National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): python
  • Search Type: Search All
There are 358 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2015-1852

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

Published: April 17, 2015; 01:59:02 PM -04:00
V2: 4.3 MEDIUM
CVE-2015-0693

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via a crafted pickle file, aka Bug ID CSCut39259.

Published: April 15, 2015; 06:59:01 AM -04:00
V2: 7.2 HIGH
CVE-2015-2775

Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.

Published: April 13, 2015; 10:59:02 AM -04:00
V2: 7.6 HIGH
CVE-2015-0692

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via crafted serialized objects, aka Bug ID CSCut39230.

Published: April 10, 2015; 09:59:02 PM -04:00
V2: 7.2 HIGH
CVE-2015-2316

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

Published: March 25, 2015; 10:59:02 AM -04:00
V2: 5.0 MEDIUM
CVE-2015-2296

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

Published: March 18, 2015; 12:59:03 PM -04:00
V2: 6.8 MEDIUM
CVE-2014-8165

scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

Published: February 19, 2015; 10:59:05 AM -05:00
V2: 10.0 HIGH
CVE-2014-9601

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

Published: January 16, 2015; 11:59:17 AM -05:00
V2: 5.0 MEDIUM
CVE-2013-2131

Format string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.

Published: January 04, 2015; 04:59:00 PM -05:00
V2: 5.0 MEDIUM
CVE-2014-9365

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: December 12, 2014; 06:59:07 AM -05:00
V2: 5.8 MEDIUM
CVE-2014-2667

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.

Published: November 15, 2014; 08:59:01 PM -05:00
V2: 3.3 LOW
CVE-2011-4104

The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

Published: October 26, 2014; 09:55:23 PM -04:00
V2: 7.5 HIGH
CVE-2011-4103

emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

Published: October 26, 2014; 09:55:23 PM -04:00
V2: 7.5 HIGH
CVE-2014-1929

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: October 25, 2014; 05:55:03 PM -04:00
V2: 4.4 MEDIUM
CVE-2014-1928

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: October 25, 2014; 05:55:03 PM -04:00
V2: 4.6 MEDIUM
CVE-2014-1927

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: October 25, 2014; 05:55:03 PM -04:00
V2: 7.5 HIGH
CVE-2014-3593

Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration.

Published: October 15, 2014; 10:55:06 AM -04:00
V2: 6.0 MEDIUM
CVE-2014-1830

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.

Published: October 15, 2014; 10:55:05 AM -04:00
V2: 5.0 MEDIUM
CVE-2014-1829

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.

Published: October 15, 2014; 10:55:05 AM -04:00
V2: 5.0 MEDIUM
CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.

Published: October 08, 2014; 01:55:05 PM -04:00
V2: 6.4 MEDIUM