rpm package
suse/python3-base&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/python3-base&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-24329 | — | < 3.4.10-25.108.1 | 3.4.10-25.108.1 | Feb 17, 2023 | An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. | ||
| CVE-2022-40899 | — | < 3.4.10-25.108.1 | 3.4.10-25.108.1 | Dec 22, 2022 | An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. | ||
| CVE-2022-45061 | — | < 3.4.10-25.102.2 | 3.4.10-25.102.2 | Nov 9, 2022 | An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hos | ||
| CVE-2020-10735 | — | < 3.4.10-25.102.2 | 3.4.10-25.102.2 | Sep 9, 2022 | A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2 | ||
| CVE-2021-28861 | — | < 3.4.10-25.96.1 | 3.4.10-25.96.1 | Aug 23, 2022 | Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation | ||
| CVE-2015-20107 | — | < 3.4.10-25.93.1 | 3.4.10-25.93.1 | Apr 13, 2022 | In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validati | ||
| CVE-2020-27619 | — | < 3.4.10-25.71.1 | 3.4.10-25.71.1 | Oct 22, 2020 | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. | ||
| CVE-2019-20916 | — | < 3.4.10-25.58.1 | 3.4.10-25.58.1 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _ | ||
| CVE-2019-20907 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Jul 13, 2020 | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | ||
| CVE-2020-14422 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Jun 18, 2020 | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or I | ||
| CVE-2019-16935 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Sep 28, 2019 | The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted i | ||
| CVE-2019-16056 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Sep 6, 2019 | An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on t | ||
| CVE-2018-20852 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Jul 13, 2019 | http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has an | ||
| CVE-2019-9947 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Mar 23, 2019 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone | ||
| CVE-2018-14647 | — | < 3.4.10-25.52.1 | 3.4.10-25.52.1 | Sep 25, 2018 | Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data struc |
- CVE-2023-24329Feb 17, 2023affected < 3.4.10-25.108.1fixed 3.4.10-25.108.1
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
- CVE-2022-40899Dec 22, 2022affected < 3.4.10-25.108.1fixed 3.4.10-25.108.1
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
- CVE-2022-45061Nov 9, 2022affected < 3.4.10-25.102.2fixed 3.4.10-25.102.2
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hos
- CVE-2020-10735Sep 9, 2022affected < 3.4.10-25.102.2fixed 3.4.10-25.102.2
A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2
- CVE-2021-28861Aug 23, 2022affected < 3.4.10-25.96.1fixed 3.4.10-25.96.1
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation
- CVE-2015-20107Apr 13, 2022affected < 3.4.10-25.93.1fixed 3.4.10-25.93.1
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validati
- CVE-2020-27619Oct 22, 2020affected < 3.4.10-25.71.1fixed 3.4.10-25.71.1
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
- CVE-2019-20916Sep 4, 2020affected < 3.4.10-25.58.1fixed 3.4.10-25.58.1
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _
- CVE-2019-20907Jul 13, 2020affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
- CVE-2020-14422Jun 18, 2020affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or I
- CVE-2019-16935Sep 28, 2019affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted i
- CVE-2019-16056Sep 6, 2019affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on t
- CVE-2018-20852Jul 13, 2019affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has an
- CVE-2019-9947Mar 23, 2019affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone
- CVE-2018-14647Sep 25, 2018affected < 3.4.10-25.52.1fixed 3.4.10-25.52.1
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data struc