5613 matches found
PYSEC-2019-14
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uritoiri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences...
PYSEC-2019-11
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars and words methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability i...
PYSEC-2019-12
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...
PYSEC-2019-2
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be...
PYSEC-2019-192
A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens...
PYSEC-2019-152
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's nodecache.findnode. This function makes a SQL query using unfiltered data from a server reporting inspection...
PYSEC-2019-27
invenio-records before 1.2.2 allows XSS...
PYSEC-2019-25
invenio-communities before 1.0.0a20 allows XSS...
PYSEC-2019-24
invenio-app before 1.1.1 allows host header injection...
PYSEC-2019-26
invenio-previewer before 1.0.0a12 allows XSS...
PYSEC-2019-244
Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage::readMetadata in rafimage.cpp...
PYSEC-2019-245
Exiv2::PngImage::readMetadata in pngimage.cpp in Exiv2 0.27.99.0 allows attackers to cause a denial of service heap-based buffer over-read via a crafted image file...
PYSEC-2019-246
In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp. It could result in denial of service...
PYSEC-2019-120
scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: RADIUSAttrPacketListField.getfieldself... The attack vector is: over the network or in a pcap. both work...
PYSEC-2019-119
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.userchpass function from the MySQL module for Salt. The attack vector is: specially crafted...
PYSEC-2019-184
Ladon since 0.6.1 since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059 is affected by: XML External Entity XXE. The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance:...
PYSEC-2019-179
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656...
PYSEC-2019-170
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...
PYSEC-2019-218
libnmap v0.6.3 is affected by: XML Injection. The impact is: Denial of service DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload...
PYSEC-2019-20
verification.py in django-rest-registration aka Django REST Registration library before 0.5.0 relies on a static string for signatures i.e., the Django Signing API is misused, which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to...
PYSEC-2019-10
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECUREPROXYSSLHEADER and SECURESSLREDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words,...
PYSEC-2019-257
http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service crash due to a NULL pointer dereference by returning a crafted response that lacks a space character...
PYSEC-2019-103
KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control issue 1 of 2...
PYSEC-2019-129
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections...
PYSEC-2019-128
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF...
PYSEC-2019-163
aubio v0.4.0 to v0.4.8 has a NULL pointer dereference in newaubiofilterbank via invalid nfilters...
PYSEC-2019-164
aubio v0.4.0 to v0.4.8 has a newaubioonset NULL pointer dereference...
PYSEC-2019-162
aubio v0.4.0 to v0.4.8 has a Buffer Overflow in newaubiotempo...
PYSEC-2019-109
DISPUTED A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code...
PYSEC-2019-199
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDGCONFIGDIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in...
PYSEC-2019-194
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested t...
PYSEC-2019-79
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...
PYSEC-2019-256
In libwebp 0.5.1, there is a double free bug in libwebpmux...
PYSEC-2019-6
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim...
PYSEC-2019-242
Capstone 3.0.4 has an out-of-bounds vulnerability SEGV caused by a read memory access in X86insnregintel in arch/X86/X86Mapping.c...
PYSEC-2019-185
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID...
PYSEC-2019-205
Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent...
PYSEC-2019-230
Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent...
PYSEC-2019-223
Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent...
PYSEC-2019-232
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory...
PYSEC-2019-210
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file...
PYSEC-2019-229
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file...
PYSEC-2019-222
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file...
PYSEC-2019-204
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file...
PYSEC-2019-235
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file...
PYSEC-2019-225
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory...
PYSEC-2019-207
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory...
PYSEC-2019-228
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file...
PYSEC-2019-231
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent...
PYSEC-2019-226
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code local...