apk package
chainguard/python-3.7
pkg:apk/chainguard/python-3.7
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-48566 | — | | | < 0 | 0 | Aug 22, 2023 | An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. |
| CVE-2022-48565 | — | | | < 0 | 0 | Aug 22, 2023 | An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. |
| CVE-2022-48564 | — | | | < 0 | 0 | Aug 22, 2023 | read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. |
| CVE-2022-48560 | — | | | < 0 | 0 | Aug 22, 2023 | A use-after-free exists in Python through 3.9 via heappushpop in heapq. |
| CVE-2023-36632 | — | | | < 0 | 0 | Jun 25, 2023 | The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data t |
| CVE-2023-24329 | — | | | < 3.7.17-r0 | 3.7.17-r0 | Feb 17, 2023 | An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. |
| CVE-2007-4559 | Cri | 9.8 | | < 0 | 0 | Aug 28, 2007 | Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. |