CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3598
https://notcve.org/view.php?id=CVE-2014-3598
The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image. El plugin Jpeg2KImagePlugin en Pillow anterior a 2.5.3 permite a atacantes remotos causar una denegación de servicio a través de una imagen manipulada. • http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html https://pypi.python.org/pypi/Pillow/2.5.3 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-1753 – python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding
https://notcve.org/view.php?id=CVE-2013-1753
The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. La función gzip_decode en la biblioteca de cliente xmlrpc en Python versiones 3.4 y anteriores, permite a atacantes remotos causar una denegación de servicio (consumo de memoria) por medio de una petición HTTP especialmente diseñada. It was discovered that the Python xmlrpclib did not restrict the size of a gzip compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. • https://bugs.python.org/issue16043 https://access.redhat.com/security/cve/CVE-2013-1753 https://bugzilla.redhat.com/show_bug.cgi?id=1046170 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 1%CPEs: 14EXPL: 0CVE-2015-2296
https://notcve.org/view.php?id=CVE-2015-2296
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. La función resolve_redirects en sessions.py en requests 2.1.0 hasta 2.5.3 permite a atacantes remotos realizar ataques de fijación de sesión a través de una cookie sin valor de anfitrión en una redirección. • http://advisories.mageia.org/MGASA-2015-0120.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:133 http://www.openwall.com/lists/oss-security/2015/03/14/4 http://www.openwall.com/lists/oss-security/2015/03/15/1 http://www.ubuntu.com/usn/USN-2531-1 https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc https://warehouse.python.org/project/requests/2.6.0 •
CVSS: 5.0EPSS: 1%CPEs: 4EXPL: 0CVE-2014-9601
https://notcve.org/view.php?id=CVE-2014-9601
Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. Pillow anterior a 2.7.0 permite a atacantes remotos causar una denegación de servicio a través de un fragmento de texto comprimido en una imagen PNG que tiene un tamaño grande cuando está descomprimido. • http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html http://pillow.readthedocs.org/releasenotes/2.7.0.html http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/77758 https://github.com/python-pillow/Pillow/pull/1060 https://www.djangoproject.com/weblog/2015/jan/02/pillow-security-release • CWE-20: Improper Input Validation •
CVSS: 5.8EPSS: 0%CPEs: 88EXPL: 2CVE-2014-9365 – python: failure to validate certificates in the HTTP client with TLS (PEP 476)
https://notcve.org/view.php?id=CVE-2014-9365
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Los clientes HTTP en las librarias (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib en CPython (también conocido como Python) 2.x anterior a 2.7.9 y 3.x anterior a 3.4.3, cuando accede a una URL HTTPS, not (a) comprueba el certificado contra un almacen trust o verifica que elnombre del servidor coincide con un nombre de dominio en el campo del tema (b) Common Name o (c) subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido arbitrario. The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. • http://bugs.python.org/issue22417 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://www.openwall.com/lists/oss-security/2014/12/11/1 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.securityfocus.com/bid/71639 https://access.redhat.com/errata/RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2017:1162 https://access.redhat.com/errata&#x • CWE-345: Insufficient Verification of Data Authenticity •