Vendor CVEs
Python (programming language)
All CVEs
310 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-36406 | 0.00 | — | 0.01 | Nov 14, 2023 | Windows Hyper-V Information Disclosure Vulnerability |
| CVE-2023-40217 | 0.00 | — | 0.01 | Aug 25, 2023 | An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket… |
| CVE-2023-41105 | 0.00 | — | 0.02 | Aug 23, 2023 | An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security… |
| CVE-2022-48566 | 0.00 | — | 0.01 | Aug 22, 2023 | An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. |
| CVE-2022-48564 | 0.00 | — | 0.01 | Aug 22, 2023 | read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. |
| CVE-2022-48560 | 0.00 | — | 0.02 | Aug 22, 2023 | A use-after-free exists in Python through 3.9 via heappushpop in heapq. |
| CVE-2023-38898 | 0.00 | — | 0.01 | Aug 15, 2023 | An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there… |
| CVE-2023-36632 | 0.00 | — | 0.02 | Jun 25, 2023 | The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data… |
| CVE-2023-33595 | 0.00 | — | 0.00 | Jun 7, 2023 | CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c. |
| CVE-2023-23411 | 0.00 | — | 0.01 | Mar 14, 2023 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2022-31394 | 0.00 | — | 0.01 | Feb 21, 2023 | Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks. |
| CVE-2023-24816 | 0.00 | — | 0.01 | Feb 10, 2023 | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This… |
| CVE-2022-44682 | 0.00 | — | 0.01 | Dec 13, 2022 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2022-41094 | 0.00 | — | 0.00 | Dec 13, 2022 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2022-45061 | 0.00 | — | 0.02 | Nov 9, 2022 | An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service.… |
| CVE-2022-38015 | 0.00 | — | 0.01 | Nov 9, 2022 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2022-44049 | 0.00 | — | 0.01 | Nov 7, 2022 | The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-grammars package. The affected version of d8s-htm is 0.1.0. |
| CVE-2022-44054 | 0.00 | — | 0.01 | Nov 7, 2022 | The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-utility package. The affected version of d8s-htm is 0.1.0. |
| CVE-2022-42919 | 0.00 | — | 0.01 | Nov 6, 2022 | Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same… |
| CVE-2022-42043 | 0.00 | — | 0.01 | Oct 11, 2022 | The d8s-xml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0. |
| CVE-2022-42037 | 0.00 | — | 0.01 | Oct 11, 2022 | The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0. |
| CVE-2022-37979 | 0.00 | — | 0.01 | Oct 11, 2022 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2020-10735 | 0.00 | — | 0.03 | Sep 9, 2022 | A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases… |
| CVE-2021-28861 | 0.00 | — | 0.02 | Aug 23, 2022 | Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html… |
| CVE-2022-34696 | 0.00 | — | 0.00 | Aug 9, 2022 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2022-31516 | 0.00 | — | 0.01 | Jul 11, 2022 | The Harveyzyh/Python repository through 2022-05-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. |
| CVE-2022-30163 | 0.00 | — | 0.02 | Jun 15, 2022 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2022-24466 | 0.00 | — | 0.01 | May 10, 2022 | Windows Hyper-V Security Feature Bypass Vulnerability |
| CVE-2022-22713 | 0.00 | — | 0.01 | May 10, 2022 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2021-4212 | 0.00 | — | 0.00 | Apr 22, 2022 | A potential vulnerability in the SMI callback function used in the Legacy BIOS mode driver in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code. |
| CVE-2021-3971 | 0.00 | — | 0.01 | Apr 22, 2022 | A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM… |
| CVE-2022-23268 | 0.00 | — | 0.01 | Apr 15, 2022 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2022-23257 | 0.00 | — | 0.01 | Apr 15, 2022 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2022-22009 | 0.00 | — | 0.01 | Apr 15, 2022 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2022-22008 | 0.00 | — | 0.00 | Apr 15, 2022 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2015-20107 | 0.00 | — | 0.07 | Apr 13, 2022 | In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack… |
| CVE-2022-21975 | 0.00 | — | 0.00 | Mar 9, 2022 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2022-26488 | 0.00 | — | 0.01 | Mar 7, 2022 | In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for… |
| CVE-2022-22712 | 0.00 | — | 0.01 | Feb 9, 2022 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2022-21995 | 0.00 | — | 0.01 | Feb 9, 2022 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2022-0391 | 0.00 | — | 0.08 | Feb 9, 2022 | A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path.… |
| CVE-2022-21699 | 0.00 | — | 0.01 | Jan 19, 2022 | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing… |
| CVE-2022-21901 | 0.00 | — | 0.01 | Jan 11, 2022 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2022-21900 | 0.00 | — | 0.01 | Jan 11, 2022 | Windows Hyper-V Security Feature Bypass Vulnerability |
| CVE-2021-42284 | 0.00 | — | 0.03 | Nov 10, 2021 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2021-42274 | 0.00 | — | 0.01 | Nov 10, 2021 | Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability |
| CVE-2021-38672 | 0.00 | — | 0.01 | Oct 13, 2021 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2021-34450 | 0.00 | — | 0.02 | Jul 16, 2021 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2021-31977 | 0.00 | — | 0.03 | Jun 8, 2021 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2021-3426 | 0.00 | — | 0.02 | May 20, 2021 | There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not… |
Page 4 of 7