Latest Python Vulnerabilities

Groups not dropped before running subprocess when using empty 'extra_groups' parameter
Python Python=3.12.0
Python Python=3.13.0-alpha1
Python Python=3.13.0-alpha2
Python could allow a remote attacker to bypass security restrictions, caused by a race condition in the SSLSocket module. When the socket is closed before the TLS handshake is complete, the data is tr...
Python Python<3.8.18
Python Python>=3.9.0<3.9.18
Python Python>=3.10.0<3.10.13
Python Python>=3.11.0<3.11.5
ubuntu/python2.7<2.7.17-1~18.04ubuntu1.13+
ubuntu/python2.7<2.7.6-8ubuntu0.6+
and 22 more
An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausi...
Python Python>=3.11.0<=3.11.4
redhat/Pyhton<3.11.5
debian/python2.7
debian/python3.10
and 6 more
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
Python Python<3.6.13
Python Python>=3.7.0<3.7.10
Python Python>=3.8.0<3.8.7
Python Python>=3.9.0<3.9.1
Debian Debian Linux=10.0
ubuntu/python2.7<2.7.17-1~18.04ubuntu1.13+
and 7 more
read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
Python Python<3.7.7
Python Python>=3.8.0<3.8.2
Python Python>=3.9.0<3.9.1
Python Python=3.10.0-alpha1
Python Python<3.6.13
Python Python>=3.7.0<3.7.10
and 16 more
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
Python Python<3.6.13
Python Python>=3.7.0<3.7.10
Python Python>=3.8.0<3.8.7
Python Python>=3.9.0<3.9.1
Debian Debian Linux=10.0
Apple iPadOS
and 12 more
A use-after-free exists in Python through 3.9 via heappushpop in heapq.
Python Python<3.6.11
Python Python>=3.7.0<3.7.7
Python Python>=3.8.0<3.8.2
Python Python=3.9.0-alpha1
Python Python=3.9.0-alpha2
Debian Debian Linux=10.0
and 14 more
** DISPUTED ** An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neith...
Python Python=3.13.0-alpha0
** DISPUTED ** The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a cra...
Python Python<=3.11.4
CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
Python Cpython=3.12.0-alpha_7
Python Python=3.12.0-alpha7
Python could allow a remote attacker to bypass security restrictions, caused by a parsing flaw in the email.utils.parseaddr() and email.utils.getaddresses() functions. By sending a specially-crafted e-...
Python Python<=2.7.18
Python Python>=3.0<=3.11
IBM Cognos Dashboards on Cloud Pak for Data<=4.7.0
Python could allow a remote attacker to bypass security restrictions, caused by a flaw in the urllib.parse component. By sending a specially-crafted request using URL starts with blank characters, an ...
Python Python<3.7.17
Python Python>=3.8.0<3.8.17
Python Python>=3.9.0<3.9.17
Python Python>=3.10.0<3.10.12
Python Python>=3.11.0<3.11.4
Fedoraproject Fedora=36
and 21 more
A vulnerability was discovered in Python. A quadratic algorithm exists when processing inputs to the IDNA (RFC 3490) decoder, such that a crafted unreasonably long name being presented to the decoder ...
redhat/python3<0:3.6.8-48.el8_7.1
redhat/python3.9<0:3.9.14-1.el9_1.2
Python Python<=3.7.15
Python Python>=3.8.0<=3.8.15
Python Python>=3.9.0<=3.9.15
Python Python>=3.10.0<=3.10.8
and 50 more
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start m...
Python Python>=3.7.3<=3.7.15
Python Python>=3.8.3<=3.8.15
Python Python>=3.9.0<3.9.16
Python Python>=3.10.0<3.10.9
Fedoraproject Fedora=35
Fedoraproject Fedora=36
and 8 more
Fixed bug: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
debian/pysha3<=1.0.2-2<=1.0.2-4.1<=1.0.2-4.2
Extended Keccak Code Package Project Extended Keccak Code Package
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
and 37 more
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information...
redhat/python3<0:3.6.8-48.el8_7.1
redhat/python3.9<0:3.9.14-1.el9
redhat/rh-python38-python<0:3.8.14-1.el7
Python Python>=3.0.0<3.7.14
Python Python>=3.8.0<3.8.14
Python Python>=3.9.0<3.9.14
and 25 more
A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack ...
Python Python=2.7.13
In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the sy...
Python Python<=3.7.12
Python Python>=3.8.0<=3.8.12
Python Python>=3.9.0<=3.9.10
Python Python>=3.10.0<=3.10.2
Python Python=3.11.0-alpha1
Python Python=3.11.0-alpha2
and 7 more
Python could allow a remote attacker to obtain sensitive information, caused by a flaw when using the FTP client library in PASV (passive) mode. By using a specially-crafted FTP server, an attacker co...
redhat/python3<0:3.6.8-45.el8
redhat/rh-python38-babel<0:2.7.0-12.el7
redhat/rh-python38-python<0:3.8.11-2.el7
redhat/rh-python38-python-cryptography<0:2.8-5.el7
redhat/rh-python38-python-jinja2<0:2.10.3-6.el7
redhat/rh-python38-python-lxml<0:4.4.1-7.el7
and 19 more
Python is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the AbstractBasicAuthHandler class in urllib. By persuading a victim to visit a specially-...
redhat/python3<0:3.6.8-39.el8_4
redhat/rh-python38-babel<0:2.7.0-12.el7
redhat/rh-python38-python<0:3.8.11-2.el7
redhat/rh-python38-python-cryptography<0:2.8-5.el7
redhat/rh-python38-python-jinja2<0:2.10.3-6.el7
redhat/rh-python38-python-lxml<0:4.4.1-7.el7
and 48 more
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite...
redhat/python3<0:3.6.8-45.el8
redhat/python27-python<0:2.7.18-4.el7
Python Python>=3.6.0<3.6.14
Python Python>=3.7.0<3.7.11
Python Python>=3.8.0<3.8.11
Python Python>=3.9.0<3.9.6
and 40 more
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application ...
Djangoproject Django>=2.2<2.2.22
Djangoproject Django>=3.1<3.1.10
Djangoproject Django>=3.2<3.2.2
Python Python>=3.9.5
Fedoraproject Fedora=34
In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is base...
redhat/rh-python38-babel<0:2.7.0-12.el7
redhat/rh-python38-python<0:3.8.11-2.el7
redhat/rh-python38-python-cryptography<0:2.8-5.el7
redhat/rh-python38-python-jinja2<0:2.10.3-6.el7
redhat/rh-python38-python-lxml<0:4.4.1-7.el7
redhat/rh-python38-python-pip<0:19.3.1-2.el7
and 9 more
Python could provide weaker than expected security, caused by improper input validation in the urllib.parse module. By sending a specially-crafted request using \r and \n characters in the URL path. ...
redhat/python3<0:3.6.8-47.el8_6
redhat/rh-python38-babel<0:2.7.0-12.el7
redhat/rh-python38-python<0:3.8.11-2.el7
redhat/rh-python38-python-cryptography<0:2.8-5.el7
redhat/rh-python38-python-jinja2<0:2.10.3-6.el7
redhat/rh-python38-python-lxml<0:4.4.1-7.el7
and 31 more
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an atte...
pip/st2client<3.4.1
Stackstorm Stackstorm<3.4.1
Python Python<3.0.0
Python pydoc module could allow a remote attacker from within the local network to obtain sensitive information. By starting the pydoc server, an attacker could exploit this vulnerability to extract arbi...
redhat/python<3.8.9
redhat/python<3.9.3
redhat/python<3.10.0
redhat/python3<0:3.6.8-41.el8
redhat/rh-python38-babel<0:2.7.0-12.el7
redhat/rh-python38-python<0:3.8.11-2.el7
and 29 more
Python CPython could allow a remote attacker to bypass security restrictions, caused by a web cache poisoning flaw via urllib.parse.parse_qsl and urllib.parse.parse_qs. By sending a specially-crafted ...
IBM Cloud Pak for Security (CP4S)<=1.7.2.0
IBM Cloud Pak for Security (CP4S)<=1.7.1.0
IBM Cloud Pak for Security (CP4S)<=1.7.0.0
Python Python<3.6.13
Python Python>=3.7.0<3.7.10
Python Python>=3.8.0<3.8.8
and 28 more
Python is vulnerable to a buffer overflow, caused by improper bounds checking by the PyCArg_repr function in _ctypes/callproc.c. By sending specially-crafted arguments to c_double.from_param, a remote...
redhat/python<0:2.7.5-92.el7_9
redhat/python3<0:3.6.8-37.el8
redhat/python27-babel<0:0.9.6-10.el7
redhat/python27-python<0:2.7.18-3.el7
redhat/python27-python-jinja2<0:2.6-16.el7
redhat/python27-python-pygments<0:1.5-5.el7
and 39 more
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leadin...
Odoo Odoo>=11.0<=13.0
Python Python>=3.6.0
An unspecified error in the CJK codec tests, which call eval() on content retrieved through HTTP in multibytecodec_support.py in Python, has an unknown impact and attack vector.
redhat/python3<0:3.6.8-37.el8
redhat/python27-babel<0:0.9.6-10.el7
redhat/python27-python<0:2.7.18-3.el7
redhat/python27-python-jinja2<0:2.6-16.el7
redhat/python27-python-pygments<0:1.5-5.el7
redhat/rh-python38-babel<0:2.7.0-12.el7
and 27 more
In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) ...
Python Python>=3.7.0<3.7.9
Python Python>=3.8.0<3.8.5
Microsoft Windows
Netapp Max Data
In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native appli...
Python Python>=3.5.0<3.5.10
Python Python>=3.6.0<3.6.12
Python Python>=3.7.0<3.7.9
Python Python>=3.8.0<3.8.4
Python Python=3.8.4-rc1
Python Python=3.9.0-alpha1
and 11 more
A vulnerability was found in Lib/ipaddress.py in Python through 3.8.3, which improperly computes hash values in the IPv4Interface and IPv6Interface classes. This might allow a remote attacker to cause a den...
redhat/python3<0:3.6.8-18.el7
redhat/python3<0:3.6.8-31.el8
redhat/rh-python36-python<0:3.6.12-1.el6
redhat/rh-python36-python-pip<0:9.0.1-5.el6
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el6
redhat/rh-python36-python<0:3.6.12-1.el7
and 22 more
Python is vulnerable to a denial of service, caused by the failure to limit the number of digits when converting text to int via the int() type in PyLong_FromString(). A remote attacker could exploit this vuln...
redhat/python3<0:3.6.8-48.el8_7.1
redhat/python3.9<0:3.9.10-3.el9_0
redhat/rh-python38-python<0:3.8.14-1.el7
Python Python>=3.7.0<3.7.14
Python Python>=3.8.0<3.8.14
Python Python>=3.9.0<3.9.14
and 22 more
The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
Python Python>=2.7.0<2.7.9
Python Python>=3.2.0<3.2.6
Python Python>=3.3.0<3.3.6
Python Python>=3.4.0<3.4.3
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct ...
Python Python>=2.7.0<2.7.8
Python Python>=3.2.0<3.2.6
Python Python>=3.3.0<3.3.6
Python Python>=3.4.0<3.4.2
Redhat Software Collections
Redhat Enterprise Linux=5.0
and 2 more
Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, ...
redhat/python<0:2.7.5-92.el7_9
redhat/python3<0:3.6.8-37.el8
redhat/python3<0:3.6.8-24.el8_2
redhat/rh-python36-python<0:3.6.12-1.el6
redhat/rh-python36-python-pip<0:9.0.1-5.el6
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el6
and 37 more
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
Python Python<=3.7.2
Canonical Ubuntu Linux=12.04
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
and 10 more
Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability...
redhat/python3<0:3.6.8-17.el7
redhat/python3<0:3.6.8-31.el8
redhat/rh-python36-python<0:3.6.12-1.el6
redhat/rh-python36-python-pip<0:9.0.1-5.el6
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el6
redhat/rh-python36-python<0:3.6.12-1.el7
and 32 more
Python could allow a remote attacker to execute arbitrary code on the system, caused by an insecure dependency load upon launch on Windows 7. An attacker could exploit this vulnerability to execute ar...
Python Python>=3.6.0<=3.6.10
Python Python>=3.7.0<=3.7.6
Python Python>=3.8.0<=3.8.1
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
redhat/python<0:2.7.5-90.el7
redhat/python3<0:3.6.8-18.el7
redhat/python<0:2.7.5-64.el7_4
redhat/python<0:2.7.5-84.el7_6
redhat/python<0:2.7.5-88.el7_7
redhat/python3<0:3.6.8-31.el8
and 41 more
library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: ...
Python Python=3.6.0
Python Python=3.7.0
Python Python=3.8.0
and 9 more
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Li...
redhat/python3<0:3.6.8-17.el7
redhat/python<0:2.7.5-89.el7
redhat/python3<0:3.6.8-31.el8
redhat/rh-python36-python<0:3.6.12-1.el6
redhat/rh-python36-python-pip<0:9.0.1-5.el6
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el6
and 40 more
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnN...
redhat/jbcs-httpd24-curl<0:7.64.1-36.jbcs.el6
redhat/jbcs-httpd24-httpd<0:2.4.37-57.jbcs.el6
redhat/jbcs-httpd24-nghttp2<0:1.39.2-25.jbcs.el6
redhat/jbcs-httpd24-curl<0:7.64.1-36.jbcs.el7
redhat/jbcs-httpd24-httpd<0:2.4.37-57.jbcs.el7
redhat/jbcs-httpd24-nghttp2<0:1.39.2-25.jbcs.el7
and 88 more
** DISPUTED ** The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3...
Python Python<=2.7.16
Python Python>=3.0.0<3.5.0
Microsoft Windows
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter...
redhat/rh-python36-python<0:3.6.12-1.el6
redhat/rh-python36-python-pip<0:9.0.1-5.el6
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el6
redhat/python27-python<0:2.7.18-2.el7
redhat/python27-python-pip<0:8.1.2-6.el7
redhat/python27-python-virtualenv<0:13.1.0-4.el7
and 19 more
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Bzip Bzip2<=1.0.6
Debian Debian Linux=8.0
openSUSE Leap=15.0
openSUSE Leap=15.1
Canonical Ubuntu Linux=12.04
Canonical Ubuntu Linux=14.04
and 44 more
A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which st...
redhat/python<0:2.7.5-80.el7_6
redhat/python27-python<0:2.7.16-6.el6
redhat/python27-python<0:2.7.16-6.el7
redhat/imgbased<0:1.1.9-0.1.el7e
redhat/ovirt-node-ng<0:4.3.5-0.20190717.0.el7e
redhat/redhat-release-virtualization-host<0:4.3.5-2.el7e
and 41 more
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the firs...
redhat/python<0:2.7.5-86.el7
redhat/python<0:2.7.5-63.el7_4
redhat/python<0:2.7.5-74.el7_5
redhat/python<0:2.7.5-83.el7_6
redhat/python3<0:3.6.8-15.1.el8
redhat/python27-python<0:2.7.16-4.el6
and 19 more
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering...
redhat/python<0:2.7.5-86.el7
redhat/python<0:2.7.5-63.el7_4
redhat/python<0:2.7.5-74.el7_5
redhat/python<0:2.7.5-83.el7_6
redhat/python3<0:3.6.8-15.1.el8
redhat/python27-python<0:2.7.16-6.el6
and 43 more

© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203