Filtered by vendor Python Subscriptions
Total 229 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2013-7040 2 Apple, Python 2 Mac Os X, Python 2024-11-21 N/A
Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.
CVE-2013-4238 4 Canonical, Opensuse, Python and 1 more 4 Ubuntu Linux, Opensuse, Python and 1 more 2024-11-21 N/A
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVE-2013-2099 3 Canonical, Python, Redhat 8 Ubuntu Linux, Python, Openstack and 5 more 2024-11-21 N/A
Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.
CVE-2013-1895 2 Fedoraproject, Python 2 Fedora, Py-bcrypt 2024-11-21 7.5 High
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
CVE-2013-1753 2 Python, Redhat 3 Python, Enterprise Linux, Rhel Software Collections 2024-11-21 7.5 High
The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
CVE-2013-1633 1 Python 1 Setuptools 2024-11-21 N/A
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
CVE-2013-0340 3 Apple, Libexpat Project, Python 7 Ipados, Iphone Os, Macos and 4 more 2024-11-21 N/A
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVE-2012-5578 1 Python 1 Keyring 2024-11-21 6.2 Medium
Python keyring has insecure permissions on new databases allowing world-readable files to be created
CVE-2012-5577 2 Debian, Python 2 Debian Linux, Keyring 2024-11-21 7.5 High
Python keyring lib before 0.10 created keyring files with world-readable permissions.
CVE-2012-4571 1 Python 1 Keyring 2024-11-21 N/A
Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.
CVE-2012-3458 1 Python 1 Beaker 2024-11-21 N/A
Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.
CVE-2012-2135 3 Canonical, Debian, Python 3 Ubuntu Linux, Debian Linux, Python 2024-11-21 N/A
The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.
CVE-2012-1150 2 Python, Redhat 2 Python, Enterprise Linux 2024-11-21 N/A
Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
CVE-2012-0877 2 Python, Redhat 3 Pyxml, Enterprise Linux, Enterprise Virtualization Hypervisor 2024-11-21 7.5 High
PyXML: Hash table collisions CPU usage Denial of Service
CVE-2012-0876 6 Canonical, Debian, Libexpat Project and 3 more 15 Ubuntu Linux, Debian Linux, Libexpat and 12 more 2024-11-21 N/A
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVE-2012-0845 2 Python, Redhat 2 Python, Enterprise Linux 2024-11-21 N/A
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
CVE-2011-4944 2 Python, Redhat 2 Python, Enterprise Linux 2024-11-21 N/A
Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
CVE-2011-4940 2 Python, Redhat 2 Python, Enterprise Linux 2024-11-21 N/A
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
CVE-2011-4617 1 Python 1 Virtualenv 2024-11-21 N/A
virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.
CVE-2011-1521 2 Python, Redhat 2 Python, Enterprise Linux 2024-11-21 N/A
The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.