rpm package
suse/python-doc&distro=SUSE Linux Enterprise Server 12 SP5
pkg:rpm/suse/python-doc&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-0450 | Med | 6.2 | < 2.7.18-33.35.1 | 2.7.18-33.35.1 | Mar 19, 2024 | An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed | |
| CVE-2023-52425 | — | < 2.7.18-33.32.1 | 2.7.18-33.32.1 | Feb 4, 2024 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | ||
| CVE-2023-40217 | — | < 2.7.18-33.23.1 | 2.7.18-33.23.1 | Aug 25, 2023 | An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buf | ||
| CVE-2022-48566 | — | < 2.7.18-33.26.1 | 2.7.18-33.26.1 | Aug 22, 2023 | An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. | ||
| CVE-2022-48565 | — | < 2.7.18-33.26.1 | 2.7.18-33.26.1 | Aug 22, 2023 | An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. | ||
| CVE-2022-48560 | — | < 2.7.18-33.32.1 | 2.7.18-33.32.1 | Aug 22, 2023 | A use-after-free exists in Python through 3.9 via heappushpop in heapq. | ||
| CVE-2023-27043 | Med | 5.3 | < 2.7.18-33.29.1 | 2.7.18-33.29.1 | Apr 19, 2023 | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which applica | |
| CVE-2023-24329 | — | < 2.7.18-33.20.2 | 2.7.18-33.20.2 | Feb 17, 2023 | An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. | ||
| CVE-2022-45061 | — | < 2.7.18-33.17.1 | 2.7.18-33.17.1 | Nov 9, 2022 | An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hos | ||
| CVE-2021-4189 | — | < 2.7.18-33.8.1 | 2.7.18-33.8.1 | Aug 24, 2022 | A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP | ||
| CVE-2021-28861 | — | < 2.7.18-33.14.2 | 2.7.18-33.14.2 | Aug 23, 2022 | Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation | ||
| CVE-2015-20107 | — | < 2.7.18-33.11.1 | 2.7.18-33.11.1 | Apr 13, 2022 | In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validati | ||
| CVE-2021-3733 | — | < 2.7.18-28.74.1 | 2.7.18-28.74.1 | Mar 7, 2022 | There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafte | ||
| CVE-2021-3737 | — | < 2.7.18-28.74.1 | 2.7.18-28.74.1 | Mar 4, 2022 | A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to syst | ||
| CVE-2022-0391 | — | < 2.7.18-33.8.1 | 2.7.18-33.8.1 | Feb 9, 2022 | A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. Th | ||
| CVE-2021-23336 | — | < 2.7.18-28.67.1 | 2.7.18-28.67.1 | Feb 15, 2021 | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When | ||
| CVE-2021-3177 | — | < 2.7.17-28.64.3 | 2.7.17-28.64.3 | Jan 19, 2021 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu | ||
| CVE-2020-26116 | — | < 2.7.17-28.56.1 | 2.7.17-28.56.1 | Sep 27, 2020 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque | ||
| CVE-2019-20916 | — | < 2.7.17-28.59.1 | 2.7.17-28.59.1 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _ | ||
| CVE-2019-20907 | — | < 2.7.17-28.48.1 | 2.7.17-28.48.1 | Jul 13, 2020 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. |
- affected < 2.7.18-33.35.1fixed 2.7.18-33.35.1
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed
- CVE-2023-52425Feb 4, 2024affected < 2.7.18-33.32.1fixed 2.7.18-33.32.1
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
- CVE-2023-40217Aug 25, 2023affected < 2.7.18-33.23.1fixed 2.7.18-33.23.1
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buf
- CVE-2022-48566Aug 22, 2023affected < 2.7.18-33.26.1fixed 2.7.18-33.26.1
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
- CVE-2022-48565Aug 22, 2023affected < 2.7.18-33.26.1fixed 2.7.18-33.26.1
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
- CVE-2022-48560Aug 22, 2023affected < 2.7.18-33.32.1fixed 2.7.18-33.32.1
A use-after-free exists in Python through 3.9 via heappushpop in heapq.
- affected < 2.7.18-33.29.1fixed 2.7.18-33.29.1
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which applica
- CVE-2023-24329Feb 17, 2023affected < 2.7.18-33.20.2fixed 2.7.18-33.20.2
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
- CVE-2022-45061Nov 9, 2022affected < 2.7.18-33.17.1fixed 2.7.18-33.17.1
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hos
- CVE-2021-4189Aug 24, 2022affected < 2.7.18-33.8.1fixed 2.7.18-33.8.1
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP
- CVE-2021-28861Aug 23, 2022affected < 2.7.18-33.14.2fixed 2.7.18-33.14.2
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation
- CVE-2015-20107Apr 13, 2022affected < 2.7.18-33.11.1fixed 2.7.18-33.11.1
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validati
- CVE-2021-3733Mar 7, 2022affected < 2.7.18-28.74.1fixed 2.7.18-28.74.1
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafte
- CVE-2021-3737Mar 4, 2022affected < 2.7.18-28.74.1fixed 2.7.18-28.74.1
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to syst
- CVE-2022-0391Feb 9, 2022affected < 2.7.18-33.8.1fixed 2.7.18-33.8.1
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. Th
- CVE-2021-23336Feb 15, 2021affected < 2.7.18-28.67.1fixed 2.7.18-28.67.1
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
- CVE-2021-3177Jan 19, 2021affected < 2.7.17-28.64.3fixed 2.7.17-28.64.3
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occu
- CVE-2020-26116Sep 27, 2020affected < 2.7.17-28.56.1fixed 2.7.17-28.56.1
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque
- CVE-2019-20916Sep 4, 2020affected < 2.7.17-28.59.1fixed 2.7.17-28.59.1
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _
- CVE-2019-20907Jul 13, 2020affected < 2.7.17-28.48.1fixed 2.7.17-28.48.1
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Page 1 of 2