rpm package
almalinux/fence-virtd-libvirt
pkg:rpm/almalinux/fence-virtd-libvirt
Vulnerabilities (18)

All 18 entries describe Python libraries (pyasn1, PyJWT, urllib3, setuptools, Jinja, PyCryptodome, certifi, OAuthLib), not the fence-virtd daemon's own code. The affected and fixed-in values are AlmaLinux package NVRs (el9 and el10 builds), not the upstream library versions quoted in each description, so compare them with rpm version ordering against the installed NVR from the same release stream.
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30922 | High | 7.5 | — | < 4.16.0-13.el10_1.4 | 4.16.0-13.el10_1.4 | Mar 18, 2026 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa |
| CVE-2026-32597 | High | 7.5 | — | < 4.16.0-13.el10_1.4 | 4.16.0-13.el10_1.4 | Mar 13, 2026 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i |
| CVE-2026-23490 | — | — | — | < 4.10.0-98.el9_7.5 | 4.10.0-98.el9_7.5 | Jan 16, 2026 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. |
| CVE-2026-21441 | — | — | — | < 4.10.0-98.el9_7.4 | 4.10.0-98.el9_7.4 | Jan 7, 2026 | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b |
| CVE-2025-66471 | — | — | — | < 4.10.0-98.el9_7.4 | 4.10.0-98.el9_7.4 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu |
| CVE-2025-66418 | — | — | — | < 4.10.0-98.el9_7.4 | 4.10.0-98.el9_7.4 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a |
| CVE-2025-47273 | — | — | — | < 4.10.0-86.el9_6.7 | 4.10.0-86.el9_6.7 | May 17, 2025 | setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on |
| CVE-2024-56326 | — | — | — | < 4.10.0-76.el9_5.4.alma.1 | 4.10.0-76.el9_5.4.alma.1 | Dec 23, 2024 | Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t |
| CVE-2024-56201 | — | — | — | < 4.10.0-76.el9_5.4.alma.1 | 4.10.0-76.el9_5.4.alma.1 | Dec 23, 2024 | Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of whether Jinja's sandbox is used. To exploit |
| CVE-2024-6345 | High | 8.8 | — | < 4.10.0-62.el9_4.5 | 4.10.0-62.el9_4.5 | Jul 15, 2024 | A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti |
| CVE-2024-37891 | — | — | — | < 4.10.0-62.el9_4.4.alma.1 | 4.10.0-62.el9_4.4.alma.1 | Jun 17, 2024 | urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it' |
| CVE-2024-34064 | — | — | — | < 4.10.0-62.el9_4.3 | 4.10.0-62.el9_4.3 | May 6, 2024 | Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap |
| CVE-2024-22195 | — | — | — | < 4.10.0-62.el9 | 4.10.0-62.el9 | Jan 11, 2024 | Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` f |
| CVE-2023-52323 | — | — | — | < 4.10.0-62.el9 | 4.10.0-62.el9 | Jan 5, 2024 | PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack. |
| CVE-2023-45803 | — | — | — | < 4.10.0-62.el9 | 4.10.0-62.el9 | Oct 17, 2023 | urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE |
| CVE-2023-43804 | — | — | — | < 4.10.0-55.el9_3.2.alma.1 | 4.10.0-55.el9_3.2.alma.1 | Oct 4, 2023 | urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unk |
| CVE-2023-37920 | — | — | — | < 4.10.0-55.el9_3.2.alma.1 | 4.10.0-55.el9_3.2.alma.1 | Jul 25, 2023 | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an invest |
| CVE-2022-36087 | — | — | — | < 4.10.0-43.el9 | 4.10.0-43.el9 | Sep 9, 2022 | OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it i |