VYPR

rpm package

opensuse/python38&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/python38&distro=openSUSE%20Tumbleweed

Vulnerabilities (38)

  • CVE-2021-3426May 20, 2021
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normal

  • CVE-2021-23336Feb 15, 2021
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When

  • CVE-2021-3177Jan 19, 2021
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu

  • CVE-2020-26116Sep 27, 2020
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque

  • CVE-2019-20916Sep 4, 2020
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _

  • CVE-2019-20907Jul 13, 2020
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

  • CVE-2014-4650Feb 20, 2020
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character

  • CVE-2020-8492Jan 30, 2020
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtr

  • CVE-2019-5010Oct 31, 2019
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connection

  • CVE-2019-9947Mar 23, 2019
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone

  • CVE-2014-2667Nov 16, 2014
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has

  • CVE-2013-0340Jan 21, 2014
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read ar

  • CVE-2013-4238Aug 18, 2013
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a craf

  • CVE-2012-1150Oct 5, 2012
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input

  • CVE-2012-0845Oct 5, 2012
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of

  • CVE-2011-4944Aug 27, 2012
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

  • CVE-2011-3389Sep 6, 2011
    affected < 3.8.12-1.2fixed 3.8.12-1.2

    The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to ob

  • CVE-2007-4559CriAug 28, 2007
    affected < 3.8.16-7.1fixed 3.8.16-7.1

    Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Page 2 of 2