rpm package
almalinux/python2-rpm-macros
pkg:rpm/almalinux/python2-rpm-macros
Vulnerabilities (41)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-28493 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Feb 1, 2021 | This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be miti | ||
| CVE-2021-3177 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Jan 19, 2021 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu | ||
| CVE-2020-27783 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Dec 3, 2020 | A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. | ||
| CVE-2020-27619 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Oct 22, 2020 | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. | ||
| CVE-2020-26137 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-26116 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Sep 27, 2020 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque | ||
| CVE-2019-20916 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _ | ||
| CVE-2019-20907 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Jul 13, 2020 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | ||
| CVE-2019-16056 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Sep 6, 2019 | An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on t | ||
| CVE-2018-20852 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Jul 13, 2019 | http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has an | ||
| CVE-2019-11324 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Apr 18, 2019 | The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is | ||
| CVE-2019-11236 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Apr 15, 2019 | In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. | ||
| CVE-2019-9948 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Mar 23, 2019 | urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. | ||
| CVE-2019-9947 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Mar 23, 2019 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone | ||
| CVE-2019-9740 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Mar 13, 2019 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string | ||
| CVE-2019-9636 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Mar 8, 2019 | Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The component | ||
| CVE-2019-7164 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Feb 20, 2019 | SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. | ||
| CVE-2019-7548 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Feb 6, 2019 | SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled. | ||
| CVE-2019-6446 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Jan 16, 2019 | An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavio | ||
| CVE-2018-20060 | — | < 3-38.module_el8.6.0+2781+fed64c13 | 3-38.module_el8.6.0+2781+fed64c13 | Dec 11, 2018 | urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted i |
- CVE-2020-28493Feb 1, 2021affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be miti
- CVE-2021-3177Jan 19, 2021affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu
- CVE-2020-27783Dec 3, 2020affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
- CVE-2020-27619Oct 22, 2020affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
- CVE-2020-26137Sep 29, 2020affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-26116Sep 27, 2020affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque
- CVE-2019-20916Sep 4, 2020affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _
- CVE-2019-20907Jul 13, 2020affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
- CVE-2019-16056Sep 6, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on t
- CVE-2018-20852Jul 13, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has an
- CVE-2019-11324Apr 18, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is
- CVE-2019-11236Apr 15, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
- CVE-2019-9948Mar 23, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
- CVE-2019-9947Mar 23, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone
- CVE-2019-9740Mar 13, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string
- CVE-2019-9636Mar 8, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The component
- CVE-2019-7164Feb 20, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
- CVE-2019-7548Feb 6, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
- CVE-2019-6446Jan 16, 2019affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavio
- CVE-2018-20060Dec 11, 2018affected < 3-38.module_el8.6.0+2781+fed64c13fixed 3-38.module_el8.6.0+2781+fed64c13
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted i
Page 2 of 3