VYPR

rpm package

almalinux/python2-urllib3

pkg:rpm/almalinux/python2-urllib3

Vulnerabilities (26)

  • CVE-2020-28493Feb 1, 2021
    affected < 1.24.2-3.module_el8.6.0+2781+fed64c13fixed 1.24.2-3.module_el8.6.0+2781+fed64c13

    This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be miti

  • CVE-2021-3177Jan 19, 2021
    affected < 1.24.2-3.module_el8.6.0+2781+fed64c13fixed 1.24.2-3.module_el8.6.0+2781+fed64c13

    Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu

  • CVE-2020-27783Dec 3, 2020
    affected < 1.24.2-3.module_el8.6.0+2781+fed64c13fixed 1.24.2-3.module_el8.6.0+2781+fed64c13

    A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

  • CVE-2020-27619Oct 22, 2020
    affected < 1.24.2-3.module_el8.6.0+2781+fed64c13fixed 1.24.2-3.module_el8.6.0+2781+fed64c13

    In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.

  • CVE-2020-26137Sep 29, 2020
    affected < 1.24.2-3.module_el8.6.0+2781+fed64c13fixed 1.24.2-3.module_el8.6.0+2781+fed64c13

    urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

  • CVE-2020-26116Sep 27, 2020
    affected < 1.24.2-3.module_el8.6.0+2781+fed64c13fixed 1.24.2-3.module_el8.6.0+2781+fed64c13

    http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque

Page 2 of 2