Filtered by vendor Python Subscriptions
Total 229 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-42576 2 Microco, Python 2 Bluemonday, Pybluemonday 2024-11-21 9.8 Critical
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
CVE-2021-3737 6 Canonical, Fedoraproject, Netapp and 3 more 18 Ubuntu Linux, Fedora, Hci and 15 more 2024-11-21 7.5 High
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
CVE-2021-3733 4 Fedoraproject, Netapp, Python and 1 more 21 Extra Packages For Enterprise Linux, Fedora, Hci Compute Node Firmware and 18 more 2024-11-21 6.5 Medium
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
CVE-2021-3426 6 Debian, Fedoraproject, Netapp and 3 more 11 Debian Linux, Fedora, Cloud Backup and 8 more 2024-11-21 5.7 Medium
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
CVE-2021-3177 6 Debian, Fedoraproject, Netapp and 3 more 12 Debian Linux, Fedora, Active Iq Unified Manager and 9 more 2024-11-21 9.8 Critical
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
CVE-2021-34552 4 Debian, Fedoraproject, Python and 1 more 5 Debian Linux, Fedora, Pillow and 2 more 2024-11-21 9.8 Critical
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
CVE-2021-33503 4 Fedoraproject, Oracle, Python and 1 more 10 Fedora, Enterprise Manager Ops Center, Instantis Enterprisetrack and 7 more 2024-11-21 7.5 High
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
CVE-2021-32052 3 Djangoproject, Fedoraproject, Python 3 Django, Fedora, Python 2024-11-21 6.1 Medium
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
CVE-2021-29921 3 Oracle, Python, Redhat 8 Communications Cloud Native Core Automated Test Suite, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Slice Selection Function and 5 more 2024-11-21 9.8 Critical
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVE-2021-28861 3 Fedoraproject, Python, Redhat 4 Fedora, Python, Enterprise Linux and 1 more 2024-11-21 7.4 High
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
CVE-2021-28678 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 5.5 Medium
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
CVE-2021-28677 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 7.5 High
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
CVE-2021-28676 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 7.5 High
An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
CVE-2021-28675 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 5.5 Medium
An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
CVE-2021-28667 2 Python, Stackstorm 2 Python, Stackstorm 2024-11-21 7.5 High
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name).
CVE-2021-28363 4 Fedoraproject, Oracle, Python and 1 more 4 Fedora, Peoplesoft Enterprise Peopletools, Urllib3 and 1 more 2024-11-21 6.5 Medium
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
CVE-2021-27923 3 Fedoraproject, Python, Redhat 4 Fedora, Pillow, Enterprise Linux and 1 more 2024-11-21 7.5 High
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
CVE-2021-27922 3 Fedoraproject, Python, Redhat 4 Fedora, Pillow, Enterprise Linux and 1 more 2024-11-21 7.5 High
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
CVE-2021-27921 3 Fedoraproject, Python, Redhat 4 Fedora, Pillow, Enterprise Linux and 1 more 2024-11-21 7.5 High
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
CVE-2021-25293 2 Python, Redhat 3 Pillow, Enterprise Linux, Quay 2024-11-21 7.5 High
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.