Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Python Subscribe
Total 194 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-25293 1 Python 1 Pillow 2021-12-01 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
CVE-2021-25287 2 Fedoraproject, Python 2 Fedora, Pillow 2021-12-01 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
CVE-2021-25288 2 Fedoraproject, Python 2 Fedora, Pillow 2021-12-01 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
CVE-2021-42576 2 Microco, Python 2 Bluemonday, Pybluemonday 2021-10-26 7.5 HIGH 9.8 CRITICAL
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
CVE-2020-8492 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2021-09-16 7.1 HIGH 6.5 MEDIUM
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2021-28676 2 Fedoraproject, Python 2 Fedora, Pillow 2021-09-14 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
CVE-2021-28675 2 Fedoraproject, Python 2 Fedora, Pillow 2021-09-14 4.3 MEDIUM 5.5 MEDIUM
An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
CVE-2021-28678 2 Fedoraproject, Python 2 Fedora, Pillow 2021-09-14 4.3 MEDIUM 5.5 MEDIUM
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
CVE-2021-28677 2 Fedoraproject, Python 2 Fedora, Pillow 2021-09-14 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
CVE-2019-12761 1 Python 1 Pyxdg 2021-08-03 5.1 MEDIUM 7.5 HIGH
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
CVE-2020-14422 4 Fedoraproject, Opensuse, Oracle and 1 more 4 Fedora, Leap, Enterprise Manager Ops Center and 1 more 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
CVE-2020-8315 1 Python 1 Python 2021-07-21 4.3 MEDIUM 5.5 MEDIUM
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.
CVE-2019-6802 1 Python 1 Pypiserver 2021-07-21 4.3 MEDIUM 6.1 MEDIUM
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI.
CVE-2019-11324 2 Canonical, Python 2 Ubuntu Linux, Urllib3 2021-06-15 5.0 MEDIUM 7.5 HIGH
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
CVE-2018-20060 2 Fedoraproject, Python 2 Fedora, Urllib3 2021-06-15 5.0 MEDIUM 9.8 CRITICAL
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236 1 Python 1 Urllib3 2021-06-15 4.3 MEDIUM 6.1 MEDIUM
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVE-2009-3720 3 A M Kuchling, James Clark, Python 3 Pyxml, Expat, Python 2021-06-06 5.0 MEDIUM N/A
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
CVE-2021-28359 2 Apache, Python 2 Airflow, Python 2021-05-10 4.3 MEDIUM 6.1 MEDIUM
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
CVE-2021-28667 2 Python, Stackstorm 2 Python, Stackstorm 2021-03-25 7.1 HIGH 7.5 HIGH
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name).
CVE-2020-35654 2 Fedoraproject, Python 2 Fedora, Pillow 2021-03-22 6.8 MEDIUM 8.8 HIGH
In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.