CVSS: 9.4EPSS: 69%CPEs: 1EXPL: 2CVE-2022-39227 – Python-jwt subject to Authentication Bypass by Spoofing
https://notcve.org/view.php?id=CVE-2022-39227
23 Sep 2022 — python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. • https://github.com/user0x1337/CVE-2022-39227 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-38887
https://notcve.org/view.php?id=CVE-2022-38887
19 Sep 2022 — The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The democritus-strings package. The affected version is 0.1.0. d8s-python para python, tal y como es distribuido en PyPI, incluía una potencial puerta trasera de ejecución de código insertada por un tercero. El paquete democritus-strings. La versión afectada es 0.1.0 • https://github.com/democritus-project/d8s-python/issues/36 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 23EXPL: 0CVE-2020-10735 – python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS
https://notcve.org/view.php?id=CVE-2020-10735
09 Sep 2022 — A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. Se ha encontrado un fallo en python. En los algoritmos con complejidad de tiempo cuadrática que usan bases no binarias, cuan... • http://www.openwall.com/lists/oss-security/2022/09/21/1 • CWE-400: Uncontrolled Resource Consumption CWE-704: Incorrect Type Conversion or Cast •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2996 – python-scciclient: missing server certificate verification
https://notcve.org/view.php?id=CVE-2022-2996
01 Sep 2022 — A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-middle (MITM) attacks. Se encontró un fallo en python-scciclient cuando es realizada una conexión HTTPS a un servidor en el que no es verificado el certificado del servidor. Este problema abre la conexión a posibles ataques de tipo Man-in-the-middle (MITM) An update for python-scciclient is now available for Red ... • https://lists.debian.org/debian-lts-announce/2022/11/msg00006.html • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 17EXPL: 0CVE-2021-28861 – python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
https://notcve.org/view.php?id=CVE-2021-28861
23 Aug 2022 — Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks." ** EN DISPUTA ** Python versiones 3.x hasta la versión 3.10, presenta una vulnerabilidad de redireccionamiento abierto ... • https://bugs.python.org/issue43223 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31575
https://notcve.org/view.php?id=CVE-2022-31575
11 Jul 2022 — The duducosmos/livro_python repository through 2018-06-06 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio duducosmos/livro_python versiones hasta 06-06-2018 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31571
https://notcve.org/view.php?id=CVE-2022-31571
11 Jul 2022 — The akashtalole/python-flask-restful-api repository through 2019-09-16 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio akashtalole/python-flask-restful-api versiones hasta 16-09-2019 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31550
https://notcve.org/view.php?id=CVE-2022-31550
11 Jul 2022 — The olmax99/pyathenastack repository through 2019-11-08 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio olmax99/pyathenastack versiones hasta 08-11-2019 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31518
https://notcve.org/view.php?id=CVE-2022-31518
11 Jul 2022 — The JustAnotherSoftwareDeveloper/Python-Recipe-Database repository through 2021-03-31 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio JustAnotherSoftwareDeveloper/Python-Recipe-Database versiones hasta 31-03-2021 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31516
https://notcve.org/view.php?id=CVE-2022-31516
11 Jul 2022 — The Harveyzyh/Python repository through 2022-05-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio Harveyzyh/Python versiones hasta 04-05-2022 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •