CVE Daily
← All tags

Tag: Python

All CVEs associated with "Python". Page 12/14 • 1575 CVEs.

Subscribe CVEs: RSS for “Python”  ·  RSS (High+Critical only)

About “Python”

A curated feed of “Python”-related CVEs appears below. We currently track 1575 CVEs for this tag (all time). In the last 365 days, 558 were published. Average CVSS is 7.3 (all time; 7.4 over 365d), and 62% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-94 - Improper Control of Generation of Code ('Code Injection'), CWE-502 - Deserialization of Untrusted Data, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2018-09-12
High

CVE-2018-12175

Default install directory permissions in Intel Distribution for Python (IDP) version 2018 may allow an unprivileged user to escalate privileges via local access.

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2018-08-28
High

CVE-2018-14572

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.syste…

CVSS: 7.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2018-08-01
High

CVE-2018-3650

Insufficient Input Validation in Bleach module in INTEL Distribution for Python versions prior to IDP 2018 Update 2 allows unprivileged user to bypass URI sanitization via local vector.

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2018-07-30
High

CVE-2018-10903

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2018-06-19
Medium

CVE-2018-1061

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of s…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2018-06-18
High

CVE-2018-1060

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2018-05-31
Medium

CVE-2016-10561

Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`. Version 0.2.10 has a directory traversal vulnerability that is exploitable via the URL path in GET reque…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2018-05-08
Medium

CVE-2017-2592

python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error mess…

CVSS: 5.9 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2018-04-19
Medium

CVE-2018-2753

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Python modules). The supported version that is affected is 11.3. Difficult to exploit vulnerability allows l…

CVSS: 6.0 CWE: N/A View on NVD
2018-04-11
Medium

CVE-2018-0023

JSNAPy is an open source python version of Junos Snapshot Administrator developed by Juniper available through github. The default configuration and sample files of JSNAPy automation tool versions pr…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2018-04-06
Critical

CVE-2014-3539

base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.

CVSS: 9.8 CWE: N/A View on NVD
2018-03-08
High

CVE-2018-7889

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Pyt…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2018-03-07
Medium

CVE-2018-1000117

Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, li…

CVSS: 6.7 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2018-03-01
Medium

CVE-2017-18207

The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exceptio…

CVSS: 6.5 CWE: CWE-369 - Divide By Zero View on NVD
2018-02-22
Critical

CVE-2018-0015

A malicious user with unrestricted access to the AppFormix application management platform may be able to access a Python debug console and execute system commands with root privilege. The AppFormix…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2018-02-08
Low

CVE-2018-1000030

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be…

CVSS: 3.6 CWE: CWE-416 - Use After Free View on NVD
2018-02-05
High

CVE-2018-6461

March Hare WINCVS before 2.8.01 build 6610, and CVS Suite before 2009R2 build 6610, contains an Insecure Library Loading vulnerability in the wincvs2.exe or wincvs.exe file, which may allow local use…

CVSS: 7.8 CWE: CWE-426 - Untrusted Search Path View on NVD
2018-01-27
High

CVE-2018-6353

The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not under…

CVSS: 7.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2018-01-18
Medium

CVE-2018-5773

An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properl…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-01-03
Medium

CVE-2017-1000483

Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part…

CVSS: 6.5 CWE: N/A View on NVD
2018-01-02
High

CVE-2017-1000433

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2017-12-14
High

CVE-2017-17522

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-…

CVSS: 8.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2017-11-30
Medium

CVE-2017-12340

A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated,…

CVSS: 4.2 CWE: CWE-284 - Improper Access Control View on NVD
2017-11-17
Critical

CVE-2017-1000158

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code ex…

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Medium

CVE-2017-1000246

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.

CVSS: 5.3 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2017-11-13
Critical

CVE-2017-0906

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result…

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2017-11-10
Critical

CVE-2017-16764

An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulti…

CVSS: 9.8 CWE: N/A View on NVD
Critical

CVE-2017-16763

An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from "~/.confire.yaml" using the yaml.load fun…

CVSS: 9.8 CWE: N/A View on NVD
2017-11-08
Critical

CVE-2017-16618

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python c…

CVSS: 9.8 CWE: N/A View on NVD
Critical

CVE-2017-16616

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting…

CVSS: 9.8 CWE: N/A View on NVD
Critical

CVE-2017-16615

An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser…

CVSS: 9.8 CWE: N/A View on NVD
2017-10-19
Medium

CVE-2017-12301

A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and gain unauthorized access to the underlying opera…

CVSS: 6.7 CWE: CWE-20 - Improper Input Validation View on NVD
2017-09-15
Medium

CVE-2017-14483

flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by leve…

CVSS: 5.5 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2017-09-14
High

CVE-2017-2809

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2017-1002150

python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2017-08-25
High

CVE-2015-3206

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other u…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2017-08-24
Medium

CVE-2014-4616

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negati…

CVSS: 5.9 CWE: CWE-129 - Improper Validation of Array Index View on NVD
2017-08-09
Medium

CVE-2015-2674

Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-07-04
Medium

CVE-2017-10803

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated pr…

CVSS: 6.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2017-06-22
Critical

CVE-2017-9807

An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2017-06-14
High

CVE-2017-2810

An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker ca…

CVSS: 7.5 CWE: N/A View on NVD
2017-06-13
High

CVE-2015-3220

The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash).

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2017-06-06
High

CVE-2017-9462

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

CVSS: 8.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-06-01
High

CVE-2015-6531

Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file.

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2017-04-24
Low

CVE-2017-3590

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 2.1.5 and earlier. Easily "exploitable" vulnerability allows…

CVSS: 3.3 CWE: N/A View on NVD
2017-03-23
Medium

CVE-2017-5524

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.

CVSS: 4.3 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
High

CVE-2017-7235

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website.…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2017-02-24
Medium

CVE-2016-4043

Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.

CVSS: 4.9 CWE: CWE-264 View on NVD
2017-02-15
Critical

CVE-2013-7459

Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv p…

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2017-01-23
Critical

CVE-2016-7036

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.

CVSS: 9.8 CWE: CWE-361 View on NVD
2017-01-11
Low

CVE-2016-9015

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the l…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-01-10
High

CVE-2016-6581

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. T…

CVSS: 7.5 CWE: CWE-399 View on NVD
High

CVE-2016-6580

A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every p…

CVSS: 7.5 CWE: CWE-399 View on NVD
2016-12-21
High

CVE-2016-5851

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CVSS: 8.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-12-17
High

CVE-2016-9950

An issue was discovered in Apport before 2.20.4. There is a path traversal issue in the Apport crash file "Package" and "SourcePackage" fields. These fields are used to build a path to the package sp…

CVSS: 7.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2016-9949

An issue was discovered in Apport before 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote attackers t…

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2016-10-25
Medium

CVE-2016-5598

Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via v…

CVSS: 5.6 CWE: CWE-284 - Improper Access Control View on NVD
2016-09-26
Critical

CVE-2016-4972

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2016-09-02
Medium

CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP…

CVSS: 6.1 CWE: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') View on NVD
Critical

CVE-2016-5636

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negat…

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Medium

CVE-2016-0772

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypa…

CVSS: 6.5 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2016-06-07
Medium

CVE-2013-7440

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof serve…

CVSS: 5.9 CWE: CWE-19 View on NVD
2016-05-16
High

CVE-2015-4605

The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value,…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2015-4604

The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relatio…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2016-04-13
Medium

CVE-2016-2533

Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash)…

CVSS: 6.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2016-02-03
High

CVE-2015-7546

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty b…

CVSS: 7.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2016-01-13
Medium

CVE-2016-1494

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
2016-01-01
High

CVE-2015-7489

IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses weak permissions (Everyone: Write) for Python scripts, which allows local users to gain privileges by modifying a script.

CVSS: 7.8 CWE: CWE-264 View on NVD
2015-11-25
Medium

CVE-2015-5306

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by trigge…

CVSS: 6.8 CWE: CWE-254 View on NVD
Medium

CVE-2015-5242

OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a cra…

CVSS: 6.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2015-10-06
High

CVE-2015-5652

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE…

CVSS: 7.2 CWE: N/A View on NVD
2015-08-31
High

CVE-2014-2331

Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers b…

CVSS: 8.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2015-07-03
High

CVE-2015-4234

Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887…

CVSS: 7.2 CWE: CWE-264 View on NVD
Low

CVE-2015-4231

The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileg…

CVSS: 3.6 CWE: CWE-264 View on NVD
2015-07-01
Medium

CVE-2015-1950

IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain Po…

CVSS: 4.6 CWE: CWE-255 View on NVD
2015-05-01
Critical

CVE-2015-3446

The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg).

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2015-04-17
Medium

CVE-2015-1852

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configurat…

CVSS: 4.3 CWE: CWE-17 View on NVD
2015-04-15
High

CVE-2015-0693

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execut…

CVSS: 7.2 CWE: CWE-20 - Improper Input Validation View on NVD
2015-04-11
High

CVE-2015-0692

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execut…

CVSS: 7.2 CWE: CWE-264 View on NVD
2015-03-25
Medium

CVE-2015-2316

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of servi…

CVSS: 5.0 CWE: CWE-399 View on NVD
2015-02-19
Critical

CVE-2014-8165

scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

CVSS: 10.0 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2015-01-04
Medium

CVE-2013-2131

Format string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdt…

CVSS: 5.0 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
2014-12-12
Medium

CVE-2014-9365

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check…

CVSS: 5.8 CWE: N/A View on NVD
2014-11-16
Low

CVE-2014-2667

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file per…

CVSS: 3.3 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2014-10-27
High

CVE-2011-4104

The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2011-4103

emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the y…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2014-10-25
Medium

CVE-2014-1929

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists b…

CVSS: 4.4 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2014-1928

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors,…

CVSS: 4.6 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2014-1927

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2014-10-15
Medium

CVE-2014-3593

Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration.

CVSS: 6.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2014-1830

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2014-1829

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-10-08
Medium

CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.

CVSS: 6.4 CWE: CWE-189 View on NVD
2014-10-02
Medium

CVE-2014-7144

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (pa…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-09-30
Medium

CVE-2012-5506

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permissi…

CVSS: 5.0 CWE: CWE-399 View on NVD
Medium

CVE-2012-5499

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.

CVSS: 5.0 CWE: CWE-399 View on NVD
Medium

CVE-2012-5495

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

CVSS: 5.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2012-5494

Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, relat…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2012-5493

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.

CVSS: 8.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2012-5488

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVSS: 5.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2012-5487

The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and e…

CVSS: 8.5 CWE: CWE-264 View on NVD
Medium

CVE-2012-5485

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2014-09-02
Critical

CVE-2014-5340

The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object,…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2014-0485

S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2014-08-25
Medium

CVE-2014-3589

PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2014-07-07
Critical

CVE-2014-2967

Autodesk VRED Professional 2014 before SR1 SP8 allows remote attackers to execute arbitrary code via Python os library calls in Python API commands to the integrated web server.

CVSS: 10.0 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2014-06-19
Medium

CVE-2013-1068

The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.…

CVSS: 5.0 CWE: CWE-264 View on NVD
2014-06-09
High

CVE-2013-7323

python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVSS: 7.5 CWE: N/A View on NVD
2014-05-20
Medium

CVE-2013-4347

The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess…

CVSS: 5.8 CWE: CWE-310 View on NVD
Medium

CVE-2013-4346

The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-05-19
Medium

CVE-2013-7040

Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictab…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-05-14
Medium

CVE-2013-5655

Directory traversal vulnerability in the FTP server in YingZhi Python Programming Language for iOS 1.9 allows remote attackers to read and possibly write arbitrary files via a .. (dot dot) in the def…

CVSS: 6.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2014-05-08
Low

CVE-2014-1934

tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.

CVSS: 3.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2014-04-27
Critical

CVE-2014-3007

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possib…

CVSS: 10.0 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2014-04-23
Medium

CVE-2014-0472

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Pyth…

CVSS: 5.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2014-04-22
High

CVE-2013-7338

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read,…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2014-04-17
Low

CVE-2014-1933

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes…

CVSS: 2.1 CWE: CWE-264 View on NVD
Medium

CVE-2014-1932

The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (…

CVSS: 4.4 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2014-04-15
Medium

CVE-2014-0105

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authen…

CVSS: 6.0 CWE: CWE-255 View on NVD
2014-03-01
High

CVE-2014-1912

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code…

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD