Filtered by vendor Python
Subscriptions
Total
250 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-26488 | 3 Microsoft, Netapp, Python | 4 Windows, Active Iq Unified Manager, Ontap Select Deploy Administration Utility and 1 more | 2024-11-21 | 7.0 High |
| In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2. | ||||
| CVE-2022-24303 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 9.1 Critical |
| Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. | ||||
| CVE-2022-22817 | 3 Debian, Python, Redhat | 5 Debian Linux, Pillow, Enterprise Linux and 2 more | 2024-11-21 | 9.8 Critical |
| PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | ||||
| CVE-2022-22816 | 3 Debian, Python, Redhat | 5 Debian Linux, Pillow, Enterprise Linux and 2 more | 2024-11-21 | 6.5 Medium |
| path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. | ||||
| CVE-2022-22815 | 3 Debian, Python, Redhat | 3 Debian Linux, Pillow, Enterprise Linux | 2024-11-21 | 6.5 Medium |
| path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | ||||
| CVE-2021-42576 | 2 Microco, Python | 2 Bluemonday, Pybluemonday | 2024-11-21 | 9.8 Critical |
| The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. | ||||
| CVE-2021-3177 | 6 Debian, Fedoraproject, Netapp and 3 more | 12 Debian Linux, Fedora, Active Iq Unified Manager and 9 more | 2024-11-21 | 9.8 Critical |
| Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. | ||||
| CVE-2021-34552 | 4 Debian, Fedoraproject, Python and 1 more | 5 Debian Linux, Fedora, Pillow and 2 more | 2024-11-21 | 9.8 Critical |
| Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. | ||||
| CVE-2021-33503 | 4 Fedoraproject, Oracle, Python and 1 more | 10 Fedora, Enterprise Manager Ops Center, Instantis Enterprisetrack and 7 more | 2024-11-21 | 7.5 High |
| An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. | ||||
| CVE-2021-32052 | 3 Djangoproject, Fedoraproject, Python | 3 Django, Fedora, Python | 2024-11-21 | 6.1 Medium |
| In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. | ||||
| CVE-2021-28678 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 5.5 Medium |
| An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. | ||||
| CVE-2021-28677 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 7.5 High |
| An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. | ||||
| CVE-2021-28676 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 7.5 High |
| An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. | ||||
| CVE-2021-28675 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 5.5 Medium |
| An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. | ||||
| CVE-2021-28667 | 2 Python, Stackstorm | 2 Python, Stackstorm | 2024-11-21 | 7.5 High |
| StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name). | ||||
| CVE-2021-28363 | 4 Fedoraproject, Oracle, Python and 1 more | 4 Fedora, Peoplesoft Enterprise Peopletools, Urllib3 and 1 more | 2024-11-21 | 6.5 Medium |
| The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. | ||||
| CVE-2021-25293 | 2 Python, Redhat | 3 Pillow, Enterprise Linux, Quay | 2024-11-21 | 7.5 High |
| An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c. | ||||
| CVE-2021-25292 | 2 Python, Redhat | 3 Pillow, Enterprise Linux, Quay | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. | ||||
| CVE-2021-25291 | 2 Python, Redhat | 2 Pillow, Quay | 2024-11-21 | 7.5 High |
| An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. | ||||
| CVE-2021-25290 | 3 Debian, Python, Redhat | 4 Debian Linux, Pillow, Enterprise Linux and 1 more | 2024-11-21 | 7.5 High |
| An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. | ||||