Lucene search
K

4602 matches found

PyPA
PyPA
added 2014/01/07 6:55 p.m.6 views

PYSEC-2014-97

Libcloud 0.12.3 through 0.13.2 does not set the scrubdata parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM...

2.1CVSS6.2AI score0.0206EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2013/12/27 1:55 a.m.6 views

PYSEC-2013-45

keystone/middleware/authtoken.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova...

2.1CVSS6.6AI score0.00238EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2013/11/18 2:55 a.m.5 views

PYSEC-2013-28

Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report...

7.8CVSS7.1AI score0.02137EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.5 views

PYSEC-2013-12

Salt aka SaltStack 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine...

6CVSS7.3AI score0.01515EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.7 views

PYSEC-2013-27

Unspecified vulnerability in salt-ssh in Salt aka SaltStack 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."...

10CVSS7AI score0.01458EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.5 views

PYSEC-2013-15

The salt master in Salt aka SaltStack 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges...

10CVSS7.1AI score0.03049EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.7 views

PYSEC-2013-14

Salt aka SaltStack before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key...

4.9CVSS6.9AI score0.01473EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.5 views

PYSEC-2013-26

The default configuration for salt-ssh in Salt aka SaltStack 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle MITM attack...

9.3CVSS7.2AI score0.01824EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.5 views

PYSEC-2013-13

Salt aka SaltStack before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe...

7.5CVSS7.8AI score0.02098EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2013/10/26 5:55 p.m.5 views

PYSEC-2013-29

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator PRNG before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a...

4.3CVSS6.3AI score0.02007EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2013/10/04 5:55 p.m.6 views

PYSEC-2013-19

Cross-site scripting XSS vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField...

4.3CVSS6AI score0.0288EPSS
Exploits2References9Affected Software1
PyPA
PyPA
added 2013/10/04 5:55 p.m.7 views

PYSEC-2013-21

The issafeurl function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting XSS or other vulnerabilities into Django applications that use this function, a...

4.3CVSS6.2AI score0.02297EPSS
Exploits0References14Affected Software1
PyPA
PyPA
added 2013/10/01 8:55 p.m.5 views

PYSEC-2013-24

The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process...

2.1CVSS6.5AI score0.0037EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2013/09/30 9:55 p.m.7 views

PYSEC-2013-31

The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate...

4.3CVSS6.8AI score0.01197EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2013/09/27 10:8 a.m.7 views

PYSEC-2013-4

Multiple cross-site scripting XSS vulnerabilities in Graphite before 0.9.11 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.0117EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2013/09/27 10:8 a.m.6 views

PYSEC-2013-3

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object...

6.8CVSS8AI score0.38668EPSS
Exploits5References8Affected Software1
PyPA
PyPA
added 2013/09/27 10:8 a.m.8 views

PYSEC-2013-34

Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to 1 remotestorage.py, 2 storage.py, 3 render/datalib.py, and 4 whitelist/views.py, a different vulnerability than CVE-2013-5093...

6.8CVSS8.1AI score0.38668EPSS
Exploits5References3Affected Software1
PyPA
PyPA
added 2013/09/23 8:55 p.m.4 views

PYSEC-2013-33

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/...

1.2CVSS6.8AI score0.00558EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2013/09/23 8:55 p.m.6 views

PYSEC-2013-32

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/...

1.2CVSS6.8AI score0.00558EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2013/09/23 8:55 p.m.7 views

PYSEC-2013-42

The 1 mamcache and 2 KVS token backends in OpenStack Identity Keystone Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token...

5CVSS6.9AI score0.02342EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2013/09/23 8:55 p.m.4 views

PYSEC-2013-18

The authentication framework django.contrib.auth in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service CPU consumption via a long password which is then hashed...

5CVSS7.1AI score0.02661EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2013/09/16 7:14 p.m.4 views

PYSEC-2013-2

lib/ansible/playbook/init.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/...

3.3CVSS6.6AI score0.00329EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2013/09/16 7:14 p.m.6 views

PYSEC-2013-1

runner/connectionplugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/...

1.9CVSS6.5AI score0.00339EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2013/09/16 7:14 p.m.9 views

PYSEC-2013-20

Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWEDINCLUDEROOTS setting followed by a .. dot dot in a ssi template tag...

5CVSS6.9AI score0.03182EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added 2013/09/16 7:14 p.m.6 views

PYSEC-2013-35

The clearvolume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors...

2.1CVSS6.2AI score0.00406EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2013/08/28 9:55 p.m.5 views

PYSEC-2013-11

The Python client library for Glance python-glanceclient before 0.10.0 does not properly check the preverifyok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate and allows...

5.8CVSS6.9AI score0.00986EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2013/08/23 4:55 p.m.5 views

PYSEC-2013-25

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

5.8CVSS6.9AI score0.01573EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2013/08/17 6:54 a.m.8 views

PYSEC-2013-9

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory...

2.1CVSS6.7AI score0.00367EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2013/08/15 5:55 p.m.5 views

PYSEC-2013-30

bson/cbsonmodule.c in the mongo-python-driver aka. pymongo before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service NULL pointer dereference and crash via vectors related to decoding of an "invalid DBRef."...

4.3CVSS6.7AI score0.02633EPSS
Exploits2References10Affected Software1
PyPA
PyPA
added 2013/08/06 2:52 a.m.7 views

PYSEC-2013-10

pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation...

6.8CVSS7.8AI score0.02083EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2013/08/06 2:52 a.m.5 views

PYSEC-2013-22

easyinstall in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product...

6.8CVSS7.8AI score0.01949EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2013/08/06 2:52 a.m.6 views

PYSEC-2013-8

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation...

6.8CVSS7.8AI score0.06217EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2013/05/21 6:55 p.m.7 views

PYSEC-2013-41

OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...

6CVSS7AI score0.02468EPSS
Exploits1References11Affected Software1
PyPA
PyPA
added 2013/05/21 6:55 p.m.5 views

PYSEC-2013-40

OpenStack Identity Keystone Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the 1 admintoken and 2 LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file...

2.1CVSS6.5AI score0.00602EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2013/05/02 2:55 p.m.6 views

PYSEC-2013-16

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information...

4CVSS6.7AI score0.01805EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2013/05/02 2:55 p.m.8 views

PYSEC-2013-17

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service memory consumption or trigger server errors via a modified maxnum parameter...

5CVSS6.9AI score0.02574EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2013/03/22 9:55 p.m.11 views

PYSEC-2013-46

The v1 API in OpenStack Glance Essex 2012.1, Folsom 2012.2, and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image...

3.5CVSS5.8AI score0.01356EPSS
Exploits0References12Affected Software1
PyPA
PyPA
added 2013/03/22 9:55 p.m.6 views

PYSEC-2013-44

OpenStack Compute Nova Grizzly, Folsom 2012.2, and Essex 2012.1 does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service resource exhaustion and failure to spawn new instances via a large number of calls to the addFixedIp function...

4CVSS6.7AI score0.02742EPSS
Exploits0References14Affected Software1
PyPA
PyPA
added 2013/03/22 9:55 p.m.7 views

PYSEC-2013-39

OpenStack Keystone Folsom 2012.2 does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token...

6.8CVSS7AI score0.02608EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2013/03/22 9:55 p.m.5 views

PYSEC-2013-43

OpenStack Compute Nova Grizzly, Folsom 2012.2, and Essex 2012.1 allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port...

6CVSS7AI score0.02146EPSS
Exploits1References10Affected Software1
PyPA
PyPA
added 2013/02/24 9:55 p.m.7 views

PYSEC-2013-37

store/swift.py in OpenStack Glance Essex 2012.1, Folsom 2012.2 before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive...

4CVSS6.6AI score0.02965EPSS
Exploits0References13Affected Software1
PyPA
PyPA
added 2013/01/27 6:55 p.m.6 views

PYSEC-2013-38

The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the Certification Authority CA certificate from the server, which allows man-in-the-middle attackers to spoof a join procedure via a crafted certificate...

7.9CVSS6.7AI score0.00557EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2013/01/27 6:55 p.m.4 views

PYSEC-2013-36

The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the Certification Authority CA certificate from the server, which allows man-in-the-middle attackers to spoof a join procedure via a crafted certificate...

7.9CVSS6.7AI score0.00557EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2013/01/03 1:55 a.m.8 views

PYSEC-2013-5

Directory traversal vulnerability in the doattachmentmove function in the AttachFile action action/AttachFile.py in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. dot dot in a file name...

6.4CVSS7.1AI score0.04019EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2013/01/03 1:55 a.m.5 views

PYSEC-2013-7

Multiple directory traversal vulnerabilities in the 1 twikidraw action/twikidraw.py and 2 anywikidraw action/anywikidraw.py actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files via unspecified vectors. NOTE: this can be leveraged wi...

6CVSS7.6AI score0.30566EPSS
Exploits9References10Affected Software1
PyPA
PyPA
added 2013/01/03 1:55 a.m.7 views

PYSEC-2013-6

Multiple unrestricted file upload vulnerabilities in the 1 twikidraw action/twikidraw.py and 2 anywikidraw action/anywikidraw.py actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, the...

6CVSS8AI score0.30566EPSS
Exploits7References14Affected Software1
PyPA
PyPA
added 2013/01/03 1:55 a.m.6 views

PYSEC-2013-23

Cross-site scripting XSS vulnerability in the rsslink function in theme/init.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link...

4.3CVSS6AI score0.02095EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2012/12/26 10:55 p.m.7 views

PYSEC-2012-42

OpenStack Compute Nova Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume PV content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume L...

4.3CVSS5.8AI score0.01994EPSS
Exploits0References11
PyPA
PyPA
added 2012/12/26 10:55 p.m.7 views

PYSEC-2012-41

OpenStack Compute Nova Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume PV content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume L...

4.3CVSS6.3AI score0.01994EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2012/12/18 1:55 a.m.6 views

PYSEC-2012-35

OpenStack Keystone Essex 2012.1 and Folsom 2012.2 does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role...

5.4CVSS6.8AI score0.02038EPSS
Exploits0References15Affected Software1
Total number of security vulnerabilities4602