views

PYSEC-2017-45

Cross-site scripting XSS vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path...

6.1CVSS6AI score0.01626EPSS
Exploits0References7Affected Software1
Total number of security vulnerabilities4602