Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Python
(Python)| Repositories | https://github.com/python/cpython |
| #Vulnerabilities | 125 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2008-08-01 | CVE-2008-2315 | Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031. | Python | N/A | ||
| 2022-09-09 | CVE-2020-10735 | A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. | Fedora, Python, Enterprise_linux, Quay, Software_collections | 7.5 | ||
| 2020-02-04 | CVE-2019-9674 | Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. | Ubuntu_linux, Active_iq_unified_manager, Python | 7.5 | ||
| 2017-11-17 | CVE-2017-1000158 | CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution) | Debian_linux, Python | 9.8 | ||
| 2012-06-27 | CVE-2011-4940 | The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding. | Python | N/A | ||
| 2016-09-01 | CVE-2016-2183 | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. | Content_security_management_appliance, Node\.js, Openssl, Database, Python, Enterprise_linux, Jboss_enterprise_application_platform, Jboss_enterprise_web_server, Jboss_web_server | 7.5 | ||
| 2013-10-09 | CVE-2013-2099 | Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. | Ubuntu_linux, Python | N/A | ||
| 2016-05-26 | CVE-2016-0718 | Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. | Mac_os_x, Ubuntu_linux, Debian_linux, Libexpat, Policy_auditor, Firefox, Leap, Opensuse, Python, Linux_enterprise_debuginfo, Linux_enterprise_desktop, Linux_enterprise_server, Linux_enterprise_software_development_kit, Studio_onsite | 9.8 | ||
| 2016-09-02 | CVE-2016-5699 | CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. | Python | 6.1 | ||
| 2019-06-07 | CVE-2019-10160 | A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the... | Ubuntu_linux, Debian_linux, Fedora, Cloud_backup, Converged_systems_advisor_agent, Leap, Python, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Virtualization | 9.8 |