rpm package
suse/python-pip&distro=SUSE Linux Enterprise Module for Public Cloud 15 SP4
pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-1703 | Low | — | < 22.3.1-150400.17.19.1 | 22.3.1-150400.17.19.1 | Feb 2, 2026 | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat | |
| CVE-2023-28859 | — | < 22.3.1-150400.17.16.4 | 22.3.1-150400.17.16.4 | Mar 26, 2023 | redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutio | ||
| CVE-2023-28858 | — | < 22.3.1-150400.17.16.4 | 22.3.1-150400.17.16.4 | Mar 26, 2023 | redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT |
- affected < 22.3.1-150400.17.19.1fixed 22.3.1-150400.17.19.1
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat
- CVE-2023-28859Mar 26, 2023affected < 22.3.1-150400.17.16.4fixed 22.3.1-150400.17.16.4
redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutio
- CVE-2023-28858Mar 26, 2023affected < 22.3.1-150400.17.16.4fixed 22.3.1-150400.17.16.4
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT