rpm package
suse/python&distro=SUSE Linux Enterprise Module for Desktop Applications 15 SP2
pkg:rpm/suse/python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-3733 | — | < 2.7.18-33.1 | 2.7.18-33.1 | Mar 7, 2022 | There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafte | ||
| CVE-2021-3737 | — | < 2.7.18-33.1 | 2.7.18-33.1 | Mar 4, 2022 | A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to syst | ||
| CVE-2021-23336 | — | < 2.7.18-7.55.1 | 2.7.18-7.55.1 | Feb 15, 2021 | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When | ||
| CVE-2021-3177 | — | < 2.7.17-7.52.2 | 2.7.17-7.52.2 | Jan 19, 2021 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu | ||
| CVE-2020-26116 | — | < 2.7.17-7.44.4 | 2.7.17-7.44.4 | Sep 27, 2020 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque | ||
| CVE-2019-20916 | — | < 2.7.17-7.47.1 | 2.7.17-7.47.1 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _ | ||
| CVE-2019-20907 | — | < 2.7.17-7.41.1 | 2.7.17-7.41.1 | Jul 13, 2020 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. |
- CVE-2021-3733Mar 7, 2022affected < 2.7.18-33.1fixed 2.7.18-33.1
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafte
- CVE-2021-3737Mar 4, 2022affected < 2.7.18-33.1fixed 2.7.18-33.1
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to syst
- CVE-2021-23336Feb 15, 2021affected < 2.7.18-7.55.1fixed 2.7.18-7.55.1
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
- CVE-2021-3177Jan 19, 2021affected < 2.7.17-7.52.2fixed 2.7.17-7.52.2
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu
- CVE-2020-26116Sep 27, 2020affected < 2.7.17-7.44.4fixed 2.7.17-7.44.4
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque
- CVE-2019-20916Sep 4, 2020affected < 2.7.17-7.47.1fixed 2.7.17-7.47.1
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _
- CVE-2019-20907Jul 13, 2020affected < 2.7.17-7.41.1fixed 2.7.17-7.41.1
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.