Lucene search
K

5612 matches found

PyPA
PyPA
•added 2019/11/22 3:15 p.m.•7 views

PYSEC-2019-243

Designate does not enforce the DNS protocol limit concerning record set sizes...

6.5CVSS7AI score0.01593EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/22 1:15 p.m.•8 views

PYSEC-2019-145

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them...

6.5CVSS6.9AI score0.01503EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/11/21 3:15 p.m.•6 views

PYSEC-2019-202

python-rply before 0.7.4 insecurely creates temporary files...

5.5CVSS7AI score0.00396EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/11/21 2:15 p.m.•5 views

PYSEC-2019-211

trytond 2.4: ModelView.button fails to validate authorization...

7.5CVSS7AI score0.01763EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/16 1:15 a.m.•7 views

PYSEC-2019-102

Eval injection in the Math plugin of Limnoria before 2019.11.09 and Supybot through 2018-05-09 allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands...

9.8CVSS7.8AI score0.0171EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/12 2:15 p.m.•5 views

PYSEC-2019-212

Python Twisted 14.0 trustRoot is not respected in HTTP client...

7.5CVSS7AI score0.0259EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2019/11/12 2:15 a.m.•7 views

PYSEC-2019-41

psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...

7.5CVSS9.1AI score0.03522EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/11/08 7:15 p.m.•6 views

PYSEC-2019-196

While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory...

7.5CVSS7.6AI score0.04711EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/11/08 7:15 p.m.•6 views

PYSEC-2019-195

It was discovered that the C++ implementation which underlies the R, Python and Ruby implementations of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow...

7.5CVSS7.6AI score0.03225EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/11/08 12:15 a.m.•9 views

PYSEC-2019-186

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /sendjoin, /sendleave, and /invite may not be correctly signed, or may not come from the expected servers...

9.8CVSS7AI score0.00864EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/11/07 6:15 p.m.•7 views

PYSEC-2019-253

Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers to corrupt mutable files or directories upon retrieval...

7.4CVSS7AI score0.01714EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2019/11/05 10:15 p.m.•5 views

PYSEC-2019-160

The mirroring support -M, --use-mirrors in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks...

5.9CVSS6.9AI score0.07987EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2019/11/04 9:15 p.m.•6 views

PYSEC-2019-175

An eval vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests...

9.8CVSS7AI score0.0304EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2019/11/04 8:15 p.m.•6 views

PYSEC-2019-156

The scipy.weave component in SciPy before 0.12.1 creates insecure temporary directories...

7.8CVSS7AI score0.00427EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2019/10/31 4:15 p.m.•9 views

PYSEC-2019-176

python-docutils allows insecure usage of temporary files...

9.1CVSS7AI score0.01116EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/10/31 3:15 p.m.•5 views

PYSEC-2019-157

Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document...

5.3CVSS6.3AI score0.01443EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/10/30 10:15 p.m.•8 views

PYSEC-2019-216

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process...

4.8CVSS7.3AI score0.01345EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/10/28 5:15 p.m.•8 views

PYSEC-2019-181

Python keyring lib before 0.10 created keyring files with world-readable permissions...

7.5CVSS7AI score0.0146EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/10/21 11:15 p.m.•6 views

PYSEC-2019-213

The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion...

7.5CVSS6.7AI score0.01927EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/10/16 12:15 p.m.•7 views

PYSEC-2019-117

ReportLab through 3.5.26 allows remote code execution because of toColorevalarg in colors.py, as demonstrated by a crafted XML document with '...

9.8CVSS8.1AI score0.10231EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2019/10/14 3:15 p.m.•6 views

PYSEC-2019-171

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argumentspec with sub parameters marked as nolog, passing an invalid parameter name to the module will cause the task to fail before the nolog options in the sub parameters are processe...

7.3CVSS6.7AI score0.00427EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2019/10/14 2:15 a.m.•7 views

PYSEC-2019-241

GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogrexpat.cpp when the 10MB threshold is exceeded...

9.8CVSS7.2AI score0.02577EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2019/10/11 11:15 p.m.•6 views

PYSEC-2019-151

sendemail in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent ...

7.5CVSS7.1AI score0.16948EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/10/09 10:15 p.m.•5 views

PYSEC-2019-183

Koji through 1.18.0 allows remote Directory Traversal, with resultant Privilege Escalation...

6.5CVSS7.1AI score0.02793EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2019/10/09 7:15 p.m.•7 views

PYSEC-2019-247

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimageint.cpp, because there is no validation of the relationship of the total size to the offset and size...

6.5CVSS6.8AI score0.01851EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/10/08 7:15 p.m.•5 views

PYSEC-2019-4

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible...

7.8CVSS6.5AI score0.00509EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2019/10/05 11:15 p.m.•59 views

PYSEC-2019-116

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper aka Redis Wrapper before 0.3.0 allows attackers to execute arbitrary scripts...

9.8CVSS7.5AI score0.03158EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/10/04 10:15 p.m.•6 views

PYSEC-2019-110

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image...

7.5CVSS7AI score0.03154EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2019/10/04 8:15 p.m.•8 views

PYSEC-2019-125

Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM. This could lead to denial of service, elevation of privilege, or unspecified other impact...

7.8CVSS7AI score0.00717EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2019/10/03 8:15 p.m.•7 views

PYSEC-2019-118

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings...

7.5CVSS7.2AI score0.13049EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2019/09/23 4:15 p.m.•8 views

PYSEC-2019-221

Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py...

7.5CVSS6.5AI score0.01677EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/09/11 3:15 p.m.•7 views

PYSEC-2019-238

An issue was discovered in py-lmdb 0.97. mdbnodedel does not validate a memmove in the case of an unexpected node-mnhi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

7.5CVSS7AI score0.01543EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2019/09/11 3:15 p.m.•7 views

PYSEC-2019-236

An issue was discovered in py-lmdb 0.97. For certain values of mdflags, mdbnodeadd does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

9.8CVSS7AI score0.01765EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2019/09/11 3:15 p.m.•8 views

PYSEC-2019-240

An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdbenvopen2 if mdbenvreadheader obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

7.5CVSS7AI score0.01786EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2019/09/11 3:15 p.m.•7 views

PYSEC-2019-237

An issue was discovered in py-lmdb 0.97. For certain values of mpflags, mdbpagetouch does not properly set up mc-mcpgmc-top, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

9.8CVSS7AI score0.01765EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2019/09/11 3:15 p.m.•7 views

PYSEC-2019-239

An issue was discovered in py-lmdb 0.97. For certain values of mnflags, mdbcursorset triggers a memcpy with an invalid write operation within mdbxcursorinit1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker...

9.8CVSS7AI score0.01963EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2019/09/10 5:15 p.m.•8 views

PYSEC-2019-126

DISPUTED In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inethttpserver, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. T...

8.2CVSS6.9AI score0.02283EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/08/27 3:15 p.m.•9 views

PYSEC-2019-174

Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/...

8.8CVSS7.1AI score0.01149EPSS
Exploits2References4Affected Software1
PyPA
PyPA
•added 2019/08/26 6:15 p.m.•7 views

PYSEC-2019-144

An issue was discovered in the arrayfire crate before 3.6.0 for Rust. Addition of the repr attribute to an enum is mishandled, leading to memory corruption...

9.8CVSS7AI score0.01645EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/08/23 5:15 p.m.•7 views

PYSEC-2019-23

All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control...

8.8CVSS7AI score0.02045EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/08/23 1:15 p.m.•7 views

PYSEC-2019-19

django-js-reverse aka Django JS Reverse before 0.9.1 has XSS via jsreverseinline...

6.1CVSS6.2AI score0.01025EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/08/22 5:15 p.m.•7 views

PYSEC-2019-178

When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing...

7.2CVSS6.8AI score0.0151EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/08/22 4:15 p.m.•5 views

PYSEC-2019-106

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ dot dot slash in an NLTK package ZIP archive that is mishandled during extraction...

7.5CVSS7.1AI score0.05831EPSS
Exploits2References9Affected Software1
PyPA
PyPA
•added 2019/08/18 8:15 p.m.•9 views

PYSEC-2019-104

DISPUTED core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with...

9.8CVSS7.1AI score0.01632EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/08/09 7:15 p.m.•7 views

PYSEC-2019-191

An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and could include sensiti...

6.5CVSS6.7AI score0.01927EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2019/08/09 4:15 p.m.•6 views

PYSEC-2019-219

Recommender before 2018-07-18 allows XSS...

6.1CVSS7AI score0.00848EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/08/09 3:15 p.m.•10 views

PYSEC-2019-140

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id...

7.5CVSS7AI score0.02288EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/08/09 1:15 p.m.•8 views

PYSEC-2019-13

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to...

9.8CVSS7.7AI score0.47694EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2019/08/07 5:15 p.m.•7 views

PYSEC-2019-114

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk controlled by spark.maxRemoteBlockSizeFetchToMem; in SparkR, using parallelize; in Pyspark, using...

7.5CVSS6.6AI score0.01291EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/08/02 3:15 p.m.•6 views

PYSEC-2019-14

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uritoiri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences...

7.5CVSS6.9AI score0.03073EPSS
Exploits0References11Affected Software1
Total number of security vulnerabilities5612