Bitnami package
python
pkg:bitnami/python
Vulnerabilities (88)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-27619 | — | >= 3.0.0, < 3.6.13 | 3.6.13 | Oct 22, 2020 | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. | ||
| CVE-2020-26116 | — | >= 3.0.0, < 3.5.10 | 3.5.10 | Sep 27, 2020 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque | ||
| CVE-2020-15801 | — | >= 3.7.0, < 3.7.9 | 3.7.9 | Jul 17, 2020 | In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected. | ||
| CVE-2020-15523 | — | >= 3.5.0, < 3.5.10 | 3.5.10 | Jul 4, 2020 | In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for pyth | ||
| CVE-2020-14422 | — | >= 3.0.0, < 3.5.10 | 3.5.10 | Jun 18, 2020 | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or I | ||
| CVE-2020-8492 | — | >= 2.7.0, < 2.7.18 | 2.7.18 | Jan 30, 2020 | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtr | ||
| CVE-2020-8315 | — | >= 3.6.0, < 3.6.11 | 3.6.11 | Jan 28, 2020 | In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are u | ||
| CVE-2007-4559 | Cri | 9.8 | < 3.6.16 | 3.6.16 | Aug 28, 2007 | Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. |
- CVE-2020-27619Oct 22, 2020affected >= 3.0.0, < 3.6.13fixed 3.6.13
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
- CVE-2020-26116Sep 27, 2020affected >= 3.0.0, < 3.5.10fixed 3.5.10
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque
- CVE-2020-15801Jul 17, 2020affected >= 3.7.0, < 3.7.9fixed 3.7.9
In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.
- CVE-2020-15523Jul 4, 2020affected >= 3.5.0, < 3.5.10fixed 3.5.10
In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for pyth
- CVE-2020-14422Jun 18, 2020affected >= 3.0.0, < 3.5.10fixed 3.5.10
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or I
- CVE-2020-8492Jan 30, 2020affected >= 2.7.0, < 2.7.18fixed 2.7.18
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtr
- CVE-2020-8315Jan 28, 2020affected >= 3.6.0, < 3.6.11fixed 3.6.11
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are u
- affected < 3.6.16fixed 3.6.16
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Page 5 of 5