Search CVE reports
151 – 160 of 828 results
Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
1 affected package
python-django
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-django | — | Not affected | Not affected | Not affected | Not affected |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a...
1 affected package
python-django
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-django | — | Fixed | Fixed | Fixed | Not affected |
Some fixes available 12 of 25
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
13 affected packages
pypy3, python2.7, python3.4, python3.5, python3.6...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| pypy3 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
| python2.7 | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| python3.4 | Not in release | Not in release | Not in release | — | — |
| python3.5 | Not in release | Not in release | Not in release | — | — |
| python3.6 | Not in release | Not in release | Not in release | — | Fixed |
| python3.7 | Not in release | Not in release | Not in release | — | Fixed |
| python3.8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| python3.9 | Not in release | Not in release | Not in release | Fixed | — |
| python3.10 | Not in release | Not in release | Fixed | — | — |
| python3.11 | Not in release | Not in release | Fixed | — | — |
| python3.12 | Not in release | Fixed | Not in release | — | — |
| python3.13 | Not in release | Not in release | Not in release | — | — |
| python3.14 | Not affected | Not in release | Not in release | — | — |
Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant,...
1 affected package
python-scrapy
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-scrapy | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
Some fixes available 2 of 5
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of...
1 affected package
python-authlib
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-authlib | Needs evaluation | Fixed | Fixed | — | — |
python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of...
1 affected package
python-ldap
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-ldap | — | Fixed | Fixed | Fixed | Fixed |
python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when...
1 affected package
python-ldap
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-ldap | — | Fixed | Fixed | Fixed | Fixed |
Some fixes available 2 of 5
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose...
1 affected package
python-authlib
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-authlib | Needs evaluation | Fixed | Fixed | — | — |
python-jose thru 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., is_admin=true) and...
1 affected package
python-jose
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-jose | Not in release | Needs evaluation | Needs evaluation | — | — |
Some fixes available 12 of 19
The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the...
12 affected packages
python2.7, python3.4, python3.5, python3.6, python3.7...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python2.7 | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| python3.4 | Not in release | Not in release | Not in release | — | — |
| python3.5 | Not in release | Not in release | Not in release | — | — |
| python3.6 | Not in release | Not in release | Not in release | — | Fixed |
| python3.7 | Not in release | Not in release | Not in release | — | Fixed |
| python3.8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| python3.9 | Not in release | Not in release | Not in release | Fixed | — |
| python3.10 | Not in release | Not in release | Fixed | — | — |
| python3.11 | Not in release | Not in release | Fixed | — | — |
| python3.12 | Not in release | Fixed | Not in release | — | — |
| python3.13 | Not in release | Not in release | Not in release | — | — |
| python3.14 | Not affected | Not in release | Not in release | — | — |