Filtered by vendor Python
Subscriptions
Total
229 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-25292 | 2 Python, Redhat | 3 Pillow, Enterprise Linux, Quay | 2024-11-21 | 6.5 Medium |
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. | ||||
CVE-2021-25291 | 2 Python, Redhat | 2 Pillow, Quay | 2024-11-21 | 7.5 High |
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. | ||||
CVE-2021-25290 | 3 Debian, Python, Redhat | 4 Debian Linux, Pillow, Enterprise Linux and 1 more | 2024-11-21 | 7.5 High |
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. | ||||
CVE-2021-25289 | 2 Python, Redhat | 2 Pillow, Quay | 2024-11-21 | 9.8 Critical |
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. | ||||
CVE-2021-25288 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 9.1 Critical |
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. | ||||
CVE-2021-25287 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 9.1 Critical |
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. | ||||
CVE-2021-23437 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 7.5 High |
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. | ||||
CVE-2021-23336 | 7 Debian, Djangoproject, Fedoraproject and 4 more | 14 Debian Linux, Django, Fedora and 11 more | 2024-11-21 | 5.9 Medium |
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. | ||||
CVE-2020-8492 | 6 Canonical, Debian, Fedoraproject and 3 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 6.5 Medium |
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. | ||||
CVE-2020-8315 | 1 Python | 1 Python | 2024-11-21 | 5.5 Medium |
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected. | ||||
CVE-2020-7212 | 1 Python | 1 Urllib3 | 2024-11-21 | 7.5 High |
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). | ||||
CVE-2020-5313 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-11-21 | 7.1 High |
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | ||||
CVE-2020-5312 | 5 Canonical, Debian, Fedoraproject and 2 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 9.8 Critical |
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | ||||
CVE-2020-5311 | 5 Canonical, Debian, Fedoraproject and 2 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 9.8 Critical |
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | ||||
CVE-2020-5310 | 4 Canonical, Fedoraproject, Python and 1 more | 4 Ubuntu Linux, Fedora, Pillow and 1 more | 2024-11-21 | 8.8 High |
libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. | ||||
CVE-2020-35655 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Enterprise Linux | 2024-11-21 | 5.4 Medium |
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. | ||||
CVE-2020-35654 | 3 Fedoraproject, Python, Redhat | 3 Fedora, Pillow, Quay | 2024-11-21 | 8.8 High |
In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. | ||||
CVE-2020-35653 | 4 Debian, Fedoraproject, Python and 1 more | 5 Debian Linux, Fedora, Pillow and 2 more | 2024-11-21 | 7.1 High |
In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. | ||||
CVE-2020-29396 | 2 Odoo, Python | 2 Odoo, Python | 2024-11-21 | 8.8 High |
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation. | ||||
CVE-2020-27619 | 4 Fedoraproject, Oracle, Python and 1 more | 5 Fedora, Communications Cloud Native Core Network Function Cloud Native Environment, Python and 2 more | 2024-11-21 | 9.8 Critical |
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. |