VYPR

rpm package

opensuse/python39&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/python39&distro=openSUSE%20Tumbleweed

Vulnerabilities (59)

  • CVE-2021-3572Nov 10, 2021
    affected < 3.9.13-2.1fixed 3.9.13-2.1

    A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip

  • CVE-2021-3426May 20, 2021
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normal

  • CVE-2021-29921May 6, 2021
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

  • CVE-2021-23336Feb 15, 2021
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When

  • CVE-2021-3177Jan 19, 2021
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu

  • CVE-2020-15801Jul 17, 2020
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.

  • CVE-2019-20907Jul 13, 2020
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

  • CVE-2020-15523Jul 4, 2020
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for pyth

  • CVE-2014-4650Feb 20, 2020
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character

  • CVE-2020-8492Jan 30, 2020
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtr

  • CVE-2019-5010Oct 31, 2019
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connection

  • CVE-2019-9947Mar 23, 2019
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone

  • CVE-2014-2667Nov 16, 2014
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has

  • CVE-2013-4238Aug 18, 2013
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a craf

  • CVE-2012-1150Oct 5, 2012
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input

  • CVE-2012-0845Oct 5, 2012
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of

  • CVE-2011-4944Aug 27, 2012
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

  • CVE-2011-3389Sep 6, 2011
    affected < 3.9.7-2.1fixed 3.9.7-2.1

    The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to ob

  • CVE-2007-4559CriAug 28, 2007
    affected < 3.9.16-7.1fixed 3.9.16-7.1

    Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Page 3 of 3