Filtered by vendor Python
Subscribe
Total
226 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-0772 | 1 Python | 1 Python | 2025-04-12 | 5.8 MEDIUM | 6.5 MEDIUM |
| The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." | |||||
| CVE-2014-9365 | 2 Apple, Python | 2 Mac Os X, Python | 2025-04-12 | 5.8 MEDIUM | N/A |
| The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2013-7040 | 2 Apple, Python | 2 Mac Os X, Python | 2025-04-12 | 4.3 MEDIUM | N/A |
| Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150. | |||||
| CVE-2014-1932 | 2 Python, Pythonware | 2 Pillow, Python Imaging Library | 2025-04-12 | 4.4 MEDIUM | N/A |
| The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. | |||||
| CVE-2016-5636 | 1 Python | 1 Python | 2025-04-12 | 10.0 HIGH | 9.8 CRITICAL |
| Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. | |||||
| CVE-2014-9601 | 4 Fedoraproject, Opensuse, Oracle and 1 more | 4 Fedora, Opensuse, Solaris and 1 more | 2025-04-12 | 5.0 MEDIUM | N/A |
| Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. | |||||
| CVE-2016-9190 | 2 Debian, Python | 2 Debian Linux, Pillow | 2025-04-12 | 6.8 MEDIUM | 7.8 HIGH |
| Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component. | |||||
| CVE-2016-9189 | 2 Debian, Python | 2 Debian Linux, Pillow | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component. | |||||
| CVE-2014-1830 | 2 Opensuse, Python | 2 Opensuse, Requests | 2025-04-12 | 5.0 MEDIUM | N/A |
| Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request. | |||||
| CVE-2015-5652 | 2 Microsoft, Python | 2 Windows, Python | 2025-04-12 | 7.2 HIGH | N/A |
| Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE: the vendor says "It was determined that this is a longtime behavior of Python that cannot really be altered at this point." | |||||
| CVE-2014-2667 | 1 Python | 1 Python | 2025-04-12 | 3.3 LOW | N/A |
| Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value. | |||||
| CVE-2016-0718 | 9 Apple, Canonical, Debian and 6 more | 14 Mac Os X, Ubuntu Linux, Debian Linux and 11 more | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. | |||||
| CVE-2016-5699 | 1 Python | 1 Python | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. | |||||
| CVE-2011-4940 | 1 Python | 1 Python | 2025-04-11 | 2.6 LOW | N/A |
| The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding. | |||||
| CVE-2011-4944 | 1 Python | 1 Python | 2025-04-11 | 1.9 LOW | N/A |
| Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. | |||||
| CVE-2013-1633 | 1 Python | 1 Setuptools | 2025-04-11 | 6.8 MEDIUM | N/A |
| easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product. | |||||
| CVE-2010-3493 | 1 Python | 1 Python | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492. | |||||
| CVE-2012-0845 | 1 Python | 1 Python | 2025-04-11 | 5.0 MEDIUM | N/A |
| SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. | |||||
| CVE-2013-2099 | 2 Canonical, Python | 2 Ubuntu Linux, Python | 2025-04-11 | 4.3 MEDIUM | N/A |
| Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. | |||||
| CVE-2011-1015 | 1 Python | 1 Python | 2025-04-11 | 5.0 MEDIUM | N/A |
| The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI. | |||||