CVE-2023-44271 – python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument
https://notcve.org/view.php?id=CVE-2023-44271
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. Se descubrió un problema en Pillow antes de la versión 10.0.0. Es una Denegación de Servicio que asigna memoria de forma incontrolable para procesar una tarea determinada, lo que puede provocar que un servicio falle al quedarse sin memoria. • https://devhub.checkmarx.com/cve-details/CVE-2023-44271 https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 https://github.com/python-pillow/Pillow/pull/7244 https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4 https://access.redhat.com/security/cve/CVE-2023-44271 https://bugzilla.redhat.com/show_bug.cgi?id=2247820 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-45803 – Request body not stripped after redirect in urllib3
https://notcve.org/view.php?id=CVE-2023-45803
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. • https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX https://www.rfc-editor.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-25091 – urllib3: urllib3 does not remove the authorization HTTP header when following a cross-origin redirect
https://notcve.org/view.php?id=CVE-2018-25091
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive). urllib3 anterior a 1.24.2 no elimina el encabezado HTTP de autorización cuando se sigue una redirección de origen cruzado (es decir, una redirección que difiere en host, puerto o esquema). Esto puede permitir que las credenciales en el encabezado de autorización se expongan a hosts no deseados o se transmitan en texto plano. NOTA: este problema existe debido a una solución incompleta para CVE-2018-20060 (que distinguía entre mayúsculas y minúsculas). • https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2 https://github.com/urllib3/urllib3/issues/1510 https://access.redhat.com/security/cve/CVE-2018-25091 https://bugzilla.redhat.com/show_bug.cgi?id=2244340 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2023-43804 – `Cookie` HTTP header isn't stripped on cross-origin redirects
https://notcve.org/view.php?id=CVE-2023-43804
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. urllib3 es una librería cliente HTTP fácil de usar para Python. urllib3 no trata el encabezado HTTP "Cookie" de manera especial ni proporciona ayuda para administrar las cookies a través de HTTP, eso es responsabilidad del usuario. Sin embargo, es posible que un usuario especifique un encabezado "Cookie" y, sin saberlo, filtre información a través de redireccionamientos HTTP a un origen diferente si ese usuario no deshabilita los redireccionamientos explícitamente. Este problema se solucionó en urllib3 versión 1.26.17 o 2.0.5. • https://github.com/JawadPy/CVE-2023-43804-Exploit https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5 https://lists.fedoraproject.org/archives/list/package-announc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-40217 – python: TLS handshake bypass
https://notcve.org/view.php?id=CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. • https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY https://security.netapp.com/advisory/ntap-20231006-0014 https://www.python.org/dev/security https://access.redhat.com/security/cve/CVE-2023-40217 https://bugzilla.redhat.com/show_bug.cgi?id=2235789 • CWE-305: Authentication Bypass by Primary Weakness •