CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 1CVE-2017-9233
https://notcve.org/view.php?id=CVE-2017-9233
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. Una vulnerabilidad de XML External Entity (XEE) en libexpat versión 2.2.0 y anteriores (Expat XML Parser Library) permite que los atacantes consigan que el analizador entre en un bucle infinito utilizando una definición de entidad externa mal formada desde una DTD externa. • http://www.debian.org/security/2017/dsa-3898 http://www.openwall.com/lists/oss-security/2017/06/17/7 http://www.securityfocus.com/bid/99276 http://www.securitytracker.com/id/1039427 https://github.com/libexpat/libexpat/blob/master/expat/Changes https://libexpat.github.io/doc/cve-2017-9233 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40% • CWE-611: Improper Restriction of XML External Entity Reference CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2017-2810
https://notcve.org/view.php?id=CVE-2017-2810
An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability. Una vulnerabilidad explotable en la funcionalidad Databook loading de Tablib versión 0.11.4. Un Databook cargado yaml puede ejecutar comandos python arbitrarios resultando en la ejecución de comandos. • http://www.securityfocus.com/bid/99076 https://security.gentoo.org/glsa/201811-18 https://talosintelligence.com/vulnerability_reports/TALOS-2017-0307 •
CVSS: 5.5EPSS: 0%CPEs: 19EXPL: 0CVE-2016-3076
https://notcve.org/view.php?id=CVE-2016-3076
Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file. Desbordamiento de búfer basado en memoria dinámica en la función j2k_encode_entry en Pillow 2.5.0 hasta la versión 3.1.1 permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria) a través de un archivo Jpeg2000 manipulado. • http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html http://www.securityfocus.com/bid/98042 https://bugzilla.redhat.com/show_bug.cgi?id=1321929 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5992
https://notcve.org/view.php?id=CVE-2017-5992
Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. Openpyxl 2.4.1 resuelve entidades externas por defecto, lo que permite a atacantes remotos llevar a cabo ataques de XXE a través de un documento .xlsx manipulado. • http://www.openwall.com/lists/oss-security/2017/02/07/5 https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 https://bitbucket.org/openpyxl/openpyxl/issues/749 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7036
https://notcve.org/view.php?id=CVE-2016-7036
python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys. python-jose en versiones anteriores a 1.3.2 permite a atacantes remotos tener un impacto no especificado aprovechando un fallo para utilizar una comparación de tiempo constante para teclas HMAC. • http://www.securityfocus.com/bid/95845 https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93 https://github.com/mpdavis/python-jose/releases/tag/1.3.2 • CWE-361: 7PK - Time and State •