rpm package
almalinux/python-sqlalchemy-doc
pkg:rpm/almalinux/python-sqlalchemy-doc
Vulnerabilities (30)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-27291 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Mar 17, 2021 | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a | ||
| CVE-2021-23336 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Feb 15, 2021 | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When | ||
| CVE-2020-28493 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Feb 1, 2021 | This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be miti | ||
| CVE-2021-3177 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Jan 19, 2021 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu | ||
| CVE-2020-27783 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Dec 3, 2020 | A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. | ||
| CVE-2020-27619 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Oct 22, 2020 | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. | ||
| CVE-2020-26137 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-26116 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Sep 27, 2020 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque | ||
| CVE-2019-20916 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _ | ||
| CVE-2019-20907 | — | < 1.3.2-2.module_el8.6.0+2781+fed64c13 | 1.3.2-2.module_el8.6.0+2781+fed64c13 | Jul 13, 2020 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. |
- CVE-2021-27291Mar 17, 2021affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a
- CVE-2021-23336Feb 15, 2021affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
- CVE-2020-28493Feb 1, 2021affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be miti
- CVE-2021-3177Jan 19, 2021affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu
- CVE-2020-27783Dec 3, 2020affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
- CVE-2020-27619Oct 22, 2020affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
- CVE-2020-26137Sep 29, 2020affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-26116Sep 27, 2020affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque
- CVE-2019-20916Sep 4, 2020affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _
- CVE-2019-20907Jul 13, 2020affected < 1.3.2-2.module_el8.6.0+2781+fed64c13fixed 1.3.2-2.module_el8.6.0+2781+fed64c13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Page 2 of 2