VuXML ID | Description |
f671c282-95ef-11eb-9c34-080027f515ea | python -- Information disclosure via pydoc -p: /getfile?key=path allows reading an arbitrary file on the filesystem
David Schwörer reports:
Remove the getfile feature of the pydoc module which could be
abused to read arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords.
Discovery 2021-01-21 Entry 2021-04-10 python38
< 3.8.9
python39
< 3.9.3
CVE-2021-3426
https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html
https://bugs.python.org/issue42988
|
80e057e7-2f0a-11ed-978f-fcaa147e860e | Python -- multiple vulnerabilities
Python reports:
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal),
16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number
of digits in string form is above a limit to avoid potential denial of service attacks
due to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when
a URI path starts with //. Vulnerability discovered, and initial fix proposed, by
Hamza Avvan.
Discovery 2020-03-20 Entry 2022-09-08 python37
< 3.7.14
python38
< 3.8.14
python39
< 3.9.14
python310
< 3.10.7
CVE-2020-10735
https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog
|
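The two fixes quoted in this entry can be checked from user code and, where an application must also run on interpreters that predate them, reproduced at application level. The following is an added example, not code from the advisory or from CPython: parse_untrusted_int applies a digit cap of its own before calling int(), and normalize_request_path mirrors the single-slash collapse that gh-87389 describes. The function names and the use of 4300 (CPython's default limit) as the cap are choices made here.

```python
import sys
import urllib.parse

# CPython's default conversion limit once the CVE-2020-10735 fix is present;
# reused here as the default cap for the application-level check.
DEFAULT_MAX_DIGITS = 4300


def interpreter_limits_int_str_conversion() -> bool:
    """True when this interpreter enforces a digit limit on int<->str
    conversion in non-power-of-two bases, i.e. it carries the fix."""
    get_limit = getattr(sys, "get_int_max_str_digits", None)
    return get_limit is not None and get_limit() > 0


def parse_untrusted_int(text: str, max_digits: int = DEFAULT_MAX_DIGITS) -> int:
    """Parse a decimal integer from untrusted input behind an explicit length
    cap, so the check holds on interpreters without the fix as well.
    int() tolerates surrounding whitespace, a sign and underscores; those are
    stripped before counting, and the count is enforced before the
    quadratic-time conversion is attempted."""
    body = text.strip().lstrip("+-").replace("_", "")
    if len(body) > max_digits:
        raise ValueError(f"input has {len(body)} digits, limit is {max_digits}")
    return int(text, 10)


def oversized_int_is_rejected(n_digits: int, max_digits: int = DEFAULT_MAX_DIGITS) -> bool:
    """Probe: is a string of n_digits decimal digits refused?"""
    try:
        parse_untrusted_int("9" * n_digits, max_digits)
    except ValueError:
        return True
    return False


def redirect_target_host(path: str) -> str:
    """Host a client would be sent to if a Location header were built from
    the raw request path. A non-empty result means an off-site redirect:
    '//host/...' is a scheme-relative absolute URI, not a local path."""
    return urllib.parse.urlsplit(path).netloc


def normalize_request_path(path: str) -> str:
    """Collapse a leading run of slashes to a single slash, the mitigation
    gh-87389 describes for http.server, applied before the path is used."""
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


if __name__ == "__main__":
    print("interpreter enforces int/str digit limit:",
          interpreter_limits_int_str_conversion())
    print("10000-digit input rejected:", oversized_int_is_rejected(10_000))
    raw = "//evil.example/"  # constructed attacker-supplied request path
    print(f"{raw!r} redirects to host {redirect_target_host(raw)!r}")
    safe = normalize_request_path(raw)
    print(f"{safe!r} redirects to host {redirect_target_host(safe)!r}")
```

On an interpreter with the fix, int() enforces the same 4300-digit default itself; the explicit cap costs nothing there and closes the gap on older builds, and the cap should be lowered to whatever the application actually needs.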
a9eeb3a3-ca5e-11ea-930b-080027846a02 | Python -- multiple vulnerabilities
Python reports:
bpo-41162: Audit hooks are now cleared later during finalization to avoid missing
events.
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is
embedded.
Discovery 2020-06-29 Entry 2020-07-20 python38
< 3.8.4
https://docs.python.org/3/whatsnew/changelog.html#python-3-8-4-final
CVE-2020-15523
|
145ce848-1165-11ec-ac7e-08002789875b | Python -- multiple vulnerabilities
Python reports:
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid
a potential race condition.
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used
on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address
strings. Leading zeros are ambiguous and interpreted as octal notation by some
libraries. For example the legacy function socket.inet_aton() treats leading
zeros as octal notation. glibc implementation of modern inet_pton() does not
accept any leading zeros. For a while the ipaddress module used to accept ambiguous
leading zeros.
Discovery 2021-08-30 Entry 2021-09-09 python38
< 3.8.12
https://docs.python.org/3.8/whatsnew/changelog.html#changelog
|
ca595a25-91d8-11ea-b470-080027846a02 | Python -- CRLF injection via the host part of the url passed to urlopen()
Python reports:
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x
through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as
demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in
the host component of a URL) followed by an HTTP header.
Discovery 2019-10-24 Entry 2020-05-09 Modified 2020-06-13 python27
< 2.7.18
python38
< 3.8.3
python37
le 3.7.7
python36
< 3.6.10
python35
le 3.5.9_4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
https://bugs.python.org/issue38576
CVE-2019-18348
|
a27b0bb6-84fc-11ea-b5b4-641c67a117d8 | Python -- Regular Expression DoS attack against client
Ben Caller and Matt Schwager report:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
Regular Expression Denial of Service (ReDoS) attacks against a client
because of urllib.request.AbstractBasicAuthHandler catastrophic
backtracking.
Discovery 2019-11-17 Entry 2020-04-23 Modified 2020-06-13 python38
< 3.8.3
python37
le 3.7.7
python36
< 3.6.10
python35
le 3.5.9_4
python27
< 2.7.18
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://bugs.python.org/issue39503
CVE-2020-8492
ports/245819
|
d6d088c9-5064-11ed-bade-080027881239 | Python -- multiple vulnerabilities
Python reports:
gh-97616: Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses
a shell to run openssl commands. Issue reported and initial fix by
Caleb Shortt. Patch by Victor Stinner.
Discovery 2022-09-29 Entry 2022-10-20 python37
< 3.7.15
python38
< 3.8.15
python39
< 3.9.15
python310
< 3.10.8
https://docs.python.org/release/3.9.15/whatsnew/changelog.html
|
bffa40db-ad50-11eb-86b8-080027846a02 | Python -- multiple vulnerabilities
Python reports:
bpo-43434: Creating a sqlite3.Connection object now also produces a
sqlite3.connect auditing event. Previously this event was only produced
by sqlite3.connect() calls. Patch by Erlend E. Aasland.
bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks. Following the controlling specification
for URLs defined by WHATWG urllib.parse() now removes ASCII newlines
and tabs from URLs, preventing such attacks.
bpo-43472: Ensures interpreter-level audit hooks receive the cpython.
PyInterpreterState_New event when called through the _xxsubinterpreters
module.
bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
address strings. Leading zeros are ambiguous and interpreted as octal
notation by some libraries. For example the legacy function socket.inet_aton()
treats leading zeros as octal notation. glibc implementation of modern
inet_pton() does not accept any leading zeros. For a while the ipaddress
module used to accept ambiguous leading zeros.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has
quadratic worst-case complexity and it allows causing a denial of service
when identifying crafted invalid RFCs. This ReDoS issue is on the client
side and needs remote attackers to control the HTTP server.
bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.
Discovery 2021-03-08 Entry 2021-05-05 python38
< 3.8.10
python39
< 3.9.5
https://docs.python.org/3/whatsnew/changelog.html#changelog
https://docs.python.org/3.8/whatsnew/changelog.html#changelog
|
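The bpo-36384 and bpo-43882 items above (and the bpo-36384 entry for 3.8.12 earlier on this page) both concern the same failure mode: two parsers reading one string differently. The block below is an added example, not code from the advisory or from CPython. It shows what the legacy C resolver makes of a dotted quad with leading zeros, probes whether the installed ipaddress module refuses such input, supplies a strict parser that gives the same answer on any interpreter version, and shows that urllib.parse now reports the host a browser would actually connect to when a tab or newline is embedded in the URL. Function names and the sample addresses are chosen here.

```python
import ipaddress
import socket
import urllib.parse


def inet_aton_reads(text: str) -> str:
    """Dotted quad as the legacy C resolver parses it: leading zeros are
    octal and short forms are padded, so '010.0.0.1' is really 8.0.0.1."""
    return str(ipaddress.IPv4Address(socket.inet_aton(text)))


def ipaddress_rejects_leading_zeros(text: str) -> bool:
    """Probe for bpo-36384: a patched ipaddress module refuses '010.0.0.1'."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return True
    return False


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Version-independent strict parser: exactly four ASCII decimal octets,
    no leading zero unless the octet is '0', each in 0..255. Anything the
    octal-tolerant C parsers would read differently is refused."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()):
            raise ValueError(f"{text!r}: non-decimal octet {octet!r}")
        if len(octet) > 1 and octet[0] == "0":
            raise ValueError(f"{text!r}: leading zero in {octet!r} is ambiguous")
        if int(octet) > 255:
            raise ValueError(f"{text!r}: octet {octet!r} out of range")
    return ipaddress.IPv4Address(text)


def strict_ipv4_accepts(text: str) -> bool:
    try:
        strict_ipv4(text)
    except ValueError:
        return False
    return True


def url_host(url: str) -> str:
    """Host as urllib.parse sees it. With bpo-43882 applied, ASCII tab, CR
    and LF are removed first, matching browsers and HTTP clients, so the
    name checked here is the name that will actually be connected to."""
    return urllib.parse.urlsplit(url).hostname or ""


def host_is_allowed(url: str, allowed: frozenset) -> bool:
    """Allow-list check that relies on url_host() seeing the real host."""
    return url_host(url) in allowed


if __name__ == "__main__":
    # Constructed inputs: an octal-looking address, a short form, and a URL
    # with a tab inside the host name.
    for addr in ("010.0.0.1", "127.1"):
        print(f"inet_aton reads {addr!r} as {inet_aton_reads(addr)}; "
              f"ipaddress rejects it: {ipaddress_rejects_leading_zeros(addr)}; "
              f"strict parser accepts it: {strict_ipv4_accepts(addr)}")
    url = "http://a.example\t.evil.example/"
    print(f"{url!r} -> host {url_host(url)!r}, "
          f"allowed: {host_is_allowed(url, frozenset({'a.example'}))}")
```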
7d7221ee-d334-11ea-bc50-080027846a02 | Python -- multiple vulnerabilities
Python reports:
bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for
bpo-29778 (CVE-2020-15801).
bpo-39603: Prevent http header injection by rejecting control characters in
http.client.putrequest().
Discovery 2020-02-11 Entry 2020-07-31 python38
< 3.8.5
https://docs.python.org/3/whatsnew/changelog.html#python-3-8-5-final
CVE-2020-15801
|
050eba46-7638-11ed-820d-080027d3a315 | Python -- multiple vulnerabilities
Python reports:
gh-100001: python -m http.server no longer allows terminal control characters sent
within a garbage request to be printed to the stderr server log.
This is done by changing the http.server BaseHTTPRequestHandler.log_message method
to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related
name resolution functions no longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive length hostname involving
bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
gh-98739: Update bundled libexpat to 2.5.0.
gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example
script. The script no longer uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
Discovery 2022-09-28 Entry 2022-12-07 python37
< 3.7.16
python38
< 3.8.16
python39
< 3.9.16
python310
< 3.10.9
python311
< 3.11.1
https://docs.python.org/3/whatsnew/changelog.html#changelog
|
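The gh-100001 item above is a log injection fix: anything a client sends in the request line is echoed to the server's stderr, so an escape sequence can clear or repaint the operator's terminal and a CRLF can forge a second log record. The block below is an added example, not code from the advisory or from CPython. It builds the kind of \xHH escaping the entry describes (C0 controls, DEL and C1 controls escaped, backslash doubled so an escape cannot be spoofed with literal text) and applies it to a constructed garbage request line. The table, function names and the sample request are chosen here.

```python
import itertools

# C0 controls (0x00-0x1f), DEL and C1 controls (0x7f-0x9f) become \xHH; the
# backslash itself is doubled so literal text "\x1b" in a request stays
# distinguishable from an escaped ESC byte. Built here to match the approach
# gh-100001 describes for BaseHTTPRequestHandler.log_message.
_CONTROL_CHAR_TABLE = str.maketrans(
    {c: rf"\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
)
_CONTROL_CHAR_TABLE[ord("\\")] = r"\\"

# Constructed garbage request: clears the terminal, homes the cursor, then
# forges a second, innocent-looking access log record on a new line.
CRAFTED_REQUEST = (
    "GET /\x1b[2J\x1b[H HTTP/1.1\r\n"
    '203.0.113.5 - - "GET /admin HTTP/1.1" 200'
)


def sanitize_log_field(text: str) -> str:
    """Make attacker-supplied text safe to print on a terminal or store in a
    line-oriented log: no terminal escapes, no line breaks, no ambiguity."""
    return text.translate(_CONTROL_CHAR_TABLE)


def access_log_line(client: str, request_line: str, status: int) -> str:
    """One record in the shape http.server writes, with the request line
    (the attacker-controlled part) escaped before it is formatted."""
    return f'{client} - - "{sanitize_log_field(request_line)}" {status}'


if __name__ == "__main__":
    unsafe = f'198.51.100.7 - - "{CRAFTED_REQUEST}" 400'
    print("raw record has", unsafe.count("\n"), "embedded newline(s) and",
          unsafe.count("\x1b"), "ESC byte(s)")
    print(access_log_line("198.51.100.7", CRAFTED_REQUEST, 400))
```

The same table applies to any field that ends up in a log or on a console (User-Agent, filenames, usernames), not only to the request line.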