CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 1CVE-2020-25862
https://notcve.org/view.php?id=CVE-2020-25862
In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the TCP dissector could crash. This was addressed in epan/dissectors/packet-tcp.c by changing the handling of the invalid 0xFFFF checksum. En Wireshark versiones 3.2.0 hasta 3.2.6, versiones 3.0.0 hasta 3.0.13 y versiones 2.6.0 hasta 2.6.20, el disector TCP podría bloquearse. Esto fue abordado en el archivo epan/disactors/packet-tcp.c mediante el cambio en el manejo del checksum 0xFFFF no válido • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00038.html https://gitlab.com/wireshark/wireshark/-/commit/7f3fe6164a68b76d9988c4253b24d43f498f1753 https://gitlab.com/wireshark/wireshark/-/issues/16816 https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DQHPKZFQ7W3X34RYN3FWFYCFJD4FXJW https://lists.fedoraproject.org/archives&# • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2020-26137 – python-urllib3: CRLF injection via HTTP request method
https://notcve.org/view.php?id=CVE-2020-26137
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. urllib3 versiones anteriores a 1.25.9, permite una inyección de CRLF si el atacante controla el método de petición HTTP, como es demostrado al insertar caracteres de control CR y LF en el primer argumento de la función putrequest(). NOTA: esto es similar a CVE-2020-26116 A flaw was found in python-urllib3. The HTTPConnection.request() does not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity. • https://bugs.python.org/issue39603 https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b https://github.com/urllib3/urllib3/pull/1800 https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html https://usn.ubuntu.com/4570-1 https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2020-26137 https& • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.2EPSS: 0%CPEs: 17EXPL: 1CVE-2020-26116 – python: CRLF injection via HTTP request method in httplib/http.client
https://notcve.org/view.php?id=CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. http.client en Python 3.x antes de la versión 3.5.10, 3.6.x antes de la versión 3.6.12, 3.7.x antes de la versión 3.7.9, y 3.8.x antes de la versión 3.8.5 permite la inyección de CRLF si el atacante controla el método de petición HTTP, como se demuestra insertando caracteres de control CR y LF en el primer argumento de HTTPConnection.request A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html https://bugs.python.org/issue39603 https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD https://lists.fedoraproject.org/ • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-24584
https://notcve.org/view.php?id=CVE-2020-24584
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077. Se detectó un problema en Django versiones 2.2 anteriores a 2.2.16, versiones 3.0 anteriores a 3.0.10 y versiones 3.1 anteriores a 3.1.1 (cuando es usado Python 3.7+). Los directorios de nivel intermedio de la caché del sistema de archivos tenían la umask estándar del sistema en lugar de 0o077 • https://docs.djangoproject.com/en/dev/releases/security https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/m • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-24583
https://notcve.org/view.php?id=CVE-2020-24583
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command. Se detectó un problema en Django versiones 2.2 anteriores a 2.2.16, versiones 3.0 anteriores a 3.0.10 y versiones 3.1 anteriores a 3.1.1 (cuando es usado Python 3.7+). El modo FILE_UPLOAD_DIRECTORY_PERMISSIONS no fue aplicado a los directorios de nivel intermedio creados en el proceso de carga de archivos. • https://docs.djangoproject.com/en/dev/releases/security https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/m • CWE-276: Incorrect Default Permissions •