rpm package
opensuse/python315&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python315&distro=openSUSE%20Tumbleweed
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-40217 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Aug 25, 2023 | An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buf | ||
| CVE-2023-2650 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | May 30, 2023 | Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limi | ||
| CVE-2023-27043 | Med | 5.3 | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Apr 19, 2023 | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which applica | |
| CVE-2023-24329 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Feb 17, 2023 | An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. | ||
| CVE-2023-0286 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Feb 8, 2023 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This | ||
| CVE-2022-45061 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Nov 9, 2022 | An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hos | ||
| CVE-2022-42919 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Nov 6, 2022 | Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same mach | ||
| CVE-2020-10735 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Sep 9, 2022 | A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2 | ||
| CVE-2021-4189 | — | < 3.15.0~b2-1.1 | 3.15.0~b2-1.1 | Aug 24, 2022 | A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP | ||
| CVE-2022-25236 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Feb 16, 2022 | xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. | ||
| CVE-2021-3426 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | May 20, 2021 | There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normal | ||
| CVE-2021-23336 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Feb 15, 2021 | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When | ||
| CVE-2021-3177 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Jan 19, 2021 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu | ||
| CVE-2020-15801 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Jul 17, 2020 | In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected. | ||
| CVE-2019-20907 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Jul 13, 2020 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | ||
| CVE-2020-15523 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Jul 4, 2020 | In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for pyth | ||
| CVE-2014-4650 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Feb 20, 2020 | The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character | ||
| CVE-2020-8492 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Jan 30, 2020 | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtr | ||
| CVE-2019-5010 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Oct 31, 2019 | An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connection | ||
| CVE-2019-9947 | — | < 3.15.0~a1-1.1 | 3.15.0~a1-1.1 | Mar 23, 2019 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone |
- CVE-2023-40217Aug 25, 2023affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buf
- CVE-2023-2650May 30, 2023affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limi
- affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which applica
- CVE-2023-24329Feb 17, 2023affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
- CVE-2023-0286Feb 8, 2023affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This
- CVE-2022-45061Nov 9, 2022affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hos
- CVE-2022-42919Nov 6, 2022affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same mach
- CVE-2020-10735Sep 9, 2022affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2
- CVE-2021-4189Aug 24, 2022affected < 3.15.0~b2-1.1fixed 3.15.0~b2-1.1
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP
- CVE-2022-25236Feb 16, 2022affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
- CVE-2021-3426May 20, 2021affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normal
- CVE-2021-23336Feb 15, 2021affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
- CVE-2021-3177Jan 19, 2021affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu
- CVE-2020-15801Jul 17, 2020affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.
- CVE-2019-20907Jul 13, 2020affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
- CVE-2020-15523Jul 4, 2020affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for pyth
- CVE-2014-4650Feb 20, 2020affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character
- CVE-2020-8492Jan 30, 2020affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtr
- CVE-2019-5010Oct 31, 2019affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connection
- CVE-2019-9947Mar 23, 2019affected < 3.15.0~a1-1.1fixed 3.15.0~a1-1.1
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone
Page 3 of 4