VYPR

rpm package

suse/python3-base&distro=SUSE Linux Enterprise Server LTSS Extended Security 12 SP5

pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Vulnerabilities (28)

  • CVE-2025-4435HigJun 3, 2025
    affected < 3.4.10-25.169.1fixed 3.4.10-25.169.1

    When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not

  • CVE-2025-4330HigJun 3, 2025
    affected < 3.4.10-25.169.1fixed 3.4.10-25.169.1

    Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extrac

  • CVE-2025-4138HigJun 3, 2025
    affected < 3.4.10-25.169.1fixed 3.4.10-25.169.1

    Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extrac

  • CVE-2024-12718MedJun 3, 2025
    affected < 3.4.10-25.169.1fixed 3.4.10-25.169.1

    Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.

  • CVE-2025-0938MedJan 31, 2025
    affected < 3.4.10-25.148.1fixed 3.4.10-25.148.1

    The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This

  • CVE-2024-11168LowNov 12, 2024
    affected < 3.4.10-25.145.1fixed 3.4.10-25.145.1

    The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

  • CVE-2024-9287Oct 22, 2024
    affected < 3.4.10-25.142.1fixed 3.4.10-25.142.1

    A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This

  • CVE-2007-4559CriAug 28, 2007
    affected < 3.4.10-25.169.1fixed 3.4.10-25.169.1

    Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Page 2 of 2