Filtered by vendor Python Subscriptions
Total 229 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-25292 2 Python, Redhat 3 Pillow, Enterprise Linux, Quay 2024-11-21 6.5 Medium
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
CVE-2021-25291 2 Python, Redhat 2 Pillow, Quay 2024-11-21 7.5 High
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
CVE-2021-25290 3 Debian, Python, Redhat 4 Debian Linux, Pillow, Enterprise Linux and 1 more 2024-11-21 7.5 High
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
CVE-2021-25289 2 Python, Redhat 2 Pillow, Quay 2024-11-21 9.8 Critical
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
CVE-2021-25288 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 9.1 Critical
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
CVE-2021-25287 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 9.1 Critical
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
CVE-2021-23437 2 Fedoraproject, Python 2 Fedora, Pillow 2024-11-21 7.5 High
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
CVE-2021-23336 7 Debian, Djangoproject, Fedoraproject and 4 more 14 Debian Linux, Django, Fedora and 11 more 2024-11-21 5.9 Medium
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVE-2020-8492 6 Canonical, Debian, Fedoraproject and 3 more 7 Ubuntu Linux, Debian Linux, Fedora and 4 more 2024-11-21 6.5 Medium
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2020-8315 1 Python 1 Python 2024-11-21 5.5 Medium
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.
CVE-2020-7212 1 Python 1 Urllib3 2024-11-21 7.5 High
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
CVE-2020-5313 5 Canonical, Debian, Fedoraproject and 2 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2024-11-21 7.1 High
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2020-5312 5 Canonical, Debian, Fedoraproject and 2 more 7 Ubuntu Linux, Debian Linux, Fedora and 4 more 2024-11-21 9.8 Critical
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5311 5 Canonical, Debian, Fedoraproject and 2 more 7 Ubuntu Linux, Debian Linux, Fedora and 4 more 2024-11-21 9.8 Critical
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
CVE-2020-5310 4 Canonical, Fedoraproject, Python and 1 more 4 Ubuntu Linux, Fedora, Pillow and 1 more 2024-11-21 8.8 High
libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.
CVE-2020-35655 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Enterprise Linux 2024-11-21 5.4 Medium
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
CVE-2020-35654 3 Fedoraproject, Python, Redhat 3 Fedora, Pillow, Quay 2024-11-21 8.8 High
In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
CVE-2020-35653 4 Debian, Fedoraproject, Python and 1 more 5 Debian Linux, Fedora, Pillow and 2 more 2024-11-21 7.1 High
In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
CVE-2020-29396 2 Odoo, Python 2 Odoo, Python 2024-11-21 8.8 High
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.
CVE-2020-27619 4 Fedoraproject, Oracle, Python and 1 more 5 Fedora, Communications Cloud Native Core Network Function Cloud Native Environment, Python and 2 more 2024-11-21 9.8 Critical
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.