
CVSS: 8.7 • EPSS: 0% • CPEs: 7 • EXPL: 0

07 Aug 2024 — A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will alw... • https://access.redhat.com/security/cve/CVE-2024-7143 • CWE-277: Insecure Inherited Permissions •

CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

07 Aug 2024 — An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. A flaw was found in Django. Processing very large inputs with a specific sequence of characters with the urlize and urlizetrunc functions can cause a denial of service. It was discovered that Django incorrectly handled certain strings in the floatformat function. • https://docs.djangoproject.com/en/dev/releases/security • CWE-130: Improper Handling of Length Parameter Inconsistency •

CVSS: 7.8 • EPSS: 0% • CPEs: 10 • EXPL: 0

07 Aug 2024 — An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. A flaw was found in Django. 'urlize', 'urlizetrunc', and 'AdminURLFieldWidget' may be subject to a denial of service attack via certain inputs with a very large number of Unicode characters. It was discovered that Django incorrectly handl... • https://docs.djangoproject.com/en/dev/releases/security • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-400: Uncontrolled Resource Consumption •

CVSS: 10.0 • EPSS: 0% • CPEs: 8 • EXPL: 0

07 Aug 2024 — An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. A flaw was found in Django. The QuerySet.values() and QuerySet.values_list() methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. It was discovered that Django incorrectly handled certain string... • https://docs.djangoproject.com/en/dev/releases/security • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.2 • EPSS: 0% • CPEs: 18 • EXPL: 0

09 Jul 2024 — A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp... • https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.4 • EPSS: 1% • CPEs: 4 • EXPL: 1

26 Jun 2024 — Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with `<br>` tags. A vulnerability was found... • https://github.com/ch4n3-yoon/CVE-2024-21520-Demo • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

25 Apr 2024 — A flaw was found in the Ansible Automation Platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system. • https://access.redhat.com/errata/RHSA-2024:1057 • CWE-1385: Missing Origin Validation in WebSockets •

CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

25 Apr 2024 — python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. An update that fixes one vulnerability is now available. This update for python-python-jose fixes the following issues. • https://github.com/mpdavis/python-jose/issues/346 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 7.8 • EPSS: 0% • CPEs: 38 • EXPL: 0

21 Mar 2024 — A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fa... • https://access.redhat.com/errata/RHSA-2024:1462 • CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

19 Mar 2024 — Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings. • https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8 • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) CWE-1333: Inefficient Regular Expression Complexity •