CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0161
https://notcve.org/view.php?id=CVE-2014-0161
02 Jan 2020 — ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate. ovirt-engine-sdk-python versiones anteriores a la versión 3.4.0.7 y 3.5.0.4, no comprueba que el nombre de host del endpoint remoto coincida con el Common Name (CN) o subjectAltName según lo... • https://access.redhat.com/security/cve/cve-2014-0161 • CWE-295: Improper Certificate Validation •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 2CVE-2019-14859 – python-ecdsa: DER encoding is not being verified in signatures
https://notcve.org/view.php?id=CVE-2019-14859
18 Nov 2019 — A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14853 – python-ecdsa: Unexpected and undocumented exceptions during signature decoding
https://notcve.org/view.php?id=CVE-2019-14853
18 Nov 2019 — An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. Se encontró un error de manejo de errores en python-ecdsa anterior de la versión 0.13.3. Durante la decodificación de firmas, las firmas DER mal formadas pueden generar excepciones inesperadas (o ninguna excepción), lo que podría conducir a una denegación de servicio. An error-handling... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853 • CWE-391: Unchecked Error Condition CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2009-5042
https://notcve.org/view.php?id=CVE-2009-5042
31 Oct 2019 — python-docutils allows insecure usage of temporary files python-docutils, permite el uso no seguro de archivos temporales. • https://security-tracker.debian.org/tracker/CVE-2009-5042 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-18348 – python: CRLF injection via the host part of the url passed to urlopen()
https://notcve.org/view.php?id=CVE-2019-18348
23 Oct 2019 — An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 2CVE-2019-17514 – Ubuntu Security Notice USN-6891-1
https://notcve.org/view.php?id=CVE-2019-17514
12 Oct 2019 — library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older doc... • https://bugs.python.org/issue33275 • CWE-682: Incorrect Calculation •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 2CVE-2019-16935 – python: XSS vulnerability in the documentation XML-RPC server in server_title field
https://notcve.org/view.php?id=CVE-2019-16935
28 Sep 2019 — The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. La documentación del servidor XML-RPC en Python versiones hasta 2.7.16, versiones 3.x hasta 3.6.9 y versiones 3.7.x hasta 3.7.4, present... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16729 – Ubuntu Security Notice USN-4552-2
https://notcve.org/view.php?id=CVE-2019-16729
24 Sep 2019 — pam-python before 1.0.7-1 has an issue in regard to the default environment variable handling of Python, which could allow for local root escalation in certain PAM setups. pam-python versiones anteriores a 1.0.7-1, presenta un problema con respecto al manejo predeterminado de la variable de entorno de Python, lo que podría permitir la escalada de root local en ciertas configuraciones de PAM. USN-4552-1 and USN-4552-2 fixed a vulnerability in Pam-python. The update introduced a regression which prevented PAM... • https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1 •
CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0CVE-2019-16056 – python: email.utils.parseaddr wrongly parses email addresses
https://notcve.org/view.php?id=CVE-2019-16056
06 Sep 2019 — An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. Se descubrió un problema en ... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2019-15903 – expat: heap-based buffer over-read via crafted XML input
https://notcve.org/view.php?id=CVE-2019-15903
04 Sep 2019 — In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. En libexpat versiones anteriores a 2.2.8, una entrada XML especialmente diseñada podría engañar al analizador para que cambie de análisis DTD a análisis de documentos demasiado pronto; una llamada consecutiva a la función XML_GetCurrentLineNumber (o XML_Get... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html • CWE-125: Out-of-bounds Read CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •