Lucene search
K

5613 matches found

PyPA
PyPA
•added 2019/04/23 9:29 p.m.•6 views

PYSEC-2019-208

Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code local...

8.8CVSS7.9AI score0.00646EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/04/23 9:29 p.m.•6 views

PYSEC-2019-206

Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent...

6.5CVSS6.9AI score0.0038EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/04/23 9:29 p.m.•6 views

PYSEC-2019-233

Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code local...

8.8CVSS7.9AI score0.00646EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/04/23 9:29 p.m.•8 views

PYSEC-2019-224

Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent...

6.5CVSS6.9AI score0.0038EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2019/04/22 4:29 p.m.•7 views

PYSEC-2019-155

python-dbusmock before version 0.15.1 AddTemplate D-Bus method call or DBusTestCase.spawnservertemplate method could be tricked into executing malicious code if an attacker supplies a .pyc file...

9.3CVSS7.2AI score0.01815EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/04/22 4:29 p.m.•7 views

PYSEC-2019-188

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository...

5.9CVSS6.6AI score0.01413EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2019/04/18 9:29 p.m.•5 views

PYSEC-2019-133

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use o...

7.5CVSS6.9AI score0.02836EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2019/04/17 2:29 p.m.•6 views

PYSEC-2019-198

OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authenticatio...

9.8CVSS7.1AI score0.04636EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/04/15 3:29 p.m.•7 views

PYSEC-2019-132

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter...

6.1CVSS7.4AI score0.02056EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2019/04/10 8:29 p.m.•11 views

PYSEC-2019-214

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views...

4.8CVSS7.4AI score0.02767EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/04/10 8:29 p.m.•9 views

PYSEC-2019-215

A number of HTTP endpoints in the Airflow webserver both RBAC and classic did not have adequate protection and were vulnerable to cross-site request forgery attacks...

8.8CVSS6.9AI score0.01563EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/04/08 1:29 p.m.•5 views

PYSEC-2019-220

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape...

8.6CVSS7AI score0.03492EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2019/04/07 12:29 a.m.•7 views

PYSEC-2019-217

In Pallets Jinja before 2.10.1, str.formatmap allows a sandbox escape...

8.6CVSS7AI score0.03603EPSS
Exploits1References20Affected Software1
PyPA
PyPA
•added 2019/04/06 8:29 p.m.•9 views

PYSEC-2019-201

Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgihandler.py mishandle 404 errors...

6.1CVSS6.3AI score0.01568EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/04/05 5:29 a.m.•5 views

PYSEC-2019-189

An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those...

6.5CVSS6.8AI score0.01757EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2019/04/05 1:29 a.m.•5 views

PYSEC-2019-127

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values...

6.5CVSS6.8AI score0.01277EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2019/04/04 4:29 p.m.•6 views

PYSEC-2019-158

In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255...

6.1CVSS9.2AI score0.01741EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/04/04 5:29 a.m.•8 views

PYSEC-2019-107

nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries aka nnabla through v1.0.14 relies on the HOME environment variable, which might be untrusted...

9.8CVSS7AI score0.01552EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/04/02 8:29 p.m.•6 views

PYSEC-2019-165

The Serialize.deserialize method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client when they receive...

7.5CVSS6.8AI score0.0146EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/04/02 7:29 p.m.•11 views

PYSEC-2019-166

The Serialize.deserialize method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library e.g., the standard CoAP server, CoAP client, example collect CoAP server and client when they receive crafted CoAP messages...

7.5CVSS6.8AI score0.01446EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/03/27 1:29 p.m.•8 views

PYSEC-2019-5

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path...

4.2CVSS6.7AI score0.00522EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2019/03/26 6:29 p.m.•7 views

PYSEC-2019-78

A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated...

7.8CVSS6.7AI score0.00386EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2019/03/26 6:29 p.m.•7 views

PYSEC-2019-193

In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowi...

7.5CVSS6.7AI score0.00878EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/03/21 9:29 p.m.•5 views

PYSEC-2019-180

A code injection issue was discovered in ipycache through 2016-05-31...

8.8CVSS7.6AI score0.01591EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/03/21 8:29 p.m.•6 views

PYSEC-2019-21

An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collectyaml method in configobj.py. It can execute arbitrary Python commands, resulting in command execution...

9.8CVSS7.6AI score0.03442EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/03/21 4:1 p.m.•9 views

PYSEC-2019-203

Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks...

8.1CVSS6.8AI score0.00549EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/03/21 4:1 p.m.•5 views

PYSEC-2019-115

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting...

7.5CVSS6.9AI score0.08548EPSS
Exploits2References14Affected Software1
PyPA
PyPA
•added 2019/03/21 4:1 p.m.•7 views

PYSEC-2019-187

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users...

7.5CVSS7.1AI score0.02418EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2019/03/13 2:29 a.m.•8 views

PYSEC-2019-190

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option for example, VRRP, an...

6.5CVSS6.8AI score0.03635EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2019/03/12 9:29 a.m.•6 views

PYSEC-2019-159

An XSSI cross-site inclusion vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of erro...

5.4CVSS6.7AI score0.01636EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/03/12 2:29 a.m.•5 views

PYSEC-2019-139

An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests...

8.1CVSS7AI score0.0112EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/02/27 6:29 p.m.•12 views

PYSEC-2019-142

In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views...

5.5CVSS7.4AI score0.01956EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/02/25 3:29 p.m.•11 views

PYSEC-2019-249

An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service Segmentation fault or possibly have unspecified other impact...

8.8CVSS7.3AI score0.02783EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/02/25 3:29 p.m.•6 views

PYSEC-2019-248

An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service Segmentation fault or possibly have unspecified other impact...

8.8CVSS7.3AI score0.02769EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/02/20 12:29 a.m.•6 views

PYSEC-2019-123

SQLAlchemy before 1.3.0b3 allows SQL Injection via the orderby parameter. The fix commit 30307c4 was applied only to the main branch and was never backported to the 1.2.x release line; all 1.2.x versions remain vulnerable...

9.8CVSS7.8AI score0.03525EPSS
Exploits2References9Affected Software1
PyPA
PyPA
•added 2019/02/19 4:29 p.m.•8 views

PYSEC-2019-255

data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page...

6.1CVSS6.1AI score0.0109EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2019/02/11 1:29 p.m.•10 views

PYSEC-2019-18

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format function...

7.5CVSS6.9AI score0.05399EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2019/02/07 7:29 a.m.•8 views

PYSEC-2019-252

In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted input file leads to a use after free in getfailedassumptions or btordelete...

5.5CVSS7AI score0.00959EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2019/02/06 9:29 p.m.•7 views

PYSEC-2019-124

SQLAlchemy 1.2.17 has SQL Injection when the groupby parameter can be controlled...

7.8CVSS8.1AI score0.01777EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2019/02/04 9:29 p.m.•8 views

PYSEC-2019-1

aioxmpp version 0.10.2 and earlier contains a Improper Handling of Structural Elements vulnerability in Stanza Parser, rollback during error processing, aioxmpp.xso.model.guard function that can result in Denial of Service, Other. This attack appears to be exploitable via Remote. A crafted stanza...

7.4CVSS6.9AI score0.0116EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/02/04 9:29 p.m.•9 views

PYSEC-2019-121

slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin Persistent Storage of Private Data via PubSub options profile, used for the configuration of default access model that can result in all of the contacts of...

7.5CVSS6.8AI score0.02323EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2019/02/04 5:29 p.m.•8 views

PYSEC-2019-169

When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1...

5.5CVSS6.5AI score0.00605EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2019/02/03 8:29 a.m.•6 views

PYSEC-2019-7

www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain...

6.1CVSS7.3AI score0.0087EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/02/01 9:29 a.m.•7 views

PYSEC-2019-167

In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis...

7.5CVSS6.8AI score0.01762EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2019/01/25 4:29 a.m.•7 views

PYSEC-2019-113

CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI...

6.1CVSS6.7AI score0.03922EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2019/01/23 5:29 p.m.•7 views

PYSEC-2019-149

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the...

9.8CVSS6.3AI score0.02166EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/01/23 5:29 p.m.•7 views

PYSEC-2019-147

In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object...

8.8CVSS7.2AI score0.02044EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/01/23 5:29 p.m.•6 views

PYSEC-2019-143

The LDAP auth backend airflow.contrib.auth.backends.ldapauth prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking...

7.5CVSS7AI score0.01016EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/01/23 5:29 p.m.•7 views

PYSEC-2019-148

In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow...

8.8CVSS7.7AI score0.01295EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2019/01/21 6:29 a.m.•7 views

PYSEC-2019-250

GattLib 0.2 has a stack-based buffer over-read in gattlibconnect in dbus/gattlib.c because strncpy is misused...

8.8CVSS7.2AI score0.04965EPSS
Exploits5References7Affected Software1
Total number of security vulnerabilities5613