Releases5
Frequency10 months 2 weeks
Last Release
Interact with a long-running python child process

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
< 3.15.07.5 HIGH

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

<= 3.14.4, = 3.15.07.5 HIGH

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

< 3.15.06.1 MEDIUM

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

< 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.03.3 LOW

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

< 3.10.0, >= 3.13.0, < 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.07.5 HIGH

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

< 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.07.5 HIGH

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

< 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.03.3 LOW

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

< 3.13.10, >= 3.14.0, < 3.14.1, = 3.15.05.3 MEDIUM

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

< 3.13.11, >= 3.14.0, < 3.14.2, = 3.15.05.3 MEDIUM

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

= *, = 3.14.0, = 3.15.0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.117.5 HIGH

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

< 3.13.10, >= 3.14.0, < 3.14.1, = 3.15.05.5 MEDIUM

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

< 3.9.0, >= 3.13.1, < 3.13.11, >= 3.14.0, < 3.14.1, = 3.15.05.5 MEDIUM

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

= 3.14.0, >= 3.13.0, < 3.13.1, >= 3.12.0, < 3.12.8, >= 3.11.0, < 3.11.11, >= 3.10.0, < 3.10.16, < 3.9.217.8 HIGH

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

= 3.13.0, = *, >= 3.12.0, < 3.12.6, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.107.5 HIGH

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

= 3.13.0, = *, >= 3.12.0, < 3.12.6, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.107.5 HIGH

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

= 3.12.0, = 3.13.06.1 MEDIUM

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

>= 3.11.0, < 3.11.5, >= 3.10.0, < 3.10.13, >= 3.9.0, < 3.9.18, < 3.8.185.3 MEDIUM

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

>= 3.11.0, <= 3.11.47.5 HIGH

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

= *, >= 3.7.0, < 3.7.10, < 3.6.13, >= 3.9.0, < 3.9.1, >= 3.8.0, < 3.8.79.8 CRITICAL

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

= *, >= 3.7.0, < 3.7.10, < 3.6.13, >= 3.9.0, < 3.9.1, >= 3.8.0, < 3.8.75.9 MEDIUM

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

= *, = 3.10.0, >= 3.9.0, < 3.9.1, >= 3.7.0, < 3.7.10, < 3.6.13, >= 3.8.0, < 3.8.76.5 MEDIUM

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

= *, = 3.9.0, >= 3.8.0, < 3.8.2, >= 3.7.0, < 3.7.7, < 3.6.117.5 HIGH

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

= 3.13.05.3 MEDIUM

An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.

<= 3.11.47.5 HIGH

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.

= 3.12.05.5 MEDIUM

CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.

= *, <= 2.7.18, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6, >= 3.0, < 3.8.205.3 MEDIUM

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

= *, >= 3.10.0, < 3.10.12, >= 3.9.0, < 3.9.17, >= 3.8.0, < 3.8.17, < 3.7.17, >= 3.11.0, < 3.11.47.5 HIGH

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

= 3.11.0, <= 3.7.15, >= 3.8.0, <= 3.8.15, >= 3.9.0, <= 3.9.15, >= 3.10.0, <= 3.10.87.5 HIGH

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

= *, >= 3.9.0, < 3.9.16, >= 3.10.0, < 3.10.9, >= 3.8.3, <= 3.8.15, >= 3.7.3, <= 3.7.157.8 HIGH

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

>= 3.8.0, < 3.8.16, >= 3.9.0, < 3.9.16, >= 3.10.0, < 3.10.9, >= 3.6.0, < 3.7.169.8 CRITICAL

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

= 3.7, = 3.11.0, >= 3.7.0, < 3.7.14, >= 3.8.0, < 3.8.14, >= 3.10.0, < 3.10.7, >= 3.9.0, < 3.9.147.5 HIGH

A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

>= 3.9.0, < 3.9.3, >= 3.8.0, < 3.8.9, >= 3.7.0, < 3.7.11, >= 3.6.0, < 3.6.14, = 3.10.05.3 MEDIUM

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

= 3.11.0, >= 3.8.0, < 3.8.14, >= 3.0.0, < 3.7.14, >= 3.10.0, < 3.10.6, >= 3.9.0, < 3.9.147.4 HIGH

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

= 2.7.135 MEDIUM4.4 MEDIUM

A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

= *, >= 3.8.0, <= 3.8.15, >= 3.9.0, <= 3.9.15, >= 3.10.0, < 3.10.8, >= 3.7.0, <= 3.7.157.6 HIGH8 HIGH

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

>= 3.10.0, < 3.10.5, >= 3.9.0, < 3.9.13, >= 3.7.0, < 3.7.14, >= 3.8.0, < 3.8.147.5 HIGH5 MEDIUM

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

<= 3.7.12, >= 3.8.0, <= 3.8.12, >= 3.9.0, <= 3.9.10, >= 3.10.0, <= 3.10.2, = 3.11.07 HIGH4.4 MEDIUM

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

>= 3.9.0, < 3.9.5, >= 3.7.0, < 3.7.11, < 3.6.14, = 3.10.0, >= 3.8.0, < 3.8.106.5 MEDIUM4 MEDIUM

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

>= 3.8.0, < 3.8.11, >= 3.7.0, < 3.7.11, >= 3.9.0, < 3.9.6, >= 3.6.0, < 3.6.147.5 HIGH7.1 HIGH

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

= 3.10.0, >= 3.9.0, < 3.9.5, >= 3.8.0, < 3.8.11, >= 3.7.0, < 3.7.11, < 3.6.147.5 HIGH5 MEDIUM

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

>= 3.8.0, < 3.8.8, >= 3.7.0, < 3.7.10, >= 3.6.0, < 3.6.13, = 3.10.0, < 2.7.18, >= 3.9.0, < 3.9.35.7 MEDIUM2.7 LOW

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

>= 3.9.56.1 MEDIUM4.3 MEDIUM

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

>= 3.9.0, < 3.9.5, >= 3.8.0, < 3.8.129.8 CRITICAL7.5 HIGH

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

= *6.1 MEDIUM4.3 MEDIUM

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).

< 3.0.07.5 HIGH7.1 HIGH

StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name).

>= 3.9.0, < 3.9.2, >= 3.8.0, < 3.8.8, >= 3.7.0, < 3.7.10, < 3.6.135.9 MEDIUM4 MEDIUM

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

>= 3.7.0, <= 3.7.9, >= 3.9.0, <= 3.9.1, >= 3.8.0, <= 3.8.7, >= 3.6.0, <= 3.6.129.8 CRITICAL7.5 HIGH

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

>= 3.6.08.8 HIGH6.5 MEDIUM

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.

>= 3.7.0, < 3.7.10, >= 3.9.0, < 3.9.1, >= 3.8.0, < 3.8.7, >= 3.0.0, < 3.6.139.8 CRITICAL7.5 HIGH

In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.

>= 3.0.0, < 3.5.10, >= 3.8.0, < 3.8.5, >= 3.7.0, < 3.7.9, >= 3.6.0, < 3.6.127.2 HIGH6.4 MEDIUM

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

>= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.59.8 CRITICAL7.5 HIGH

In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.

>= 3.8.0, < 3.8.5, >= 3.7.0, < 3.7.9, >= 3.6.0, < 3.6.12, >= 3.5.0, < 3.5.107.5 HIGH5 MEDIUM

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

>= 3.5.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.4, = 3.8.4, = 3.9.07.8 HIGH6.9 MEDIUM

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.

>= 3.0.0, < 3.5.10, >= 3.7.0, < 3.7.9, >= 3.6.0, < 3.6.12, >= 3.8.0, < 3.8.45.9 MEDIUM4.3 MEDIUM

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

>= 3.2.0, < 3.2.6, >= 3.4.0, < 3.4.3, >= 2.7.0, < 2.7.9, >= 3.3.0, < 3.3.67.5 HIGH5 MEDIUM

The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.

>= 3.2.0, < 3.2.6, >= 3.3.0, < 3.3.6, >= 3.4.0, < 3.4.2, >= 2.7.0, < 2.7.89.8 CRITICAL7.5 HIGH

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

= *, >= 3.2, <= 3.87.5 HIGH5 MEDIUM

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

>= 3.8.0, <= 3.8.1, >= 3.7.0, <= 3.7.6, >= 3.6.0, <= 3.6.10, >= 3.5.0, <= 3.5.9, >= 2.7.0, <= 2.7.176.5 MEDIUM7.1 HIGH

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

>= 3.8.0, <= 3.8.1, >= 3.7.0, <= 3.7.6, >= 3.6.0, <= 3.6.105.5 MEDIUM4.3 MEDIUM

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.

>= 3.3.0, < 3.3.7, >= 3.5.0, < 3.5.3, >= 2.7.0, < 2.7.13, >= 3.4.0, < 3.4.66.1 MEDIUM5.8 MEDIUM

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.

>= 3.7.0, < 3.7.3, >= 3.6.0, < 3.6.9, >= 3.5.0, < 3.5.7, >= 2.7.0, < 2.7.16, >= 3.4.0, < 3.4.107.5 HIGH5 MEDIUM

An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.

>= 2.0, <= 2.7.17, >= 3.8.0, < 3.8.3, >= 3.0, < 3.5.10, >= 3.6.0, < 3.6.11, >= 3.7.0, < 3.7.86.1 MEDIUM4.3 MEDIUM

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.

= 3.8.0, = 3.6.0, = 3.7.07.5 HIGH5 MEDIUM

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

= *, >= 2.7.0, < 2.7.17, >= 3.7.0, < 3.7.5, >= 3.6.0, < 3.6.10, >= 3.0.0, < 3.5.86.1 MEDIUM4.3 MEDIUM

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

<= 2.7.16, >= 3.5.0, <= 3.5.7, >= 3.6.0, <= 3.6.9, >= 3.7.0, <= 3.7.4, >= 3.0.0, <= 3.0.1, >= 3.1.0, <= 3.1.5, >= 3.2.0, <= 3.2.6, >= 3.3.0, <= 3.3.7, >= 3.4.0, <= 3.4.107.5 HIGH5 MEDIUM

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

>= 3.5.0, < 3.5.8, >= 2.7.0, < 2.7.17, >= 3.7.0, < 3.7.5, >= 3.6.0, < 3.6.107.5 HIGH5 MEDIUM

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

>= 2.0, <= 2.7.16, >= 3.7.0, < 3.7.3, >= 3.6.0, < 3.6.9, >= 3.5.0, < 3.5.7, >= 3.0.0, < 3.4.105 MEDIUM

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

<= 2.7.16, >= 3.0.0, < 3.5.09.3 HIGH

The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x

>= 3.10.0, < 3.10.3, >= 3.9.0, < 3.9.11, >= 3.8.0, < 3.8.13, >= 3.7.0, < 3.7.139.8 CRITICAL7.5 HIGH

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

>= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.4, >= 3.5.0, < 3.5.8, >= 2.7.0, < 2.7.17, = 3.8.09.8 CRITICAL5 MEDIUM

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

>= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.4, >= 3.5.0, < 3.5.8, >= 2.0, < 2.7.179.1 CRITICAL6.4 MEDIUM

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

>= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.4, >= 3.5.0, < 3.5.8, >= 2.7.0, < 2.7.176.1 MEDIUM4.3 MEDIUM

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

>= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.4, >= 3.5.0, < 3.5.8, >= 2.0, < 2.7.176.1 MEDIUM4.3 MEDIUM

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

>= 3.7.0, < 3.7.3, >= 3.6.0, < 3.6.9, >= 3.5.0, < 3.5.7, >= 3.0.0, < 3.4.10, >= 2.7.0, < 2.7.179.8 CRITICAL5 MEDIUM

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

>= 3.4.0, < 3.7.15 MEDIUM

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

>= 3.5.0, <= 3.5.6, >= 2.7.0, <= 2.7.15, = 3.7.0, >= 3.4.0, <= 3.4.9, >= 3.6.0, <= 3.6.67.5 HIGH5 MEDIUM

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

>= 2.7.0, < 2.7.169.8 CRITICAL7.5 HIGH

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

< 2.7.15, >= 3.0, < 3.4.9, >= 3.6, <= 3.6.4, >= 3.5.0, <= 3.5.5, = 3.7.05 MEDIUM

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

>= 2.7.0, < 2.7.15, >= 3.5.0, < 3.5.6, >= 3.0.0, < 3.4.9, > 3.6.0, < 3.6.57.5 HIGH5 MEDIUM

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

>= 3.6.0, < 3.6.2, >= 3.5.0, < 3.5.4, >= 3.4.0, < 3.4.7, >= 3.3.0, < 3.3.7, >= 2.7.0, < 2.7.159.8 CRITICAL7.5 HIGH

An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.

>= 3.2.0, < 3.4.9, >= 3.5.0, < 3.5.6, >= 3.6.0, < 3.6.5, = 3.7.06.7 MEDIUM7.2 HIGH

Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.

<= 3.6.44.3 MEDIUM

The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions.

<= 2.7.143.6 LOW3.3 LOW

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.

<= 3.6.36.8 MEDIUM

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting

< 2.7.15, >= 3.5.0, < 3.5.5, >= 3.4.0, < 3.4.89.8 CRITICAL7.5 HIGH

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)

>= 3.3.0, < 3.3.6, >= 2.7.0, < 2.7.7, >= 3.0.0, < 3.2.6, >= 3.4.0, < 3.4.15.9 MEDIUM4.3 MEDIUM

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

>= 3.6.0, < 3.6.2, >= 3.5.0, < 3.5.4, >= 3.4.0, < 3.4.7, >= 3.3.0, < 3.3.7, >= 2.7.0, < 2.7.157.5 HIGH5 MEDIUM

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

<= 2.7.9, = 3.1.1, = 3.3.2, = 3.0, = 3.0.1, = 3.2.2, = 3.1.0, = 3.2.5, = 3.1.5, = 3.3.6, = 3.2.3, = 3.3.3, = 3.3.4, = 3.1.2, = 3.1.3, = 3.2.4, = 3.3.5, = 3.2.0, = 3.2.1, = 3.3.1, = 3.4.2, = 3.4.3, = 3.1.4, = 3.2.6, = 3.3.0, = 3.4.0, = 3.4.14.3 MEDIUM

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

= 3.1.1, = 3.3.2, = 3.0, = 3.0.1, = 3.2.2, = 3.1.0, = 3.2.5, = 3.1.5, = 3.3.6, = 3.1.2, = 3.2.3, = 3.2.4, = 3.3.5, = 3.1.3, = 3.1.4, = 3.2.6, = 3.3.0, = 3.4.0, = 3.4.1, = 3.2.1, = 3.3.3, = 3.3.4, = 3.4.4, = 3.2.0, = 3.3.1, = 3.4.2, = 3.4.3, <= 2.7.11, = 3.5.0, = 3.5.110 HIGH

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

= 3.5.0, = 3.5.1, = 3.1.1, = 3.3.2, = 3.0, = 3.0.1, = 3.2.2, = 3.1.0, = 3.2.5, = 3.1.5, = 3.3.6, = 3.2.1, = 3.1.2, = 3.2.3, = 3.2.4, = 3.3.4, = 3.3.5, = 3.1.3, = 3.1.4, = 3.2.6, = 3.4.0, = 3.3.3, = 3.4.4, = 3.2.0, = 3.3.0, = 3.3.1, = 3.4.1, = 3.4.2, = 3.4.3, <= 2.7.115.8 MEDIUM

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

>= 3.4.0, < 3.4.7, >= 3.5.0, < 3.5.3, >= 2.7.0, < 2.7.137.5 HIGH5 MEDIUM

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

>= 3.6.0, < 3.6.2, >= 3.5.0, < 3.5.4, >= 3.4.0, < 3.4.7, >= 3.3.0, < 3.3.7, >= 2.7.0, < 2.7.158.1 HIGH6.8 MEDIUM

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.

>= 3.10.0, < 3.10.3, >= 3.9.0, < 3.9.11, >= 3.8.0, < 3.8.13, >= 3.7.0, < 3.7.136.5 MEDIUM4.3 MEDIUM

Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.

<= 2.7.8, = 3.1, = 3.1.1, = 3.3.2, = 3.0, = 3.3.1, = 3.0.1, = 3.2.2, = 3.3, = 3.2.5, = 3.2.4, = 3.2.3, = 3.1.5, = 3.1.4, = 3.2.6, = 3.2, = 3.2.1, = 3.2.0, = 3.1.2, = 3.3.0, = 3.2.2150, = 3.1.3, = 3.1.21504.3 MEDIUM

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.

>= 3.6.0, < 3.6.2, >= 3.5.0, < 3.5.4, >= 3.4.0, < 3.4.7, >= 3.3.0, < 3.3.7, >= 2.7.0, < 2.7.159.8 CRITICAL7.5 HIGH

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

<= 3.5.07.2 HIGH

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE: the vendor says "It was determined that this is a longtime behavior of Python that cannot really be altered at this point."

>= 3.3.0, < 3.3.7, >= 3.5.0, < 3.5.2, >= 3.4.0, < 3.4.5, >= 2.7.0, < 2.7.126.8 MEDIUM

Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.

= 2.7.6, = 2.4.2, = 3.3.5, = 3.1, = 3.3.3, = 3.1.1, = 3.3.2, = 2.7.8, = 2.5.1, = 2.1.2, = 2.6.6, = 2.7.1150, = 3.0, = 3.0.1, = 3.1.5, = 3.2.5, = 2.0.1, = 2.1, = 2.3.1, = 3.2.2150, = 3.3.1, = 2.3.4, = 2.6.1, = 3.3, = 2.7.4, = 3.2.2, = 3.3.4, = 2.1.1, = 2.3.2, = 2.3.3, = 2.5.4, = 2.6.6150, = 2.7.2, = 3.3.6, = 2.5.2, = 2.5.3, = 2.6.4, = 2.7.1, = 2.7.7, = 3.2.3, = 2.4.6, = 2.6.7, = 2.6.8, = 2.7.3, = 3.2.0, = 3.4.0, = 2.0, = 2.2.1, = 2.2.2, = 2.2.3, = 2.3.7, = 2.6.2150, = 2.6.3, = 3.1.2, = 3.1.2150, = 3.2.1, = 2.4.3, = 2.4.4, = 2.5.6, = 3.2, = 3.2.4, = 3.4, = 2.4.1, = 2.6.5, = 3.1.3, = 3.1.4, = 2.1.3, = 2.2, = 2.3.5, = 2.6.2, = 2.7.2150, = 3.2.6, = 3.4.1, = 2.5.150, = 2.7.5, = 3.3.0, = 3.4.25.8 MEDIUM

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

= 3.3.2, = 3.2.2, = 3.2.5, = 3.3.6, = 3.4.0, = 3.2.1, = 3.2.0, = 3.3.1, = 3.3.4, = 3.2.6, = 3.3.0, = 3.4.1, = 3.4.2, = 3.2.4, = 3.3.5, = 3.2.3, = 3.3.33.3 LOW

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.

= 2.7.6, <= 2.7.7, = 2.7.1150, = 2.7.4, = 2.7.1, = 2.7.3, = 2.7.2, = 2.7.5, = 2.7.21506.4 MEDIUM

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.

>= 3.4.0, < 3.4.2, >= 2.7.0, < 2.7.87.4 HIGH5.8 MEDIUM

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

= 2.7.6, = 3.3.5, = 3.1, = 3.3.3, = 3.1.1, = 3.3.2, = 3.0, = 3.3.1, = 3.0.1, = 3.2.5, = 2.7.1, = 3.3, = 3.3.4, = 3.2.0, = 3.2.1, = 3.1.2, = 2.7.1150, = 3.2.2, = 3.2.2150, = 3.2.3, = 3.1.5, = 2.7.3, = 2.7.4, = 3.2, = 2.7.5, = 2.7.7, = 3.3.0, = 3.1.3, = 3.1.4, = 2.7.2, = 2.7.2150, = 3.2.44.3 MEDIUM

Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.

= 3.3.3, = 3.3.2, = 3.3.1, = 3.3.07.1 HIGH

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.

= 2.7.6, = 2.5.1, = 2.6.6, = 2.7.1150, = 2.6.1, = 2.7.4, = 2.5.4, = 2.6.3, = 2.6.2150, = 2.7.2, = 2.7.2150, = 2.6.4, = 2.6.5, = 2.7.5, = 2.7.3, = 2.6.6150, = 2.5.3, = 2.7.1, = 2.5.150, = 2.5.2, = 2.6.2, = 2.6.7, = 2.6.8, = 2.5.6, = 3.1, = 3.1.1, = 3.3.2, = 3.0, = 3.0.1, = 3.2.2, = 3.3, = 3.2.5, = 3.1.5, = 3.2, = 3.3.3, = 3.1.2150, = 3.1.3, = 3.2.2150, = 3.4, = 3.1.4, = 3.2.3, = 3.2.4, = 3.1.2, = 3.2.0, = 3.2.1, = 3.3.0, = 3.3.17.5 HIGH

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.

>= 3.8.0, < 3.8.12, >= 3.9.0, < 3.9.7, >= 3.7.0, < 3.7.12, >= 3.6.0, < 3.6.156.8 MEDIUM

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

= 3.3.2, = 3.2.2, = 3.2.5, = 3.2.1, = 3.2.0, = 3.3.1, = 3.2.3, = 3.3.0, = 3.2.44.3 MEDIUM

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

= 3.1, = 3.1.1, = 3.0, = 2.6.6, = 3.0.1, = 2.7.1150, = 3.3, = 2.6.1, = 3.1.5, = 2.6.7, = 2.6.8, = 2.7.3, = 2.6.3, = 2.6.4, = 2.7.1, = 3.2.2150, = 3.2.3, = 2.6.2, = 2.6.2150, = 3.2, = 3.4, = 2.6.6150, = 2.7.2, = 3.1.2, = 3.1.2150, = 2.7.2150, = 3.1.3, = 3.1.4, = 2.6.54.3 MEDIUM

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

= 2.4.2, = 2.5.1, = 2.3.4, = 2.6.6, = 2.1, = 2.0.1, = 2.6.1, = 2.3.1, = 0.9.1, = 2.3.2, = 2.3.3, = 2.1.1, = 2.1.2, = 1.5.2, = 1.2, = 2.6.3, = 2.4.6, = 2.2.2, = 2.0, = 0.9.0, = 2.6.2150, = 2.5.4, = 2.2.3, = 2.2.1, = 1.6.1, = 1.6, = 1.3, = 2.6.5, = 2.5.3, = 2.5.6, = 2.4.4, <= 2.6.7, = 2.6.6150, = 2.5.150, = 2.4.3, = 2.6.4, = 2.5.2, = 2.4.1, = 2.3.7, = 2.6.2, = 2.3.5, = 2.2, = 2.1.3, = 2.7.1, = 2.7.1150, = 2.7.2, = 2.7.2150, = 3.1, = 3.1.1, = 3.0, = 3.0.1, = 3.1.2, = 3.1.3, = 3.1.4, = 3.2.2150, = 3.25 MEDIUM

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

= 2.4.2, = 2.5.1, = 2.3.4, = 2.6.6, = 2.1, = 2.0.1, = 2.6.1, = 2.3.1, = 0.9.1, = 2.6.3, = 2.6.2150, = 2.4.6, = 2.3.2, = 1.3, = 2.3.3, = 2.1.1, = 2.1.2, = 1.5.2, = 1.2, = 2.2.2, = 2.2.3, = 2.0, = 0.9.0, = 2.5.4, = 2.2.1, = 1.6.1, = 1.6, = 2.6.4, = 2.5.2, = 2.6.5, = 2.5.3, = 2.5.6, = 2.4.4, = 2.3.7, = 2.1.3, <= 2.6.7, = 2.6.6150, = 2.5.150, = 2.4.3, = 2.4.1, = 2.6.2, = 2.3.5, = 2.2, = 2.7.1, = 2.7.1150, = 2.7.2, = 2.7.2150, = 3.1, = 3.1.1, = 3.0, = 3.0.1, = 3.1.2, = 3.1.3, = 3.1.4, = 3.2.2150, = 3.25 MEDIUM

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

= 3.1, = 3.1.1, = 3.0, = 2.6.6, = 3.0.1, = 2.7.1150, = 2.6.1, = 3.1.5, = 2.6.3, = 2.6.2, = 2.6.5, = 2.7.2, = 2.7.1, = 3.2, = 2.6.2150, = 2.6.4, = 2.7.2150, = 2.6.7, = 2.6.8, = 3.1.2, = 3.1.3, = 2.6.6150, = 3.1.2150, = 2.7.3, = 3.1.41.9 LOW

Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

= *, >= 3.3.0, < 3.3.3, >= 3.2.0, < 3.2.4, >= 2.7.0, < 2.7.46.4 MEDIUM

The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.

>= 3.2.0, < 3.2.3, >= 3.1.0, < 3.1.5, >= 2.7.0, < 2.7.3, >= 2.6.0, < 2.6.84.3 MEDIUM

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

= 2.4.2, = 2.5.1, = 2.3.4, = 2.0.1, = 2.3.1, = 0.9.1, = 2.1.2, = 0.9.0, = 1.6.1, <= 2.5.6, = 2.5.4, = 2.3.7, = 2.2.2, = 2.2.3, = 1.2, = 1.3, = 2.4.6, = 2.4.4, = 2.3.3, = 2.2.1, = 1.6, = 2.3.5, = 2.1.1, = 2.5.3, = 2.5.2, = 2.3.2, = 1.5.2, = 2.4.3, = 2.4.1, = 2.1.3, = 2.6.6, = 2.6.1, = 2.6.3, = 2.6.4, = 2.6.2, = 2.6.5, = 2.7.1, = 2.7.22.6 LOW

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.