National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): python
  • Search Type: Search All
There are 352 matching records.
Displaying matches 181 through 200.
Vuln ID Summary CVSS Severity
CVE-2014-0105

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."

Published: April 15, 2014; 10:55:03 AM -04:00
V2: 6.0 MEDIUM
CVE-2012-6131

Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

Published: April 11, 2014; 11:55:16 AM -04:00
V2: 4.3 MEDIUM
CVE-2012-6130

Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.

Published: April 11, 2014; 11:55:05 AM -04:00
V2: 4.3 MEDIUM
CVE-2014-1912

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.

Published: February 28, 2014; 07:55:05 PM -05:00
V2: 7.5 HIGH
CVE-2013-6396

The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Published: February 18, 2014; 02:55:04 PM -05:00
V2: 5.8 MEDIUM
CVE-2013-2191

python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.

Published: February 07, 2014; 07:55:06 PM -05:00
V2: 4.3 MEDIUM
CVE-2013-6491

The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl, which allows remote attackers to obtain sensitive information by sniffing the network.

Published: February 01, 2014; 07:55:04 PM -05:00
V2: 4.3 MEDIUM
CVE-2014-1624

Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.

Published: January 27, 2014; 07:55:04 PM -05:00
V2: 3.3 LOW
CVE-2014-1604

The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.

Published: January 27, 2014; 07:55:04 PM -05:00
V2: 2.1 LOW
CVE-2013-2104

python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.

Published: January 21, 2014; 01:55:09 PM -05:00
V2: 5.5 MEDIUM
CVE-2013-4482

Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories.

Published: November 23, 2013; 06:55:04 AM -05:00
V2: 6.2 MEDIUM
CVE-2013-2099

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Published: October 09, 2013; 10:53:20 AM -04:00
V2: 4.3 MEDIUM
CVE-2013-2013

The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.

Published: October 01, 2013; 04:55:33 PM -04:00
V2: 2.1 LOW
CVE-2013-4314

The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

Published: September 30, 2013; 05:55:09 PM -04:00
V2: 4.3 MEDIUM
CVE-2013-5942

Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.

Published: September 27, 2013; 06:08:04 AM -04:00
V2: 6.8 MEDIUM
CVE-2013-5093

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

Published: September 27, 2013; 06:08:03 AM -04:00
V2: 6.8 MEDIUM
CVE-2013-1443

The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.

Published: September 23, 2013; 04:55:07 PM -04:00
V2: 5.0 MEDIUM
CVE-2013-4111

The Python client library for Glance (python-glanceclient) before 0.10.0 does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate and allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: August 28, 2013; 05:55:08 PM -04:00
V2: 5.8 MEDIUM
CVE-2013-2072

Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.

Published: August 28, 2013; 05:55:08 PM -04:00
V2: 7.4 HIGH
CVE-2013-1909

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: August 23, 2013; 12:55:07 PM -04:00
V2: 5.8 MEDIUM