rpm package
suse/python-base (distro: SUSE Linux Enterprise Module for Package Hub 15 SP6)
pkg:rpm/suse/python-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6075 | — | — | — | < 2.7.18-150000.89.2 | 2.7.18-150000.89.2 | Oct 31, 2025 | If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables. |
| CVE-2025-8291 | Med | 4.3 | — | < 2.7.18-150000.86.1 | 2.7.18-150000.86.1 | Oct 7, 2025 | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value; the offset value would not be used to locate the ZIP64 EOCD record, and instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be |
| CVE-2025-8194 | High | 7.5 | — | < 2.7.18-150000.83.1 | 2.7.18-150000.83.1 | Jul 28, 2025 | There is a defect in the CPython "tarfile" module affecting the "TarFile" extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously cra |
| CVE-2025-6069 | Med | 4.3 | — | < 2.7.18-150000.80.1 | 2.7.18-150000.80.1 | Jun 17, 2025 | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service. |
| CVE-2025-0938 | Med | — | — | < 2.7.18-150000.71.1 | 2.7.18-150000.71.1 | Jan 31, 2025 | The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This |
| CVE-2024-11168 | Low | 3.7 | — | < 2.7.18-150000.68.1 | 2.7.18-150000.68.1 | Nov 12, 2024 | The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that were not IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. |
| CVE-2024-0450 | Med | 6.2 | — | < 2.7.18-150000.65.1 | 2.7.18-150000.65.1 | Mar 19, 2024 | An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format to create a zip bomb with a high compression ratio. The fixed |
| CVE-2023-52425 | — | — | — | < 2.7.18-150000.65.1 | 2.7.18-150000.65.1 | Feb 4, 2024 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
| CVE-2022-48560 | — | — | — | < 2.7.18-150000.65.1 | 2.7.18-150000.65.1 | Aug 22, 2023 | A use-after-free exists in Python through 3.9 via heappushpop in heapq. |
| CVE-2023-27043 | Med | 5.3 | — | < 2.7.18-150000.65.1 | 2.7.18-150000.65.1 | Apr 19, 2023 | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC 2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which applica |