Lucene search
K

4602 matches found

PyPA
PyPA
•added 2012/12/18 1:55 a.m.•7 views

PYSEC-2012-20

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression...

4.9CVSS6.8AI score0.0284EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2012/11/30 10:55 p.m.•9 views

PYSEC-2012-8

Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack...

2.1CVSS6.5AI score0.0037EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2012/11/18 11:55 p.m.•6 views

PYSEC-2012-7

The django.http.HttpRequest.gethost function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values...

6.4CVSS7.3AI score0.03635EPSS
Exploits1References18Affected Software1
PyPA
PyPA
•added 2012/11/11 1:0 p.m.•6 views

PYSEC-2012-30

The v2 API in OpenStack Glance Grizzly, Folsom 2012.2, and Essex 2012.1 allows remote authenticated users to delete arbitrary non-protected images via an image deletion request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4573...

5.5CVSS7AI score0.03318EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2012/11/11 1:0 p.m.•6 views

PYSEC-2012-29

The v1 API in OpenStack Glance Grizzly, Folsom 2012.2, and Essex 2012.1 allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482...

5.5CVSS7.1AI score0.03318EPSS
Exploits0References18Affected Software1
PyPA
PyPA
•added 2012/11/04 10:55 p.m.•8 views

PYSEC-2012-17

Tweepy does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python httplib library...

5.8CVSS6.9AI score0.00597EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2012/11/04 10:55 p.m.•6 views

PYSEC-2012-12

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted...

5.9CVSS6.8AI score0.01208EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2012/09/15 5:55 p.m.•9 views

PYSEC-2012-1

Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors...

4.3CVSS7AI score0.02447EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2012/09/10 10:55 p.m.•5 views

PYSEC-2012-10

security/init.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group...

6CVSS6.8AI score0.0209EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2012/09/05 11:55 p.m.•6 views

PYSEC-2012-19

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex 2012.1, allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly...

5.8CVSS7.3AI score0.02895EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2012/09/05 11:55 p.m.•5 views

PYSEC-2012-18

Open redirect vulnerability in views/authforms.py in OpenStack Dashboard Horizon Essex 2012.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by...

5.8CVSS6.9AI score0.02895EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2012/08/26 9:55 p.m.•6 views

PYSEC-2012-13

Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector IV, which makes it easier for context-dependent users to obtain sensitive information and decrypt the database...

4.3CVSS6.4AI score0.01667EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2012/08/26 8:55 p.m.•5 views

PYSEC-2012-11

Buffer overflow in the fribidiutf8tounicode function in PyFriBidi before 0.11.0 allows remote attackers to cause a denial of service application crash via a 4-byte utf-8 sequence...

5CVSS7.1AI score0.02652EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2012/08/20 6:55 p.m.•6 views

PYSEC-2012-21

virt/disk/api.py in OpenStack Compute Nova 2012.1.x before 2012.1.2 and Folsom before Folsom-3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image that uses a symlink that is only readable by root. NOTE: this vulnerability exists because of an...

5.5CVSS6.9AI score0.02582EPSS
Exploits2References11Affected Software1
PyPA
PyPA
•added 2012/07/31 5:55 p.m.•6 views

PYSEC-2012-3

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service memory consumption by uploading an image file...

5CVSS6.8AI score0.02641EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2012/07/31 5:55 p.m.•6 views

PYSEC-2012-2

The 1 django.http.HttpResponseRedirect and 2 django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting XSS attacks via a data: URL...

4.3CVSS6.1AI score0.02072EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2012/07/31 5:55 p.m.•5 views

PYSEC-2012-4

The getimagedimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service process or thread consumption via a large TIFF image...

5CVSS6.8AI score0.01774EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2012/07/31 10:45 a.m.•7 views

PYSEC-2012-34

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by 1 creating new tokens through token chaining, 2 leveraging...

4.9CVSS6.8AI score0.02266EPSS
Exploits1References17Affected Software1
PyPA
PyPA
•added 2012/07/22 4:55 p.m.•6 views

PYSEC-2012-39

virt/disk/api.py in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image...

5.5CVSS6.9AI score0.02582EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2012/07/22 4:55 p.m.•6 views

PYSEC-2012-38

Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute Nova Folsom 2012.2 and Essex 2012.1, when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. dot dot in the path attribute of a file element...

5.5CVSS7AI score0.02997EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2012/07/17 9:55 p.m.•7 views

PYSEC-2012-40

The Nova scheduler in OpenStack Compute Nova Folsom 2012.2 and Essex 2012.1, when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated users to cause a denial of service excessive database lookup calls and server hang via a request with many repeated IDs in the...

3.5CVSS6.7AI score0.01846EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2012/07/12 8:55 p.m.•5 views

PYSEC-2012-6

model/modelstorage.py in the Tryton application framework trytond before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a 1 create, 2 write, 3 delete, or 4 cop...

5.5CVSS6.9AI score0.01966EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2012/06/21 3:55 p.m.•8 views

PYSEC-2012-37

The 1 EC2 and 2 OS APIs in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restriction...

4.3CVSS7AI score0.02626EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2012/06/17 3:41 a.m.•7 views

PYSEC-2012-16

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key...

4.3CVSS6.7AI score0.02727EPSS
Exploits2References15Affected Software1
PyPA
PyPA
•added 2012/06/07 7:55 p.m.•7 views

PYSEC-2012-36

Openstack Compute Nova Folsom, 2012.1, and 2011.3 does not limit the number of security group rules, which allows remote authenticated users with certain permissions to cause a denial of service CPU and hard drive consumption via a network request that triggers a large number of iptables rules...

3.5CVSS6.7AI score0.0148EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2012/06/05 10:55 p.m.•8 views

PYSEC-2012-32

Cross-site scripting XSS vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard Horizon folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console...

4.3CVSS6AI score0.02415EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2012/06/05 10:55 p.m.•6 views

PYSEC-2012-33

Session fixation vulnerability in OpenStack Dashboard Horizon folsom-1 and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie...

6.8CVSS7AI score0.0211EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2012/06/05 10:55 p.m.•6 views

PYSEC-2012-9

Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the 1 limit or 2 offset keyword to the select function, or unspecified vectors to the 3 select.limit or 4 select.offset function...

7.5CVSS8.8AI score0.02862EPSS
Exploits2References11Affected Software1
PyPA
PyPA
•added 2012/05/23 8:55 p.m.•8 views

PYSEC-2012-5

CRLF injection vulnerability in the tornado.web.RequestHandler.setheader function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input...

5CVSS7.5AI score0.01362EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2012/05/21 10:55 p.m.•6 views

PYSEC-2012-14

Universal Feed Parser aka feedparser or python-feedparser before 5.1.2 allows remote attackers to cause a denial of service memory consumption via a crafted XML ENTITY declaration in a non-ASCII encoded document...

5CVSS6.8AI score0.01863EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2012/05/01 7:55 p.m.•6 views

PYSEC-2012-15

Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem...

5.1CVSS7AI score0.0404EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•5 views

PYSEC-2012-25

The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal aka Cat QuickHeal 11.00, ClamAV 0.96.4, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, F-Prot...

4.3CVSS6.8AI score0.98293EPSS
Exploits0References16Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•6 views

PYSEC-2012-23

The ELF file parser in Bitdefender 7.2, Command Antivirus 5.2.11.5, Comodo Antivirus 7424, eSafe 7.0.17.0, F-Prot Antivirus 4.6.2.117, F-Secure Anti-Virus 9.0.16160.0, McAfee Gateway formerly Webwasher 2010.1C, nProtect Anti-Virus 2011-01-17.01, Sophos Anti-Virus 4.61.0, and Rising Antivirus...

4.3CVSS7AI score0.96091EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•9 views

PYSEC-2012-28

The ELF file parser in AhnLab V3 Internet Security 2011.01.18.00, Bitdefender 7.2, Quick Heal aka Cat QuickHeal 11.00, Command Antivirus 5.2.11.5, Comodo Antivirus 7424, eSafe 7.0.17.0, F-Prot Antivirus 4.6.2.117, F-Secure Anti-Virus 9.0.16160.0, McAfee Anti-Virus Scanning Engine 5.400.0.1158,...

4.3CVSS7AI score0.94361EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•8 views

PYSEC-2012-27

The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, F-Secure Anti-Virus 9.0.16160.0, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, K7 AntiVirus...

4.3CVSS6.9AI score0.91746EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•6 views

PYSEC-2012-24

The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick Heal aka Cat QuickHeal 11.00, G Data AntiVirus 21, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Command Antivirus 5.2.11.5, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Emsisoft Anti-Malware 5.1.0....

4.3CVSS6.8AI score0.99636EPSS
Exploits0References17Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•10 views

PYSEC-2012-22

The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, eSafe 7.0.17.0, F-Secure Anti-Virus 9.0.16160.0, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway formerly Webwasher 2010.1C, nProtect Anti-Virus 2011-01-17.01, Sophos Anti-Virus 4.61.0, and Rising Antivirus 22.83.00.03...

4.3CVSS6.9AI score0.96091EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2012/03/21 10:11 a.m.•4 views

PYSEC-2012-26

The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal aka Cat QuickHeal 11.00, ClamAV 0.96.4, Command Antivirus 5.2.11.5, Comodo...

4.3CVSS6.8AI score0.99809EPSS
Exploits0References17Affected Software1
PyPA
PyPA
•added 2012/03/19 7:55 p.m.•6 views

PYSEC-2012-31

libs/updater.py in GoLismero 0.6.3, and other versions before Git revision 2b3bb43d6867, as used in backtrack and possibly other products, allows local users to overwrite arbitrary files via a symlink attack on GoLismero-controlled files, as demonstrated using Admin/changes.dat...

3.3CVSS6.8AI score0.00307EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2011/12/31 1:55 a.m.•8 views

PYSEC-2011-23

virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/...

1.2CVSS6.7AI score0.00324EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2011/12/30 1:55 a.m.•10 views

PYSEC-2011-22

Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service CPU consumption by sending many crafted parameters...

5CVSS6.8AI score0.02153EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2011/12/05 11:55 a.m.•6 views

PYSEC-2011-17

Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryddetach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving...

6.9CVSS7.3AI score0.00346EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•6 views

PYSEC-2011-5

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page...

6.8CVSS7.2AI score0.01093EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•5 views

PYSEC-2011-1

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that...

5.8CVSS6.9AI score0.02284EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•7 views

PYSEC-2011-4

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request...

5CVSS6.9AI score0.02304EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•7 views

PYSEC-2011-2

The verifyexists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service resource consumption via a URL associated with...

6.4CVSS7AI score0.04266EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•6 views

PYSEC-2011-3

The verifyexists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitra...

5CVSS7AI score0.02341EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/10 10:55 a.m.•10 views

PYSEC-2011-27

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587...

9.3CVSS7.1AI score0.78546EPSS
Exploits15References5Affected Software1
PyPA
PyPA
•added 2011/10/10 10:55 a.m.•9 views

PYSEC-2011-26

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p class in OFS/misc.py and the use of Python modules...

9.3CVSS7.7AI score0.78546EPSS
Exploits15References9Affected Software1
PyPA
PyPA
•added 2011/09/12 12:41 p.m.•5 views

PYSEC-2011-24

libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle MITM attack...

4.3CVSS6.9AI score0.01379EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities4602