CVSS: 5.9 | EPSS: 0% | CPEs: 6 | EXPL: 0

25 Jun 2020 — In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. A flaw was found in python-pillow. In libImaging/PcxDecode.c, an out-of-bounds read occurs when reading PCX file... • https://github.com/python-pillow/Pillow/commit/6a83e4324738bb0452fbe8074a995b1c73f08de7#diff-9478f2787e3ae9668a15123b165c23ac • CWE-125: Out-of-bounds Read •

CVSS: 5.9 | EPSS: 0% | CPEs: 9 | EXPL: 0

18 Jun 2020 — Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00003.html • CWE-330: Use of Insufficiently Random Values; CWE-400: Uncontrolled Resource Consumption; CWE-682: Incorrect Calculation •

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 1

01 Jun 2020 — Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). • https://github.com/sybrenstuvel/python-rsa/issues/146 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 2

22 May 2020 — An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. • https://joel-malwarebenchmark.github.io • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 7.9 | EPSS: 0% | CPEs: 1 | EXPL: 1

13 May 2020 — In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious `.venv` file could run arbitrary code without any user interaction. This is fixed in version: 1.16.0 • https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/commit/30c77db7c83eca2bc5f6134fccbdc117b49a6a05 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

20 Apr 2020 — python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00031.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

06 Mar 2020 — The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). • https://github.com/urllib3/urllib3/blob/master/CHANGES.rst • CWE-400: Uncontrolled Resource Consumption •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

12 Feb 2020 — A Code Execution vulnerability exists in select.py when using python-mode 2012-12-19. • http://github.com/klen/python-mode/issues/162 • CWE-20: Improper Input Validation •

CVSS: 7.5 | EPSS: 1% | CPEs: 7 | EXPL: 0

04 Feb 2020 — Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. USN-4754-1 fixed vulnerabilities in Python. This update provides the corresponding updates for Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. In the case of Python 2.7 for 20.04 ESM, these additional fixes are inclu... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.1 | EPSS: 4% | CPEs: 15 | EXPL: 1

30 Jan 2020 — Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html • CWE-400: Uncontrolled Resource Consumption •