An issue was found in the CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (i.e. `extra_groups=[]`), the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original process's groups before starting the new process. There is no issue when the parameter isn't used or when any value other than an empty list is used. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products. There are no known workarounds for this vulnerability.

SAP BTP Security Services Integration Library (sap-xssec) - versions = 5.13.1`.

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserialization attack that will affect any user who initializes GoogleAuth from this package while a malicious YAML file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc`, which is included in release version `1.16.2`. There are no known workarounds for this vulnerability.

dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the `expires` parameter of the dpaste API, allowing for a POST reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities. Users are strongly advised to upgrade to dpaste release v3.8 or later, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability. No known workarounds have been identified, and applying the patch is the most effective way to remediate the vulnerability.

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST, etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

fastbots is a library for fast bot and scraper development using Selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with Python code that is executed without proper validation, which could lead to remote code execution (RCE).
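The two aiohttp advisories above both come down to a request field (method or version) reaching the request serializer unvalidated. The check below is an added example, not aiohttp's own code: it rejects any method that is not an RFC 9110 token and any version that is not an RFC 9112 `HTTP/D.D` string before a caller hands them to an HTTP client, and the sample inputs are constructed for illustration.

```python
import re

# RFC 9110 "token" grammar: the only characters an HTTP method may contain.
# CR, LF, SP and ":" are all absent, so a value carrying a header line or a
# second request line can never match.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# RFC 9112 HTTP-version grammar: "HTTP/" DIGIT "." DIGIT, nothing else.
_VERSION_RE = re.compile(r"HTTP/[0-9]\.[0-9]")


def validate_method(method: str) -> str:
    """Return `method` unchanged if it is a valid token, else raise ValueError."""
    if not _TOKEN_RE.fullmatch(method):
        raise ValueError(f"rejected HTTP method: {method!r}")
    return method


def validate_version(version: str) -> str:
    """Return `version` unchanged if it is a well-formed HTTP-version."""
    if not _VERSION_RE.fullmatch(version):
        raise ValueError(f"rejected HTTP version: {version!r}")
    return version


def is_safe_request_line(method: str, version: str) -> bool:
    """True only if both fields pass; only then should a request be built."""
    try:
        validate_method(method)
        validate_version(version)
    except ValueError:
        return False
    return True


# Constructed samples (not taken from any advisory): the first two are what a
# normal caller passes, the rest are the shapes the check must refuse.
SAMPLES = [
    ("GET", "HTTP/1.1", True),
    ("PATCH", "HTTP/1.0", True),
    ("GET\r\nX-Injected: 1", "HTTP/1.1", False),  # header line via method
    ("GET", "HTTP/1.1\r\nX-Injected: 1", False),  # header line via version
    ("G ET", "HTTP/1.1", False),                  # whitespace inside method
    ("GET", "HTTP/11", False),                    # malformed version
]


def check_samples() -> bool:
    """Run every sample through the check and confirm the expected verdicts."""
    return all(is_safe_request_line(m, v) is ok for m, v, ok in SAMPLES)


if __name__ == "__main__":
    for m, v, ok in SAMPLES:
        print(f"{m!r:26} {v!r:26} safe={is_safe_request_line(m, v)} expected={ok}")
```

This validation belongs in the caller regardless of the aiohttp version in use, since it stops attacker-controlled values at the boundary where they enter the application.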