diff --git a/docker/rancher/security.json b/docker/rancher/security.json new file mode 100644 index 000000000..b235d0bfa --- /dev/null +++ b/docker/rancher/security.json 
@@ -0,0 +1,235 @@ +[ { + "versionRange" : "[1.12.0,1.12.0]", + "severity" : 6.5, + "cveName" : "CVE-2016-6595", + "description" : "The SwarmKit toolkit 1.12.0 for Docker allows remote authenticated users to cause a denial of service (prevention of cluster joins) via a long sequence of join and quit actions. NOTE: the vendor disputes this issue, stating that this sequence is not \"removing the state that is left by old nodes. At some point the manager obviously stops being able to accept new nodes, since it runs out of memory. Given that both for Docker swarm and for Docker Swarmkit nodes are *required* to provide a secret token (it's actually the only mode of operation), this means that no adversary can simply join nodes and exhaust manager resources. We can't do anything about a manager running out of memory and not being able to add new legitimate nodes to the system. This is merely a resource provisioning issue, and definitely not a CVE worthy vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-6595" +}, { + "versionRange" : "(,1.6]", + "severity" : 3.6, + "cveName" : "CVE-2015-3631", + "description" : "Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-3631" +}, { + "versionRange" : "(,1.5.0)", + "severity" : 9.8, + "cveName" : "CVE-2014-0048", + "description" : "An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-0048" +}, { + "versionRange" : "(,18.09.4)", + "severity" : 8.4, + "cveName" : "CVE-2019-13139", + "description" : "In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the \"docker build\" command would be able to gain command execution. 
An issue exists in the way \"docker build\" processes remote git URLs, and results in command injection into the underlying \"git clone\" command, leading to code execution in the context of the user executing the \"docker build\" command. This occurs because git ref can be misinterpreted as a flag.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-13139" +}, { + "versionRange" : "(,1.8.3)", + "severity" : 7.5, + "cveName" : "CVE-2014-8179", + "description" : "Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-8179" +}, { + "versionRange" : "(,1.3.0]", + "severity" : 5.0, + "cveName" : "CVE-2014-5277", + "description" : "Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-5277" +}, { + "versionRange" : "[1.12.2,1.12.2]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. 
This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "(,1.6]", + "severity" : 7.2, + "cveName" : "CVE-2015-3627", + "description" : "Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-3627" +}, { + "versionRange" : "(,1.3.3)", + "severity" : 8.6, + "cveName" : "CVE-2014-9356", + "description" : "Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9356" +}, { + "versionRange" : "[1.12.0,1.12.0]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. 
This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "[1.0.0,1.0.0]", + "severity" : 7.2, + "cveName" : "CVE-2014-3499", + "description" : "Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3499" +}, { + "versionRange" : "[1.11.1,1.11.1]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "(,1.3)", + "severity" : 8.1, + "cveName" : "CVE-2014-5282", + "description" : "Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-5282" +}, { + "versionRange" : "(,1.6]", + "severity" : 7.2, + "cveName" : "CVE-2015-3630", + "description" : "Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-3630" +}, { + "versionRange" : "(,1.10.3]", + "severity" : 6.5, + "cveName" : 
"CVE-2017-14992", + "description" : "Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-14992" +}, { + "versionRange" : "[1.12.2,1.12.2]", + "severity" : 7.5, + "cveName" : "CVE-2016-8867", + "description" : "Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-8867" +}, { + "versionRange" : "(,4.5.1)", + "severity" : 7.8, + "cveName" : "CVE-2022-25365", + "description" : "Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-25365" +}, { + "versionRange" : "[1.3.0,1.3.0]", + "severity" : 7.5, + "cveName" : "CVE-2014-6407", + "description" : "Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-6407" +}, { + "versionRange" : "(,18.09.8)", + "severity" : 7.5, + "cveName" : "CVE-2019-13509", + "description" : "In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. 
It potentially applies to other API users of the stack API if they resend the secret.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-13509" +}, { + "versionRange" : "(,19.03.2]", + "severity" : 7.5, + "cveName" : "CVE-2019-16884", + "description" : "runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16884" +}, { + "versionRange" : "(,19.03.9)", + "severity" : 5.3, + "cveName" : "CVE-2020-27534", + "description" : "util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-27534" +}, { + "versionRange" : "(,1.3.2]", + "severity" : 6.4, + "cveName" : "CVE-2014-9358", + "description" : "Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) \"docker load\" operation or (2) \"registry communications.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9358" +}, { + "versionRange" : "[1.11,18.03.1]", + "severity" : 5.3, + "cveName" : "CVE-2018-10892", + "description" : "The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. 
The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-10892" +}, { + "versionRange" : "[1.3.0,1.3.0]", + "severity" : 5.0, + "cveName" : "CVE-2014-6408", + "description" : "Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-6408" +}, { + "versionRange" : "(,1.3.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-6407", + "description" : "Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-6407" +}, { + "versionRange" : "[1.12.3,1.12.3]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. 
This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "(,1.8.3)", + "severity" : 5.5, + "cveName" : "CVE-2014-8178", + "description" : "Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-8178" +}, { + "versionRange" : "[1.10.0.0-0,1.10.0.0-0]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "[1.11.0,1.11.0]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. 
This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "(,2.5.0.0)", + "severity" : 7.8, + "cveName" : "CVE-2021-3162", + "description" : "Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3162" +}, { + "versionRange" : "(,1.2.0)", + "severity" : 5.3, + "cveName" : "CVE-2014-5278", + "description" : "A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-5278" +}, { + "versionRange" : "[1.12.1,1.12.1]", + "severity" : 8.8, + "cveName" : "CVE-2018-15514", + "description" : "HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\\\.\\pipe\\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the \"docker-users\" group (who may not otherwise have administrator access) to escalate to administrator privileges.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-15514" +}, { + "versionRange" : "(,19.03.15)", + "severity" : 6.8, + "cveName" : "CVE-2021-21284", + "description" : "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\" that cause writing files with extended privileges. 
Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21284" +}, { + "versionRange" : "(,1.4.1]", + "severity" : 7.8, + "cveName" : "CVE-2014-0047", + "description" : "Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-0047" +}, { + "versionRange" : "[1.11.0,1.12.6)", + "severity" : 6.4, + "cveName" : "CVE-2016-9962", + "description" : "RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9962" +}, { + "versionRange" : "(,18.09.2)", + "severity" : 8.6, + "cveName" : "CVE-2019-5736", + "description" : "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. 
This occurs because of file-descriptor mishandling, related to /proc/self/exe.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-5736" +}, { + "versionRange" : "(,2.1.0.1)", + "severity" : 7.8, + "cveName" : "CVE-2019-15752", + "description" : "Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\\DockerDesktop\\version-bin\\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-15752" +}, { + "versionRange" : "(,1.11.1]", + "severity" : 7.8, + "cveName" : "CVE-2016-3697", + "description" : "libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3697" +}, { + "versionRange" : "(,19.03.15)", + "severity" : 6.5, + "cveName" : "CVE-2021-21285", + "description" : "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21285" +} ] diff --git a/gradle/gradle/security.json b/gradle/gradle/security.json new file mode 100644 index 000000000..87ab2103c --- /dev/null +++ b/gradle/gradle/security.json 
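Review bot: The docker/rancher/security.json hunk lists CVE-2018-15514 seven times under single-version Docker Engine ranges (`[1.12.0,1.12.0]`, `[1.11.1,1.11.1]`, `[1.10.0.0-0,1.10.0.0-0]` and so on) even though its own description scopes it to Docker for Windows before 18.06.0, so, if this file drives version matching, each of those engine releases would be flagged for an advisory that does not apply to it; CVE-2014-6407 is likewise listed twice, with `(,1.3.1]` already subsuming `[1.3.0,1.3.0]`. Several ranges also disagree with the fixed version named in their description: CVE-2014-0048 is given as `(,1.5.0)` while the text says before 1.6.0, and CVE-2022-25365 (Docker Desktop on Windows) is given as `(,4.5.1)`, which would match every 1.x and 18.x/19.x engine release in this list. If the file is produced by a generator, the fix belongs there; otherwise drop entries whose range is contained in another entry for the same cveName, remove the Docker-for-Windows and Docker Desktop advisories from an engine-version list (or restrict them to the product they describe), and align ranges such as CVE-2014-0048 to `(,1.6.0)`. A small validation step that parses every versionRange and rejects overlapping entries for the same cveName would keep the feed consistent on the next refresh; the split ranges in the gradle hunk that follows (e.g. CVE-2023-26053 on 6.9.x and 7.6.x) are legitimate per-branch entries and not affected by this.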
@@ -0,0 +1,133 @@ +[ { + "versionRange" : "(,7.0)", + "severity" : 7.8, + "cveName" : "CVE-2021-29428", + "description" : "In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the \"sticky\" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-29428" +}, { + "versionRange" : "[6.2.0,7.3.3]", + "severity" : 7.5, + "cveName" : "CVE-2022-23630", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. 
If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-23630" +}, { + "versionRange" : "(,6.8.0)", + "severity" : 7.5, + "cveName" : "CVE-2020-11979", + "description" : "As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-11979" +}, { + "versionRange" : "[8.0,8.2)", + "severity" : 8.1, + "cveName" : "CVE-2023-35947", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. 
To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n\n\n### Impact\n\nThis is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.\n\n* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.\n* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.\n\nTo exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.\n\nGradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.\n\n### Patches\n\nA fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. 
Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.\n\nIt is recommended that users upgrade to a patched version.\n\n### Workarounds\n\nThere is no workaround.\n\n* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.\n* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.\n\n### References\n\n* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)\n* [Gradle Build Cache](https://docs.gradle.org/current/userguide/build_cache.html)\n* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)\n", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-35947" +}, { + "versionRange" : "[6.2.0,7.5.0)", + "severity" : 4.4, + "cveName" : "CVE-2022-31156", + "description" : "Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. 
For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-31156" +}, { + "versionRange" : "[2.12,2.12]", + "severity" : 9.8, + "cveName" : "CVE-2016-6199", + "description" : "ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-6199" +}, { + "versionRange" : "(,1.3.1)", + "severity" : 7.2, + "cveName" : "CVE-2022-30586", + "description" : "Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-30586" +}, { + "versionRange" : "[7.0.0,7.6.1)", + "severity" : 9.8, + "cveName" : "CVE-2023-26053", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. 
As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-26053" +}, { + "versionRange" : "[8.0,8.4)", + "severity" : 5.3, + "cveName" : "CVE-2023-42445", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.\n", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-42445" +}, { + "versionRange" : "(,7.6.3)", + "severity" : 6.5, + "cveName" : "CVE-2023-44387", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. 
In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-44387" +}, { + "versionRange" : "(,7.6.2)", + "severity" : 5.5, + "cveName" : "CVE-2023-35946", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-35946" +}, { + "versionRange" : "[1.4,5.3.1]", + "severity" : 5.9, + "cveName" : "CVE-2019-11065", + "description" : "Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. 
Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-11065" +}, { + "versionRange" : "(,7.6.3)", + "severity" : 5.3, + "cveName" : "CVE-2023-42445", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.\n", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-42445" +}, { + "versionRange" : "[6.2.0,6.9.4)", + "severity" : 9.8, + "cveName" : "CVE-2023-26053", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. 
As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-26053" +}, { + "versionRange" : "[8.0.0,8.4.0)", + "severity" : 6.5, + "cveName" : "CVE-2023-44387", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-44387" +}, { + "versionRange" : "[5.1,7.0)", + "severity" : 7.2, + "cveName" : "CVE-2021-29427", + "description" : "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. 
For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-29427" +}, { + "versionRange" : "(,7.6.2)", + "severity" : 8.1, + "cveName" : "CVE-2023-35947", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.\n\n\n\n### Impact\n\nThis is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.\n\n* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.\n* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.\n\nTo exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.\n\nGradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.\n\n### Patches\n\nA fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. 
Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.\n\nIt is recommended that users upgrade to a patched version.\n\n### Workarounds\n\nThere is no workaround.\n\n* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.\n* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.\n\n### References\n\n* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)\n* [Gradle Build Cache](https://docs.gradle.org/current/userguide/build_cache.html)\n* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)\n", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-35947" +}, { + "versionRange" : "(,7.2)", + "severity" : 7.5, + "cveName" : "CVE-2021-32751", + "description" : "Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in thieir application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. 
For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. Fpplications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application's command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with Java command.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-32751" +}, { + "versionRange" : "(,7.0)", + "severity" : 5.5, + "cveName" : "CVE-2021-29429", + "description" : "In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. 
The new path needs to limit permissions to the build user only.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-29429" +}, { + "versionRange" : "(,5.6)", + "severity" : 9.8, + "cveName" : "CVE-2019-15052", + "description" : "The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-15052" +}, { + "versionRange" : "(,6.0)", + "severity" : 5.9, + "cveName" : "CVE-2019-16370", + "description" : "The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16370" +}, { + "versionRange" : "[8.0,8.2)", + "severity" : 5.5, + "cveName" : "CVE-2023-35946", + "description" : "Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. 
Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-35946" +} ] diff --git a/helm/helm/security.json b/helm/helm/security.json new file mode 100644 index 000000000..e630cb9ed --- /dev/null +++ b/helm/helm/security.json 
@@ -0,0 +1,127 @@ +[ { + "versionRange" : "[v3.0.0,v3.10.3)", + "severity" : 7.5, + "cveName" : "CVE-2022-23525", + "description" : "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-23525" +}, { + "versionRange" : "[v2.0.0,v2.15.2)", + "severity" : 9.8, + "cveName" : "CVE-2019-18658", + "description" : "In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18658" +}, { + "versionRange" : "[v3.0.0,v3.10.3)", + "severity" : 7.5, + "cveName" : "CVE-2022-23524", + "description" : "Helm is a tool for managing Charts, pre-configured Kubernetes resources. 
Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-23524" +}, { + "versionRange" : "(,v3.6.1)", + "severity" : 8.6, + "cveName" : "CVE-2021-32690", + "description" : "Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-32690" +}, { + "versionRange" : "[v3.0.0,v3.9.4)", + "severity" : 6.5, + "cveName" : "CVE-2022-36055", + "description" : "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. 
The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-36055" +}, { + "versionRange" : "[v3.0.0,v3.11.1)", + "severity" : 4.3, + "cveName" : "CVE-2023-25165", + "description" : "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. 
Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-25165" +}, { + "versionRange" : "[v2.0.0,v2.16.11)", + "severity" : 2.7, + "cveName" : "CVE-2020-15184", + "description" : "In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15184" +}, { + "versionRange" : "[v3.0.0,v3.5.2)", + "severity" : 6.8, + "cveName" : "CVE-2021-21303", + "description" : "Helm is open-source software which is essentially \"The Kubernetes Package Manager\". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows the string to be used \"as is\" without sanitizing. Helm fails to properly sanitized some fields present on Helm repository `index.yaml` files. Helm does not properly sanitized some fields in the `plugin.yaml` file for plugins In some cases, Helm does not properly sanitize the fields in the `Chart.yaml` file. By exploiting these attack vectors, core maintainers were able to send deceptive information to a terminal screen running the `helm` command, as well as obscure or alter information on the screen. 
In some cases, we could send codes that terminals used to execute higher-order logic, like clearing a terminal screen. Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly sanitized when read out of repository index files. This fix remedies all such cases, and once again enforces SemVer2 policies on version fields. All users of the Helm 3 should upgrade to the fixed version 3.5.2 or later. Those who use Helm as a library should verify that they either sanitize this data on their own, or use the proper Helm API calls to sanitize the data.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21303" +}, { + "versionRange" : "[v2.0.0,v2.12.2)", + "severity" : 6.5, + "cveName" : "CVE-2019-1000008", + "description" : "All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpacked a file may be unpacked outside of the target directory. This attack appears to be exploitable via a victim must run a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1000008" +}, { + "versionRange" : "[v2.0.0,v2.16.11)", + "severity" : 2.7, + "cveName" : "CVE-2020-15185", + "description" : "In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. 
A possible workaround is to manually review the index file in the Helm repository cache before installing software.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15185" +}, { + "versionRange" : "[v2.0.0,v2.16.11)", + "severity" : 4.7, + "cveName" : "CVE-2020-15187", + "description" : "In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15187" +}, { + "versionRange" : "[v3.0.0,v3.3.2)", + "severity" : 4.7, + "cveName" : "CVE-2020-15187", + "description" : "In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. 
As a possible workaround make sure to install plugins using a secure connection protocol like SSL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15187" +}, { + "versionRange" : "[v3.0.0,v3.3.2)", + "severity" : 2.7, + "cveName" : "CVE-2020-15184", + "description" : "In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15184" +}, { + "versionRange" : "[v3.0.0,v3.3.2)", + "severity" : 2.7, + "cveName" : "CVE-2020-15185", + "description" : "In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15185" +}, { + "versionRange" : "[v2.0.0,v2.16.11)", + "severity" : 2.7, + "cveName" : "CVE-2020-15186", + "description" : "In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. 
This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15186" +}, { + "versionRange" : "[v3.1.0,v3.2.0)", + "severity" : 5.0, + "cveName" : "CVE-2020-11013", + "description" : "Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. `lookup` is a Helm template function introduced in Helm v3. It is able to lookup resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates. The documented behavior of `helm template` states that it does not attach to a remote cluster. However, a the recently added `lookup` template function circumvents this restriction and connects to the cluster even during `helm template` and `helm install|update|delete|rollback --dry-run`. The user is not notified of this behavior. Running `helm template` should not make calls to a cluster. This is different from `install`, which is presumed to have access to a cluster in order to load resources into Kubernetes. Helm 2 is unaffected by this vulnerability. A malicious chart author could inject a `lookup` into a chart that, when rendered through `helm template`, performs unannounced lookups against the cluster a user's `KUBECONFIG` file points to. This information can then be disclosed via the output of `helm template`. This issue has been fixed in Helm 3.2.0", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-11013" +}, { + "versionRange" : "[v3.0.0,v3.3.2)", + "severity" : 2.7, + "cveName" : "CVE-2020-15186", + "description" : "In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. 
As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15186" +}, { + "versionRange" : "[v3.0.0,v3.2.4)", + "severity" : 6.8, + "cveName" : "CVE-2020-4053", + "description" : "In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-4053" +}, { + "versionRange" : "[v3.0.0,v3.10.3)", + "severity" : 7.5, + "cveName" : "CVE-2022-23526", + "description" : "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. 
This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-23526" +}, { + "versionRange" : "[v3.0.0,v3.9.4)", + "severity" : 7.5, + "cveName" : "CVE-2022-36049", + "description" : "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-36049" +}, { + "versionRange" : "(,v2.7.2)", + "severity" : 9.8, + "cveName" : "CVE-2019-1010275", + "description" : "helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1010275" +} ] diff --git a/intellij/intellij/security.json b/intellij/intellij/security.json new file mode 100644 index 000000000..de42fbd11 --- /dev/null +++ b/intellij/intellij/security.json 
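Review bot: The CVE-2022-36049 entry in helm/helm/security.json is mis-scoped: its own description says the affected products are flux2 v0.0.17–v0.32.0 and helm-controller v0.0.4–v0.23.0, yet it is pinned to Helm `"versionRange" : "[v3.0.0,v3.9.4)"`, which appears to be copied from the CVE-2022-36055 entry above it. A consumer matching a Helm binary at 3.9.3 would report a Flux advisory that does not apply to the Helm CLI, while the underlying Helm SDK issue is already covered by CVE-2022-36055 with that same range, so the entry should be dropped from this file or moved to a flux2/helm-controller data set with its real ranges. Separately, the range notation here is inconsistent with the Docker and Gradle files in the same commit: Helm entries carry a `v` prefix (`[v2.0.0,v2.16.11)`) and two entries use an open lower bound (`(,v3.6.1)`, `(,v2.7.2)`) where siblings spell out `[v2.0.0,` or `[v3.0.0,`; whatever version comparator reads these files needs to tolerate both forms, or the ranges should be normalized to one convention before merge.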
@@ -0,0 +1,337 @@
+[ {
+ "versionRange" : "[2018.2,2018.2.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9186",
+ "description" : "In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9186"
+}, {
+ "versionRange" : "(,2020.3.3)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2021-30006",
+ "description" : "In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-30006"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 6.7,
+ "cveName" : "CVE-2022-29815",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29815"
+}, {
+ "versionRange" : "(,2023.1)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-48430",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48430"
+}, {
+ "versionRange" : "[2018.2,2018.2.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9823",
+ "description" : "In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9823"
+}, {
+ "versionRange" : "(,2023.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-48431",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.1 in some cases, Gradle and Maven projects could be imported without the ���Trust Project��� confirmation.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48431"
+}, {
+ "versionRange" : "(,2022.3.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-47896",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-47896"
+}, {
+ "versionRange" : "[2018.1,2018.1.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9823",
+ "description" : "In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9823"
+}, {
+ "versionRange" : "(,2022.2)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-37009",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-37009"
+}, {
+ "versionRange" : "(,2022.3)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-46828",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-46828"
+}, {
+ "versionRange" : "(,2023.3.3)",
+ "severity" : 4.3,
+ "cveName" : "CVE-2024-24940",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2024-24940"
+}, {
+ "versionRange" : "[2021.3.1,2021.3.1]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-45977",
+ "description" : "JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-45977"
+}, {
+ "versionRange" : "(,2023.1)",
+ "severity" : 8.8,
+ "cveName" : "CVE-2022-48432",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.1 the bundled version of Chromium wasn't sandboxed.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48432"
+}, {
+ "versionRange" : "(,2023.1)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-48433",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48433"
+}, {
+ "versionRange" : "(,2022.3.1)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-47895",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.3.1 the \"Validate JSP File\" action used the HTTP protocol to download required JAR files.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-47895"
+}, {
+ "versionRange" : "(,2023.3.2)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2023-51655",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-51655"
+}, {
+ "versionRange" : "(,2022.3)",
+ "severity" : 5.5,
+ "cveName" : "CVE-2022-46827",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-46827"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 7.1,
+ "cveName" : "CVE-2022-29818",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29818"
+}, {
+ "versionRange" : "(,2023.3.3)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2024-24941",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2024-24941"
+}, {
+ "versionRange" : "(,2019.2)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2019-18361",
+ "description" : "JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18361"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 7.7,
+ "cveName" : "CVE-2022-29814",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29814"
+}, {
+ "versionRange" : "[2018.3.6,2019.1)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9186",
+ "description" : "In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9186"
+}, {
+ "versionRange" : "[2018.2,2018.2.8)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2019-9872",
+ "description" : "In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9872"
+}, {
+ "versionRange" : "(,2022.2.2)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-40978",
+ "description" : "The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-40978"
+}, {
+ "versionRange" : "(,2020.2)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2020-27622",
+ "description" : "In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-27622"
+}, {
+ "versionRange" : "(,2021.3.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-24346",
+ "description" : "In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-24346"
+}, {
+ "versionRange" : "[2018.1,2018.1.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9186",
+ "description" : "In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9186"
+}, {
+ "versionRange" : "(,2022.3)",
+ "severity" : 3.3,
+ "cveName" : "CVE-2022-46825",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-46825"
+}, {
+ "versionRange" : "(,2023.2)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2023-39261",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-39261"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 7.7,
+ "cveName" : "CVE-2022-29819",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29819"
+}, {
+ "versionRange" : "(,2020.3.3)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-29263",
+ "description" : "In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-29263"
+}, {
+ "versionRange" : "[2018.2,2018.2.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-10104",
+ "description" : "In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10104"
+}, {
+ "versionRange" : "(,2019.3.0)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2020-7914",
+ "description" : "In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-7914"
+}, {
+ "versionRange" : "(,2020.1)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2020-11690",
+ "description" : "In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-11690"
+}, {
+ "versionRange" : "(,2019.3.0)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2020-7905",
+ "description" : "Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-7905"
+}, {
+ "versionRange" : "(,2020.3)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-25758",
+ "description" : "In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-25758"
+}, {
+ "versionRange" : "(,2021.1)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2021-30504",
+ "description" : "In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-30504"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 2.3,
+ "cveName" : "CVE-2022-29812",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29812"
+}, {
+ "versionRange" : "[2018.1,2018.1.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-10104",
+ "description" : "In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10104"
+}, {
+ "versionRange" : "(,2020.2)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2021-25756",
+ "description" : "In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-25756"
+}, {
+ "versionRange" : "(,2021.2.4)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-24345",
+ "description" : "In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-24345"
+}, {
+ "versionRange" : "(,2022.3)",
+ "severity" : 5.5,
+ "cveName" : "CVE-2022-46826",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-46826"
+}, {
+ "versionRange" : "(,2021.3.3)",
+ "severity" : 5.5,
+ "cveName" : "CVE-2022-28651",
+ "description" : "In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-28651"
+}, {
+ "versionRange" : "(,2017.2.2)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2017-8316",
+ "description" : "IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-8316"
+}, {
+ "versionRange" : "(,2019.3.0)",
+ "severity" : 7.4,
+ "cveName" : "CVE-2020-7904",
+ "description" : "In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-7904"
+}, {
+ "versionRange" : "[2018.1,2018.1.8)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2019-9872",
+ "description" : "In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9872"
+}, {
+ "versionRange" : "[2018.3.6,2019.1)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2019-9872",
+ "description" : "In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9872"
+}, {
+ "versionRange" : "(,2023.1.4)",
+ "severity" : 3.3,
+ "cveName" : "CVE-2023-38069",
+ "description" : "In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-38069"
+}, {
+ "versionRange" : "(,2019.1)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9873",
+ "description" : "In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9873"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2022-29817",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29817"
+}, {
+ "versionRange" : "(,2019.2)",
+ "severity" : 5.9,
+ "cveName" : "CVE-2019-14954",
+ "description" : "JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-14954"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 6.7,
+ "cveName" : "CVE-2022-29813",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29813"
+}, {
+ "versionRange" : "(,2022.2.4)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-46824",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-46824"
+}, {
+ "versionRange" : "(,2022.1)",
+ "severity" : 3.2,
+ "cveName" : "CVE-2022-29816",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-29816"
+}, {
+ "versionRange" : "[2018.3.5,2018.3.7)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-10104",
+ "description" : "In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10104"
+}, {
+ "versionRange" : "(,2022.2)",
+ "severity" : 3.3,
+ "cveName" : "CVE-2022-37010",
+ "description" : "In JetBrains IntelliJ IDEA before 2022.2 email address validation in the \"Git User Name Is Not Defined\" dialog was missed",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-37010"
+} ]
diff --git a/jasypt/jasypt/security.json b/jasypt/jasypt/security.json
new file mode 100644
index 000000000..9e84caf45
--- /dev/null
+++ b/jasypt/jasypt/security.json
@@ -0,0 +1,7 @@
+[ {
+ "versionRange" : "(,1.9.1]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-9970",
+ "description" : "jasypt before 1.9.2 allows a timing attack against the password hash comparison.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9970"
+} ]
diff --git a/jenkins/jenkins/security.json b/jenkins/jenkins/security.json
new file mode 100644
index 000000000..81bfc1b3f
--- /dev/null
+++ b/jenkins/jenkins/security.json
@@ -0,0 +1,2251 @@ +[ { + "versionRange" : "(,2.32.2)", + "severity" : 5.4, + "cveName" : "CVE-2017-2610", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2610" +}, { + "versionRange" : "(,2.415]", + "severity" : 5.4, + "cveName" : "CVE-2023-39151", + "description" : "Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-39151" +}, { + "versionRange" : "(,1.580.3]", + "severity" : 3.5, + "cveName" : "CVE-2015-1808", + "description" : "Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1808" +}, { + "versionRange" : "(,2.319)", + "severity" : 9.8, + "cveName" : "CVE-2021-21693", + "description" : "When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21693" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 8.1, + "cveName" : "CVE-2021-21686", + "description" : "File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21686" +}, { + "versionRange" : "(,2.319)", + 
"severity" : 9.8, + "cveName" : "CVE-2021-21690", + "description" : "Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21690" +}, { + "versionRange" : "(,2.191]", + "severity" : 8.8, + "cveName" : "CVE-2019-10384", + "description" : "Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10384" +}, { + "versionRange" : "(,2.120]", + "severity" : 4.3, + "cveName" : "CVE-2018-1000192", + "description" : "A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000192" +}, { + "versionRange" : "(,1.466.2]", + "severity" : 3.5, + "cveName" : "CVE-2012-6074", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074" +}, { + "versionRange" : "(,1.482)", + "severity" : 6.1, + "cveName" : "CVE-2012-4440", + "description" : "Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-4440" +}, { + "versionRange" : "[2.332.1,2.332.3]", + 
"severity" : 5.4, + "cveName" : "CVE-2022-34171", + "description" : "In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34171" +}, { + "versionRange" : "(,2.424)", + "severity" : 8.1, + "cveName" : "CVE-2023-43497", + "description" : "In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-43497" +}, { + "versionRange" : "(,2.138.3]", + "severity" : 8.2, + "cveName" : "CVE-2018-1000863", + "description" : "A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000863" +}, { + "versionRange" : "(,2.274]", + "severity" : 5.3, + "cveName" : "CVE-2021-21609", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21609" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 4.3, 
+ "cveName" : "CVE-2017-2598", + "description" : "Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2598" +}, { + "versionRange" : "(,2.83]", + "severity" : 5.9, + "cveName" : "CVE-2017-1000396", + "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000396" +}, { + "versionRange" : "[1.409.2,1.409.2]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,2.196]", + "severity" : 5.4, + "cveName" : "CVE-2019-10403", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10403" +}, { + "versionRange" : "(,2.2]", + "severity" : 4.3, + "cveName" : "CVE-2016-3725", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to 
trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3725" +}, { + "versionRange" : "(,2.44)", + "severity" : 5.4, + "cveName" : "CVE-2017-2613", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2613" +}, { + "versionRange" : "(,2.176.3]", + "severity" : 5.4, + "cveName" : "CVE-2019-10403", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10403" +}, { + "versionRange" : "[2.50,2.424)", + "severity" : 4.3, + "cveName" : "CVE-2023-43494", + "description" : "Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-43494" +}, { + "versionRange" : "(,1.625.1]", + "severity" : 8.8, + "cveName" : "CVE-2015-7538", + "description" : "Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7538" +}, { + 
"versionRange" : "(,1.649]", + "severity" : 6.5, + "cveName" : "CVE-2016-3724", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3724" +}, { + "versionRange" : "(,1.639]", + "severity" : 8.8, + "cveName" : "CVE-2015-7538", + "description" : "Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7538" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2604", + "description" : "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2604" +}, { + "versionRange" : "(,2.73.1]", + "severity" : 2.2, + "cveName" : "CVE-2017-1000401", + "description" : "The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. 
Form validation for is now always sent via POST, which is typically not logged.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000401" +}, { + "versionRange" : "[2.332.1,2.332.3]", + "severity" : 5.4, + "cveName" : "CVE-2022-34170", + "description" : "In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34170" +}, { + "versionRange" : "(,2.83]", + "severity" : 7.5, + "cveName" : "CVE-2017-1000394", + "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000394" +}, { + "versionRange" : "(,2.218]", + "severity" : 5.4, + "cveName" : "CVE-2020-2105", + "description" : "REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2105" +}, { + "versionRange" : "(,1.565.2]", + "severity" : 4.0, + "cveName" : "CVE-2014-3667", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3667" +}, { + "versionRange" : "(,1.651.1]", + "severity" : 4.3, + "cveName" : "CVE-2016-3723", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to 
obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3723" +}, { + "versionRange" : "(,2.107)", + "severity" : 6.5, + "cveName" : "CVE-2018-6356", + "description" : "Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-6356" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 5.0, + "cveName" : "CVE-2014-2061", + "description" : "The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2061" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 5.0, + "cveName" : "CVE-2014-2064", + "description" : "The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2064" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 8.8, + "cveName" : "CVE-2017-2608", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2017-2608" +}, { + "versionRange" : "(,2.235.1]", + "severity" : 5.4, + "cveName" : "CVE-2020-2223", + "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2223" +}, { + "versionRange" : "(,2.121.1]", + "severity" : 7.5, + "cveName" : "CVE-2018-1999002", + "description" : "A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999002" +}, { + "versionRange" : "(,2.196]", + "severity" : 5.4, + "cveName" : "CVE-2019-10405", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the \"Cookie\" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10405" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 6.8, + "cveName" : "CVE-2014-2066", + "description" : "Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the \"override\" of Jenkins cookies.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2066" +}, { + "versionRange" : "(,2.153]", + "severity" : 9.8, + "cveName" : "CVE-2018-1000861", + "description" : "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in 
stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000861" +}, { + "versionRange" : "(,2.158]", + "severity" : 7.2, + "cveName" : "CVE-2019-1003003", + "description" : "An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003003" +}, { + "versionRange" : "(,1.498]", + "severity" : 9.8, + "cveName" : "CVE-2017-1000362", + "description" : "The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. 
Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000362" +}, { + "versionRange" : "(,2.424)", + "severity" : 5.4, + "cveName" : "CVE-2023-43495", + "description" : "Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-43495" +}, { + "versionRange" : "(,2.107.2]", + "severity" : 8.1, + "cveName" : "CVE-2018-1000194", + "description" : "A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000194" +}, { + "versionRange" : "[1.466.1,1.466.1]", + "severity" : 3.5, + "cveName" : "CVE-2012-6074", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074" +}, { + "versionRange" : "(,2.318]", + "severity" : 9.8, + "cveName" : "CVE-2021-21696", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent 
processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" +}, { + "versionRange" : "(,2.196]", + "severity" : 4.8, + "cveName" : "CVE-2019-10406", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10406" +}, { + "versionRange" : "(,1.639]", + "severity" : 5.4, + "cveName" : "CVE-2015-7536", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7536" +}, { + "versionRange" : "(,1.501]", + "severity" : 4.0, + "cveName" : "CVE-2013-0330", + "description" : "Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0330" +}, { + "versionRange" : "(,2.2]", + "severity" : 4.3, + "cveName" : "CVE-2016-3722", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the \"full name.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3722" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 5.4, + "cveName" : "CVE-2017-2599", + "description" : "Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. 
jobs) to overwrite existing items they don't have access to (SECURITY-321).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2599" +}, { + "versionRange" : "(,1.550]", + "severity" : 6.8, + "cveName" : "CVE-2014-2066", + "description" : "Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the \"override\" of Jenkins cookies.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2066" +}, { + "versionRange" : "(,2.83]", + "severity" : 4.3, + "cveName" : "CVE-2017-1000400", + "description" : "The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000400" +}, { + "versionRange" : "(,2.89.3]", + "severity" : 5.3, + "cveName" : "CVE-2018-1000068", + "description" : "An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000068" +}, { + "versionRange" : "(,1.586]", + "severity" : 6.8, + "cveName" : "CVE-2014-3665", + "description" : "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3665" +}, { + "versionRange" : "(,1.482)", + 
"severity" : 8.8, + "cveName" : "CVE-2012-4438", + "description" : "Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-4438" +}, { + "versionRange" : "(,2.106]", + "severity" : 5.3, + "cveName" : "CVE-2018-1000068", + "description" : "An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000068" +}, { + "versionRange" : "(,2.137]", + "severity" : 7.5, + "cveName" : "CVE-2018-1999043", + "description" : "A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999043" +}, { + "versionRange" : "(,2.319)", + "severity" : 9.1, + "cveName" : "CVE-2021-21685", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" +}, { + "versionRange" : "(,2.355]", + "severity" : 7.5, + "cveName" : "CVE-2022-34174", + "description" : "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2022-34174" +}, { + "versionRange" : "(,2.153]", + "severity" : 4.3, + "cveName" : "CVE-2018-1000862", + "description" : "An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000862" +}, { + "versionRange" : "(,2.227]", + "severity" : 5.4, + "cveName" : "CVE-2020-2162", + "description" : "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2162" +}, { + "versionRange" : "[1.409.2,1.409.2]", + "severity" : 2.6, + "cveName" : "CVE-2013-0158", + "description" : "Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158" +}, { + "versionRange" : "(,1.501]", + "severity" : 7.5, + "cveName" : "CVE-2013-0329", + "description" : "Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0329" +}, { + "versionRange" : "(,1.582]", + "severity" : 6.0, + "cveName" : "CVE-2014-3663", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary 
jobs via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3663" +}, { + "versionRange" : "(,2.319)", + "severity" : 7.5, + "cveName" : "CVE-2021-21688", + "description" : "The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" +}, { + "versionRange" : "(,2.276)", + "severity" : 5.3, + "cveName" : "CVE-2021-21615", + "description" : "Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21615" +}, { + "versionRange" : "(,1.637]", + "severity" : 4.3, + "cveName" : "CVE-2015-5326", + "description" : "Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5326" +}, { + "versionRange" : "(,2.251]", + "severity" : 5.4, + "cveName" : "CVE-2020-2229", + "description" : "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2229" +}, { + "versionRange" : "(,2.73.2]", + "severity" : 7.3, + "cveName" : "CVE-2017-1000391", + "description" : "Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. 
These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000391" +}, { + "versionRange" : "[1.466.1,1.466.1]", + "severity" : 2.6, + "cveName" : "CVE-2013-0158", + "description" : "Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158" +}, { + "versionRange" : "(,2.244]", + "severity" : 5.4, + "cveName" : "CVE-2020-2222", + "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2222" +}, { + "versionRange" : "(,2.83]", + "severity" : 4.3, + "cveName" : "CVE-2017-1000398", + "description" : "The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. 
This has been fixed, and the API now only shows information about accessible tasks.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000398" +}, { + "versionRange" : "[1.642.1,1.642.1]", + "severity" : 9.8, + "cveName" : "CVE-2016-0788", + "description" : "The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0788" +}, { + "versionRange" : "(,1.582]", + "severity" : 7.5, + "cveName" : "CVE-2014-3666", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3666" +}, { + "versionRange" : "[1.596.1,1.596.1]", + "severity" : 7.5, + "cveName" : "CVE-2015-1814", + "description" : "The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a \"forced API token change\" involving anonymous users.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1814" +}, { + "versionRange" : "(,2.303.2]", + "severity" : 9.8, + "cveName" : "CVE-2021-21696", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. 
This results in unsandboxed code execution in the Jenkins controller process.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" +}, { + "versionRange" : "(,2.164.1]", + "severity" : 8.1, + "cveName" : "CVE-2019-1003049", + "description" : "Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003049" +}, { + "versionRange" : "(,2.319)", + "severity" : 9.8, + "cveName" : "CVE-2021-21691", + "description" : "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" +}, { + "versionRange" : "(,2.121.1]", + "severity" : 5.4, + "cveName" : "CVE-2018-1999007", + "description" : "A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999007" +}, { + "versionRange" : "(,1.637]", + "severity" : 5.0, + "cveName" : "CVE-2015-5319", + "description" : "XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2015-5319" +}, { + "versionRange" : "(,1.565.2]", + "severity" : 7.5, + "cveName" : "CVE-2014-3666", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3666" +}, { + "versionRange" : "(,2.263)", + "severity" : 7.5, + "cveName" : "CVE-2022-2048", + "description" : "In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-2048" +}, { + "versionRange" : "(,1.580.3]", + "severity" : 3.5, + "cveName" : "CVE-2015-1807", + "description" : "Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1807" +}, { + "versionRange" : "(,2.137]", + "severity" : 5.4, + "cveName" : "CVE-2018-1999045", + "description" : "A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999045" +}, { + "versionRange" : "(,2.164.1]", + "severity" : 5.4, + "cveName" : "CVE-2019-1003050", + "description" : "The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable 
by users with the ability to control job names.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003050" +}, { + "versionRange" : "[1.409.2,1.409.2]", + "severity" : 4.3, + "cveName" : "CVE-2012-0325", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0325" +}, { + "versionRange" : "(,2.120]", + "severity" : 4.3, + "cveName" : "CVE-2018-1000193", + "description" : "A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000193" +}, { + "versionRange" : "(,2.314]", + "severity" : 6.5, + "cveName" : "CVE-2021-21683", + "description" : "The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21683" +}, { + "versionRange" : "[2.222.1,2.426.2]", + "severity" : 8.8, + "cveName" : "CVE-2024-23898", + "description" : "Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to 
execute CLI commands on the Jenkins controller.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2024-23898" +}, { + "versionRange" : "(,2.107.1]", + "severity" : 5.3, + "cveName" : "CVE-2018-1000169", + "description" : "An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000169" +}, { + "versionRange" : "(,2.137]", + "severity" : 6.5, + "cveName" : "CVE-2018-1999047", + "description" : "A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999047" +}, { + "versionRange" : "(,2.107.1]", + "severity" : 5.4, + "cveName" : "CVE-2018-1000170", + "description" : "A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000170" +}, { + "versionRange" : "(,2.176.3]", + "severity" : 5.4, + "cveName" : "CVE-2019-10402", + "description" : "In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10402" +}, { + "versionRange" : "(,2.107.2]", + "severity" : 4.3, + "cveName" : 
"CVE-2018-1000195", + "description" : "A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000195" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 5.0, + "cveName" : "CVE-2014-2060", + "description" : "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2060" +}, { + "versionRange" : "(,1.550]", + "severity" : 3.5, + "cveName" : "CVE-2014-2067", + "description" : "Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a \"remote cause note.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2067" +}, { + "versionRange" : "(,2.394)", + "severity" : 7.0, + "cveName" : "CVE-2023-27899", + "description" : "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27899" +}, { + "versionRange" : "(,2.56]", + "severity" : 6.5, + "cveName" : "CVE-2017-1000355", + "description" : "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2017-1000355" +}, { + "versionRange" : "(,1.565.2]", + "severity" : 4.0, + "cveName" : "CVE-2014-3680", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3680" +}, { + "versionRange" : "(,2.277.3)", + "severity" : 7.5, + "cveName" : "CVE-2021-28165", + "description" : "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28165" +}, { + "versionRange" : "(,1.550]", + "severity" : 3.5, + "cveName" : "CVE-2014-2068", + "description" : "The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2068" +}, { + "versionRange" : "(,2.121.1]", + "severity" : 4.3, + "cveName" : "CVE-2018-1999003", + "description" : "A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999003" +}, { + "versionRange" : "[2.320,2.355]", + "severity" : 5.4, + "cveName" : "CVE-2022-34170", + "description" : "In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.", + 
"nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34170" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 3.5, + "cveName" : "CVE-2014-2067", + "description" : "Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a \"remote cause note.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2067" +}, { + "versionRange" : "(,2.303.2]", + "severity" : 9.1, + "cveName" : "CVE-2021-21697", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" +}, { + "versionRange" : "(,2.73.1]", + "severity" : 8.8, + "cveName" : "CVE-2017-1000393", + "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. 
Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000393" +}, { + "versionRange" : "(,1.447)", + "severity" : 7.5, + "cveName" : "CVE-2012-0785", + "description" : "Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka \"the Hash DoS attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0785" +}, { + "versionRange" : "(,2.196]", + "severity" : 5.4, + "cveName" : "CVE-2019-10404", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10404" +}, { + "versionRange" : "(,2.137]", + "severity" : 5.3, + "cveName" : "CVE-2018-1999042", + "description" : "A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999042" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 4.3, + "cveName" : "CVE-2017-2602", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. 
This could allow metadata files to be written to by malicious agents (SECURITY-358).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2602" +}, { + "versionRange" : "(,2.319)", + "severity" : 9.1, + "cveName" : "CVE-2021-21687", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" +}, { + "versionRange" : "(,2.83]", + "severity" : 4.3, + "cveName" : "CVE-2017-1000399", + "description" : "The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000399" +}, { + "versionRange" : "(,2.44)", + "severity" : 5.4, + "cveName" : "CVE-2017-2612", + "description" : "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2612" +}, { + "versionRange" : "(,2.319.1]", + "severity" : 4.3, + "cveName" : "CVE-2022-20612", + "description" : "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-20612" +}, { + "versionRange" : "(,1.501]", + "severity" : 6.8, + "cveName" : "CVE-2013-0327", + "description" : "Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 
1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0327" +}, { + "versionRange" : "(,2.107.2]", + "severity" : 4.3, + "cveName" : "CVE-2018-1000193", + "description" : "A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000193" +}, { + "versionRange" : "(,2.286)", + "severity" : 7.5, + "cveName" : "CVE-2021-28165", + "description" : "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28165" +}, { + "versionRange" : "(,2.94]", + "severity" : 8.1, + "cveName" : "CVE-2017-1000504", + "description" : "A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. 
There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000504" +}, { + "versionRange" : "[1.424.3,1.424.3]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,1.582]", + "severity" : 4.0, + "cveName" : "CVE-2014-3664", + "description" : "Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3664" +}, { + "versionRange" : "(,2.2]", + "severity" : 7.4, + "cveName" : "CVE-2016-3726", + "description" : "Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to \"scheme-relative\" URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3726" +}, { + "versionRange" : "(,1.637]", + "severity" : 6.5, + "cveName" : "CVE-2015-5323", + "description" : "Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5323" +}, { + "versionRange" : "[1.642.1,1.642.1]", + "severity" : 
9.8, + "cveName" : "CVE-2016-0791", + "description" : "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0791" +}, { + "versionRange" : "(,1.649]", + "severity" : 9.8, + "cveName" : "CVE-2016-0788", + "description" : "The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0788" +}, { + "versionRange" : "[1.424.5,1.424.5]", + "severity" : 2.6, + "cveName" : "CVE-2013-0158", + "description" : "Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 4.3, + "cveName" : "CVE-2017-2600", + "description" : "In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. 
These included system configuration and runtime information of these nodes (SECURITY-343).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2600" +}, { + "versionRange" : "(,2.89.3]", + "severity" : 5.3, + "cveName" : "CVE-2018-1000067", + "description" : "An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000067" +}, { + "versionRange" : "[1.409.3,1.409.3]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 7.5, + "cveName" : "CVE-2021-21688", + "description" : "The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" +}, { + "versionRange" : "(,2.171]", + "severity" : 8.1, + "cveName" : "CVE-2019-1003049", + "description" : "Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2019-1003049" +}, { + "versionRange" : "(,1.550]", + "severity" : 5.0, + "cveName" : "CVE-2014-2060", + "description" : "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2060" +}, { + "versionRange" : "(,1.437]", + "severity" : 2.6, + "cveName" : "CVE-2011-4344", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4344" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2611", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). 
The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2611" +}, { + "versionRange" : "(,2.426.2]", + "severity" : 7.5, + "cveName" : "CVE-2024-23897", + "description" : "Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2024-23897" +}, { + "versionRange" : "(,2.56]", + "severity" : 8.8, + "cveName" : "CVE-2017-1000356", + "description" : "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000356" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 4.3, + "cveName" : "CVE-2017-2609", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). 
The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2609" +}, { + "versionRange" : "(,2.318]", + "severity" : 9.1, + "cveName" : "CVE-2021-21697", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" +}, { + "versionRange" : "[1.424.3,1.424.3]", + "severity" : 2.6, + "cveName" : "CVE-2013-0158", + "description" : "Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158" +}, { + "versionRange" : "(,1.585]", + "severity" : 5.3, + "cveName" : "CVE-2014-9635", + "description" : "Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9635" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 9.1, + "cveName" : "CVE-2021-21687", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" +}, { + "versionRange" : "(,1.639]", + "severity" : 7.5, + "cveName" : "CVE-2015-7539", + "description" : "The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 
does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7539" +}, { + "versionRange" : "[2.266,2.300)", + "severity" : 7.5, + "cveName" : "CVE-2021-21671", + "description" : "Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21671" +}, { + "versionRange" : "(,2.121.1]", + "severity" : 4.3, + "cveName" : "CVE-2018-1999004", + "description" : "A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999004" +}, { + "versionRange" : "(,2.153]", + "severity" : 6.5, + "cveName" : "CVE-2018-1000864", + "description" : "A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000864" +}, { + "versionRange" : "(,1.651.1]", + "severity" : 4.3, + "cveName" : "CVE-2016-3722", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the \"full name.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3722" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2606", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). 
This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2606" +}, { + "versionRange" : "[1.424.4,1.424.4]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,2.159]", + "severity" : 7.2, + "cveName" : "CVE-2019-1003004", + "description" : "An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003004" +}, { + "versionRange" : "(,2.441]", + "severity" : 7.5, + "cveName" : "CVE-2024-23897", + "description" : "Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2024-23897" +}, { + "versionRange" : "(,2.289.2)", + "severity" : 4.3, + "cveName" : "CVE-2021-21670", + "description" : "Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2021-21670" +}, { + "versionRange" : "[1.409.3,1.409.3]", + "severity" : 3.5, + "cveName" : "CVE-2012-6074", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074" +}, { + "versionRange" : "(,1.639]", + "severity" : 8.8, + "cveName" : "CVE-2015-7537", + "description" : "Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7537" +}, { + "versionRange" : "[1.409.1,1.409.1]", + "severity" : 4.3, + "cveName" : "CVE-2012-0325", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0325" +}, { + "versionRange" : "(,1.501]", + "severity" : 4.0, + "cveName" : "CVE-2013-0331", + "description" : "Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0331" +}, { + "versionRange" : "(,1.637]", + "severity" : 5.0, + "cveName" : "CVE-2015-5320", + "description" : "Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave 
connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5320" +}, { + "versionRange" : "(,2.2]", + "severity" : 6.5, + "cveName" : "CVE-2016-3721", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3721" +}, { + "versionRange" : "(,2.73.1]", + "severity" : 5.9, + "cveName" : "CVE-2017-1000396", + "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. 
The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000396" +}, { + "versionRange" : "(,2.145]", + "severity" : 6.5, + "cveName" : "CVE-2018-1000408", + "description" : "A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000408" +}, { + "versionRange" : "(,1.649]", + "severity" : 5.3, + "cveName" : "CVE-2016-0790", + "description" : "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0790" +}, { + "versionRange" : "(,1.583)", + "severity" : 4.3, + "cveName" : "CVE-2014-3681", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3681" +}, { + "versionRange" : "(,2.73.1]", + "severity" : 7.5, + "cveName" : "CVE-2017-1000394", + "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. 
The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000394" +}, { + "versionRange" : "(,2.145]", + "severity" : 6.5, + "cveName" : "CVE-2018-1000406", + "description" : "A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000406" +}, { + "versionRange" : "(,1.565.2]", + "severity" : 6.0, + "cveName" : "CVE-2014-3663", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3663" +}, { + "versionRange" : "(,2.235.1]", + "severity" : 5.4, + "cveName" : "CVE-2020-2222", + "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2222" +}, { + "versionRange" : "(,2.176.3]", + "severity" : 4.8, + "cveName" : "CVE-2019-10406", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10406" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 9.8, + "cveName" : "CVE-2021-21692", + "description" : "FilePath#renameTo and 
FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21692"
+}, {
+ "versionRange" : "(,1.585]",
+ "severity" : 5.3,
+ "cveName" : "CVE-2014-9634",
+ "description" : "Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9634"
+}, {
+ "versionRange" : "(,2.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2016-3727",
+ "description" : "The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3727"
+}, {
+ "versionRange" : "(,2.303.3)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-21690",
+ "description" : "Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21690"
+}, {
+ "versionRange" : "(,2.394)",
+ "severity" : 4.4,
+ "cveName" : "CVE-2023-27903",
+ "description" : "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27903"
+}, {
+ "versionRange" : "[1.409.2,1.409.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2012-0324",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0324"
+}, {
+ "versionRange" : "[2.270,2.394)",
+ "severity" : 9.6,
+ "cveName" : "CVE-2023-27898",
+ "description" : "Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27898"
+}, {
+ "versionRange" : "(,2.56]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2017-1000353",
+ "description" : "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000353"
+}, {
+ "versionRange" : "(,1.651.1]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-3721",
+ "description" : "Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3721"
+}, {
+ "versionRange" : "(,2.83]",
+ "severity" : 8.8,
+ "cveName" : "CVE-2017-1000393",
+ "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000393"
+}, {
+ "versionRange" : "(,2.218]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2020-2103",
+ "description" : "Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2103"
+}, {
+ "versionRange" : "(,1.550]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2014-2058",
+ "description" : "BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2058"
+}, {
+ "versionRange" : "(,1.550]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-2063",
+ "description" : "Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2063"
+}, {
+ "versionRange" : "(,2.44]",
+ "severity" : 8.8,
+ "cveName" : "CVE-2017-2608",
+ "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2608"
+}, {
+ "versionRange" : "(,2.319)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-21692",
+ "description" : "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21692"
+}, {
+ "versionRange" : "(,1.625.1]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2015-7536",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7536"
+}, {
+ "versionRange" : "(,2.73.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2017-1000399",
+ "description" : "The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000399"
+}, {
+ "versionRange" : "(,2.274]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2021-21603",
+ "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21603"
+}, {
+ "versionRange" : "(,1.649]",
+ "severity" : 8.8,
+ "cveName" : "CVE-2016-0792",
+ "description" : "Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0792"
+}, {
+ "versionRange" : "(,2.185]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2019-10352",
+ "description" : "A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10352"
+}, {
+ "versionRange" : "(,2.303.3)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-21693",
+ "description" : "When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21693"
+}, {
+ "versionRange" : "(,2.32.2)",
+ "severity" : 5.4,
+ "cveName" : "CVE-2017-2601",
+ "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2601"
+}, {
+ "versionRange" : "(,1.532.1]",
+ "severity" : 3.5,
+ "cveName" : "CVE-2014-2068",
+ "description" : "The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2068"
+}, {
+ "versionRange" : "[1.424.4,1.424.4]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2013-0158",
+ "description" : "Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158"
+}, {
+ "versionRange" : "(,2.424)",
+ "severity" : 8.8,
+ "cveName" : "CVE-2023-43496",
+ "description" : "Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-43496"
+}, {
+ "versionRange" : "[1.424.3,1.424.3]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2012-6072",
+ "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072"
+}, {
+ "versionRange" : "(,2.427]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-44487",
+ "description" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
+}, {
+ "versionRange" : "(,1.582]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2014-3661",
+ "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3661"
+}, {
+ "versionRange" : "(,2.106]",
+ "severity" : 5.3,
+ "cveName" : "CVE-2018-1000067",
+ "description" : "An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000067"
+}, {
+ "versionRange" : "(,2.414.3)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-36478",
+ "description" : "Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to\nexceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295\nwill overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-36478"
+}, {
+ "versionRange" : "[2.81,2.94]",
+ "severity" : 8.1,
+ "cveName" : "CVE-2017-1000503",
+ "description" : "A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000503"
+}, {
+ "versionRange" : "(,2.218]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2020-2100",
+ "description" : "Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2100"
+}, {
+ "versionRange" : "(,1.482)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2012-4439",
+ "description" : "Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-4439"
+}, {
+ "versionRange" : "(,1.651.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2016-3725",
+ "description" : "Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3725"
+}, {
+ "versionRange" : "(,2.244]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2020-2221",
+ "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2221"
+}, {
+ "versionRange" : "(,2.176.3]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2019-10401",
+ "description" : "In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10401"
+}, {
+ "versionRange" : "(,1.596.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2015-1812",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1812"
+}, {
+ "versionRange" : "(,1.651.1]",
+ "severity" : 7.4,
+ "cveName" : "CVE-2016-3726",
+ "description" : "Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to \"scheme-relative\" URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3726"
+}, {
+ "versionRange" : "(,2.73.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2017-1000395",
+ "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000395"
+}, {
+ "versionRange" : "[1.424.4,1.424.4]",
+ "severity" : 3.5,
+ "cveName" : "CVE-2012-6074",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074"
+}, {
+ "versionRange" : "(,1.580.3]",
+ "severity" : 4.6,
+ "cveName" : "CVE-2015-1810",
+ "description" : "The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the \"Jenkins' own user database\" setting, which allows remote attackers to gain privileges by creating a reserved name.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1810"
+}, {
+ "versionRange" : "(,1.605]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2015-1814",
+ "description" : "The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a \"forced API token change\" involving anonymous users.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1814"
+}, {
+ "versionRange" : "(,2.176.2]",
+ "severity" : 4.8,
+ "cveName" : "CVE-2019-10383",
+ "description" : "A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10383"
+}, {
+ "versionRange" : "(,2.319)",
+ "severity" : 9.1,
+ "cveName" : "CVE-2021-21689",
+ "description" : "FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21689"
+}, {
+ "versionRange" : "(,1.550]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2014-2065",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2065"
+}, {
+ "versionRange" : "(,2.137]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2018-1999046",
+ "description" : "A exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers With Overall/Read permission to access the connection log for any agent.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999046"
+}, {
+ "versionRange" : "(,2.244]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2020-2223",
+ "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2223"
+}, {
+ "versionRange" : "(,1.605]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2015-1812",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1812"
+}, {
+ "versionRange" : "(,1.514)",
+ "severity" : 2.1,
+ "cveName" : "CVE-2013-2033",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2033"
+}, {
+ "versionRange" : "[1.409.2,1.409.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2012-6072",
+ "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072"
+}, {
+ "versionRange" : "(,2.171]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2019-1003050",
+ "description" : "The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003050"
+}, {
+ "versionRange" : "(,2.196]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2019-10401",
+ "description" : "In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10401"
+}, {
+ "versionRange" : "(,2.218]",
+ "severity" : 5.3,
+ "cveName" : "CVE-2020-2102",
+ "description" : "Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2102"
+}, {
+ "versionRange" : "(,2.145]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2018-1000997",
+ "description" : "A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000997"
+}, {
+ "versionRange" : "(,1.625.1]",
+ "severity" : 8.8,
+ "cveName" : "CVE-2015-7537",
+ "description" : "Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7537"
+}, {
+ "versionRange" : "[1.424.3,1.424.3]",
+ "severity" : 3.5,
+ "cveName" : "CVE-2012-6074",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074"
+}, {
+ "versionRange" : "[2.60.1,2.414.2)",
+ "severity" : 4.3,
+ "cveName" : "CVE-2023-43494",
+ "description" : "Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-43494"
+}, {
+ "versionRange" : "(,1.637]",
+ "severity" : 6.8,
+ "cveName" : "CVE-2015-5318",
+ "description" : "Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5318"
+}, {
+ "versionRange" : "(,2.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2016-3723",
+ "description" : "Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3723"
+}, {
+ "versionRange" : "(,2.319)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2021-21686",
+ "description" : "File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21686"
+}, {
+ "versionRange" : "(,2.31]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-9299",
+ "description" : "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9299"
+}, {
+ "versionRange" : "(,2.185]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-10353",
+ "description" : "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10353"
+}, {
+ "versionRange" : "(,1.599]",
+ "severity" : 3.5,
+ "cveName" : "CVE-2015-1808",
+ "description" : "Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1808"
+}, {
+ "versionRange" : "(,2.153]",
+ "severity" : 8.2,
+ "cveName" : "CVE-2018-1000863",
+ "description" : "A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000863"
+}, {
+ "versionRange" : "(,2.145]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2018-1000409",
+ "description" : "A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000409"
+}, {
+ "versionRange" : "[1.466.1,1.466.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2012-6072",
+ "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072"
+}, {
+ "versionRange" : "[1.424.5,1.424.5]",
+ "severity" : 3.5,
+ "cveName" : "CVE-2012-6074",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074"
+}, {
+ "versionRange" : "(,2.83]",
+ "severity" : 2.2,
+ "cveName" : "CVE-2017-1000401",
+ "description" : "The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000401"
+}, {
+ "versionRange" : "(,1.532.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2014-2065",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2065"
+}, {
+ "versionRange" : "(,2.263.3)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2021-21615",
+ "description" : "Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21615"
+}, {
+ "versionRange" : "(,1.637]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2015-5317",
+ "description" : "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5317"
+}, {
+ "versionRange" : "[2.321,2.355]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2022-34171",
+ "description" : "In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34171"
+}, {
+ "versionRange" : "(,1.550]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2014-2062",
+ "description" : "Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2062"
+}, {
+ "versionRange" : "[2.340,2.355]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2022-34172",
+ "description" : "In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34172"
+}, {
+ "versionRange" : "(,2.150.1]",
+ "severity" : 7.2,
+ "cveName" : "CVE-2019-1003004",
+ "description" : "An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003004"
+}, {
+ "versionRange" : "(,2.319)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-21694",
+ "description" : "FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21694"
+}, {
+ "versionRange" : "(,1.582]",
+ "severity" : 4.0,
+ "cveName" : "CVE-2014-3667",
+ "description" : "Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3667"
+}, {
+ "versionRange" : "(,2.138.3]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2018-1000862",
+ "description" : "An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000862"
+}, {
+ "versionRange" : "(,1.550]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2014-2059",
+ "description" : "Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2059"
+}, {
+ "versionRange" : "(,2.145]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2018-1000407",
+ "description" : "A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000407"
+}, {
+ "versionRange" : "(,2.303.3)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-21694",
+ "description" : "FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21694"
+}, {
+ "versionRange" : "(,2.274]",
+ "severity" : 8.0,
+ "cveName" : "CVE-2021-21604",
+ "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21604"
+}, {
+ "versionRange" : "(,1.532.1]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2014-2059",
+ "description" : "Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2059"
+}, {
+ "versionRange" : "(,2.303.3)",
+ "severity" : 8.8,
+ "cveName" : "CVE-2021-21695",
+ "description" : "FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21695"
+}, {
+ "versionRange" : "(,2.83]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2017-1000395",
+ "description" : "Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000395"
+}, {
+ "versionRange" : "(,2.32.2)",
+ "severity" : 5.4,
+ "cveName" : "CVE-2017-2607",
+ "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2607"
+}, {
+ "versionRange" : "(,2.235.1]",
+ "severity" : 5.4,
+ "cveName" : "CVE-2020-2221",
+ "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2221"
+}, {
+ "versionRange" : "(,1.565.2]",
+ "severity" : 4.0,
+ "cveName" : "CVE-2014-3664",
+ "description" : "Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3664"
+}, {
+ "versionRange" : "[1.409.1,1.409.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2012-0324",
+ "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0324"
+}, {
+ "versionRange" : "(,2.274]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2021-21610",
+ "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.",
+ "nistUrl" :
"https://nvd.nist.gov/vuln/detail/CVE-2021-21610" +}, { + "versionRange" : "(,1.466.2]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 9.1, + "cveName" : "CVE-2021-21689", + "description" : "FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21689" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-2063", + "description" : "Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2063" +}, { + "versionRange" : "(,2.274]", + "severity" : 4.3, + "cveName" : "CVE-2021-21606", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21606" +}, { + "versionRange" : "(,2.274]", + "severity" : 6.5, + "cveName" : "CVE-2021-21607", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21607" +}, { + 
"versionRange" : "(,2.132]", + "severity" : 4.3, + "cveName" : "CVE-2018-1999006", + "description" : "A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999006" +}, { + "versionRange" : "(,1.582]", + "severity" : 5.0, + "cveName" : "CVE-2014-3662", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3662" +}, { + "versionRange" : "(,2.274]", + "severity" : 8.0, + "cveName" : "CVE-2021-21605", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21605" +}, { + "versionRange" : "(,2.274]", + "severity" : 5.4, + "cveName" : "CVE-2021-21611", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21611" +}, { + "versionRange" : "(,2.88]", + "severity" : 7.3, + "cveName" : "CVE-2017-1000391", + "description" : "Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. 
These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000391" +}, { + "versionRange" : "(,1.651.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-3724", + "description" : "Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3724" +}, { + "versionRange" : "(,2.361.1)", + "severity" : 7.5, + "cveName" : "CVE-2022-2048", + "description" : "In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-2048" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2600", + "description" : "In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. 
These included system configuration and runtime information of these nodes (SECURITY-343).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2600" +}, { + "versionRange" : "[2.217,2.441]", + "severity" : 8.8, + "cveName" : "CVE-2024-23898", + "description" : "Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2024-23898" +}, { + "versionRange" : "(,2.145]", + "severity" : 7.8, + "cveName" : "CVE-2018-1000410", + "description" : "An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000410" +}, { + "versionRange" : "(,1.565.2]", + "severity" : 5.0, + "cveName" : "CVE-2014-3661", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3661" +}, { + "versionRange" : "[1.424.5,1.424.5]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct 
phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,2.277.1]", + "severity" : 4.3, + "cveName" : "CVE-2021-21640", + "description" : "Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21640" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 6.5, + "cveName" : "CVE-2014-2058", + "description" : "BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2058" +}, { + "versionRange" : "(,1.637]", + "severity" : 7.5, + "cveName" : "CVE-2015-5325", + "description" : "Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5325" +}, { + "versionRange" : "(,2.218]", + "severity" : 4.3, + "cveName" : "CVE-2020-2104", + "description" : "Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2104" +}, { + "versionRange" : "(,2.319)", + "severity" : 8.8, + "cveName" : "CVE-2021-21695", + "description" : "FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21695" +}, { + "versionRange" : "(,2.314]", + "severity" : 4.3, + "cveName" : "CVE-2021-21682", + "description" : "Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21682" +}, { + "versionRange" : "(,2.44)", + "severity" : 3.5, + "cveName" : "CVE-2017-2603", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. 
This could leak sensitive data such as API tokens (SECURITY-362).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2603" +}, { + "versionRange" : "(,2.218]", + "severity" : 8.6, + "cveName" : "CVE-2020-2099", + "description" : "Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2099" +}, { + "versionRange" : "(,1.599]", + "severity" : 6.5, + "cveName" : "CVE-2015-1806", + "description" : "The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1806" +}, { + "versionRange" : "(,2.138.3]", + "severity" : 6.5, + "cveName" : "CVE-2018-1000864", + "description" : "A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000864" +}, { + "versionRange" : "(,2.424)", + "severity" : 8.1, + "cveName" : "CVE-2023-43498", + "description" : "In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-43498" +}, { + "versionRange" : "(,2.120]", + 
"severity" : 8.1, + "cveName" : "CVE-2018-1000194", + "description" : "A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000194" +}, { + "versionRange" : "(,2.227]", + "severity" : 5.4, + "cveName" : "CVE-2020-2163", + "description" : "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2163" +}, { + "versionRange" : "(,2.44)", + "severity" : 5.4, + "cveName" : "CVE-2017-2599", + "description" : "Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2599" +}, { + "versionRange" : "(,2.56]", + "severity" : 8.8, + "cveName" : "CVE-2017-1000354", + "description" : "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. 
with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000354" +}, { + "versionRange" : "(,2.274]", + "severity" : 6.5, + "cveName" : "CVE-2021-21602", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21602" +}, { + "versionRange" : "(,1.625.1]", + "severity" : 7.5, + "cveName" : "CVE-2015-7539", + "description" : "The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-7539" +}, { + "versionRange" : "(,2.191]", + "severity" : 4.8, + "cveName" : "CVE-2019-10383", + "description" : "A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10383" +}, { + "versionRange" : "(,2.105]", + "severity" : 5.3, + "cveName" : "CVE-2018-1000169", + "description" : "An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000169" +}, { + "versionRange" : "[1.409.3,1.409.3]", + "severity" : 2.6, + "cveName" : "CVE-2013-0158", + "description" : "Unspecified vulnerability in Jenkins before 
1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158" +}, { + "versionRange" : "(,2.88]", + "severity" : 4.8, + "cveName" : "CVE-2017-1000392", + "description" : "Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000392" +}, { + "versionRange" : "(,1.649]", + "severity" : 9.8, + "cveName" : "CVE-2016-0791", + "description" : "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0791" +}, { + "versionRange" : "(,2.73.2]", + "severity" : 4.8, + "cveName" : "CVE-2017-1000392", + "description" : "Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000392" +}, { + "versionRange" : "(,2.394)", + "severity" : 7.5, + "cveName" : "CVE-2023-27900", + "description" : "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in 
hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27900" +}, { + "versionRange" : "(,2.329]", + "severity" : 4.3, + "cveName" : "CVE-2022-20612", + "description" : "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-20612" +}, { + "versionRange" : "(,2.44)", + "severity" : 5.4, + "cveName" : "CVE-2017-2607", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2607" +}, { + "versionRange" : "(,2.227]", + "severity" : 5.4, + "cveName" : "CVE-2020-2161", + "description" : "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2161" +}, { + "versionRange" : "(,1.637]", + "severity" : 5.0, + "cveName" : "CVE-2015-5321", + "description" : "The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2015-5321" +}, { + "versionRange" : "(,2.121.1]", + "severity" : 5.4, + "cveName" : "CVE-2018-1999005", + "description" : "A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999005" +}, { + "versionRange" : "(,2.251]", + "severity" : 5.4, + "cveName" : "CVE-2020-2231", + "description" : "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2231" +}, { + "versionRange" : "(,2.286]", + "severity" : 4.3, + "cveName" : "CVE-2021-21640", + "description" : "Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21640" +}, { + "versionRange" : "(,1.550]", + "severity" : 5.0, + "cveName" : "CVE-2014-2064", + "description" : "The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2064" +}, { + "versionRange" : "(,2.176.2]", + "severity" : 8.8, + "cveName" : "CVE-2019-10384", + "description" : "Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed 
users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10384" +}, { + "versionRange" : "(,1.501]", + "severity" : 4.0, + "cveName" : "CVE-2013-7330", + "description" : "Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7330" +}, { + "versionRange" : "(,1.466.2]", + "severity" : 2.6, + "cveName" : "CVE-2013-0158", + "description" : "Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0158" +}, { + "versionRange" : "(,2.121.1]", + "severity" : 8.8, + "cveName" : "CVE-2018-1999001", + "description" : "A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. 
If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999001" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2598", + "description" : "Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2598" +}, { + "versionRange" : "(,1.596.1]", + "severity" : 4.3, + "cveName" : "CVE-2015-1813", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1813" +}, { + "versionRange" : "(,2.93]", + "severity" : 4.7, + "cveName" : "CVE-2017-17383", + "description" : "Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-17383" +}, { + "versionRange" : "(,2.274]", + "severity" : 5.4, + "cveName" : "CVE-2021-21608", + "description" : "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21608" +}, { + "versionRange" : "(,1.532.1]", + "severity" : 6.5, + "cveName" : "CVE-2014-2062", + "description" : "Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which 
allows remote authenticated users to retain access via the token.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2062" +}, { + "versionRange" : "(,1.424.2)", + "severity" : 7.5, + "cveName" : "CVE-2012-0785", + "description" : "Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka \"the Hash DoS attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0785" +}, { + "versionRange" : "(,2.150.1]", + "severity" : 7.2, + "cveName" : "CVE-2019-1003003", + "description" : "An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1003003" +}, { + "versionRange" : "(,2.244]", + "severity" : 5.4, + "cveName" : "CVE-2020-2220", + "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2220" +}, { + "versionRange" : "(,1.638)", + "severity" : 9.8, + "cveName" : "CVE-2015-8103", + "description" : "The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the \"Groovy variant in 'ysoserial'\".", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-8103" +}, { + "versionRange" : "(,2.185]", + "severity" : 4.3, + "cveName" : 
"CVE-2019-10354", + "description" : "A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10354" +}, { + "versionRange" : "(,1.605]", + "severity" : 4.3, + "cveName" : "CVE-2015-1813", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1813" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 4.3, + "cveName" : "CVE-2017-2611", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2611" +}, { + "versionRange" : "[1.409.2,1.409.2]", + "severity" : 3.5, + "cveName" : "CVE-2012-6074", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6074" +}, { + "versionRange" : "(,2.286]", + "severity" : 4.3, + "cveName" : "CVE-2021-21639", + "description" : "Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after 
loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21639" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2602", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2602" +}, { + "versionRange" : "(,2.227]", + "severity" : 8.8, + "cveName" : "CVE-2020-2160", + "description" : "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2160" +}, { + "versionRange" : "(,2.394)", + "severity" : 5.3, + "cveName" : "CVE-2023-27904", + "description" : "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27904" +}, { + "versionRange" : "(,2.394)", + "severity" : 4.3, + "cveName" : "CVE-2023-27902", + "description" : "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27902" +}, { + "versionRange" : "(,2.176.3]", + "severity" : 5.4, + "cveName" : "CVE-2019-10405", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the \"Cookie\" 
HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10405" +}, { + "versionRange" : "[2.340,2.355]", + "severity" : 5.4, + "cveName" : "CVE-2022-34173", + "description" : "In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34173" +}, { + "versionRange" : "(,1.649]", + "severity" : 6.1, + "cveName" : "CVE-2016-0789", + "description" : "CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0789" +}, { + "versionRange" : "(,2.137]", + "severity" : 6.5, + "cveName" : "CVE-2018-1999044", + "description" : "A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1999044" +}, { + "versionRange" : "(,2.105]", + "severity" : 5.4, + "cveName" : "CVE-2018-1000170", + "description" : "A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2018-1000170" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 5.4, + "cveName" : "CVE-2017-2613", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2613" +}, { + "versionRange" : "(,2.235.1]", + "severity" : 5.4, + "cveName" : "CVE-2020-2220", + "description" : "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2220" +}, { + "versionRange" : "(,2.300)", + "severity" : 4.3, + "cveName" : "CVE-2021-21670", + "description" : "Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21670" +}, { + "versionRange" : "(,2.176.3]", + "severity" : 5.4, + "cveName" : "CVE-2019-10404", + "description" : "Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10404" +}, { + "versionRange" : "(,2.277.1]", + "severity" : 4.3, + "cveName" : "CVE-2021-21639", + "description" : "Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing 
attackers with Computer/Configure permission to replace a node with one of a different type.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21639" +}, { + "versionRange" : "(,2.332.3]", + "severity" : 7.5, + "cveName" : "CVE-2022-34174", + "description" : "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34174" +}, { + "versionRange" : "(,1.599]", + "severity" : 4.6, + "cveName" : "CVE-2015-1810", + "description" : "The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the \"Jenkins' own user database\" setting, which allows remote attackers to gain privileges by creating a reserved name.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1810" +}, { + "versionRange" : "(,1.550]", + "severity" : 5.0, + "cveName" : "CVE-2014-2061", + "description" : "The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2061" +}, { + "versionRange" : "(,1.565.2]", + "severity" : 5.0, + "cveName" : "CVE-2014-3662", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3662" +}, { + "versionRange" : "(,2.400)", + "severity" : 8.0, + "cveName" : "CVE-2023-35141", + "description" : "In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. 
If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-35141" +}, { + "versionRange" : "(,2.334)", + "severity" : 7.5, + "cveName" : "CVE-2022-0538", + "description" : "Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0538" +}, { + "versionRange" : "(,1.637]", + "severity" : 5.0, + "cveName" : "CVE-2015-5324", + "description" : "Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5324" +}, { + "versionRange" : "[1.424.5,1.424.5]", + "severity" : 4.3, + "cveName" : "CVE-2012-6072", + "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072" +}, { + "versionRange" : "(,2.428)", + "severity" : 7.5, + "cveName" : "CVE-2023-36478", + "description" : "Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to\nexceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. 
However, when length is very large and huffman is true, the multiplication by 4 in line 295\nwill overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-36478" +}, { + "versionRange" : "(,2.196]", + "severity" : 5.4, + "cveName" : "CVE-2019-10402", + "description" : "In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10402" +}, { + "versionRange" : "(,1.466.2]", + "severity" : 4.3, + "cveName" : "CVE-2012-6072", + "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072" +}, { + "versionRange" : "(,2.218]", + "severity" : 5.3, + "cveName" : "CVE-2020-2101", + "description" : "Jenkins 2.218 and 
earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2101" +}, { + "versionRange" : "(,2.73.1]", + "severity" : 4.3, + "cveName" : "CVE-2017-1000400", + "description" : "The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000400" +}, { + "versionRange" : "(,1.580.3]", + "severity" : 6.5, + "cveName" : "CVE-2015-1806", + "description" : "The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1806" +}, { + "versionRange" : "(,2.32.2)", + "severity" : 4.3, + "cveName" : "CVE-2017-2606", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). 
This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2606" +}, { + "versionRange" : "(,1.637]", + "severity" : 5.0, + "cveName" : "CVE-2015-5322", + "description" : "Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5322" +}, { + "versionRange" : "(,2.251]", + "severity" : 5.4, + "cveName" : "CVE-2020-2230", + "description" : "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2230" +}, { + "versionRange" : "(,2.44)", + "severity" : 4.3, + "cveName" : "CVE-2017-2609", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). 
The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2609" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 9.1, + "cveName" : "CVE-2021-21685", + "description" : "Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" +}, { + "versionRange" : "[1.466.1,1.466.1]", + "severity" : 5.8, + "cveName" : "CVE-2012-6073", + "description" : "Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6073" +}, { + "versionRange" : "(,1.501]", + "severity" : 4.3, + "cveName" : "CVE-2013-0328", + "description" : "Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0328" +}, { + "versionRange" : "(,1.599]", + "severity" : 3.5, + "cveName" : "CVE-2015-1807", + "description" : "Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1807" +}, { + "versionRange" : "(,2.303.3)", + "severity" : 9.8, + "cveName" : "CVE-2021-21691", + "description" : "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 
and earlier, LTS 2.303.2 and earlier.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" +}, { + "versionRange" : "(,2.107.2]", + "severity" : 4.3, + "cveName" : "CVE-2018-1000192", + "description" : "A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000192" +}, { + "versionRange" : "[1.424.4,1.424.4]", + "severity" : 4.3, + "cveName" : "CVE-2012-6072", + "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072" +}, { + "versionRange" : "[2.335,2.355]", + "severity" : 7.5, + "cveName" : "CVE-2022-34175", + "description" : "Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-34175" +}, { + "versionRange" : "(,1.582]", + "severity" : 4.0, + "cveName" : "CVE-2014-3680", + "description" : "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3680" +}, { + "versionRange" : "(,2.120]", + "severity" : 4.3, + "cveName" : "CVE-2018-1000195", + "description" : "A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 
2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000195" +}, { + "versionRange" : "(,2.73.1]", + "severity" : 4.3, + "cveName" : "CVE-2017-1000398", + "description" : "The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000398" +}, { + "versionRange" : "[1.409.3,1.409.3]", + "severity" : 4.3, + "cveName" : "CVE-2012-6072", + "description" : "CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-6072" +}, { + "versionRange" : "(,2.44)", + "severity" : 5.4, + "cveName" : "CVE-2017-2610", + "description" : "jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2610" +}, { + "versionRange" : "(,2.138.3]", + "severity" : 9.8, + "cveName" : "CVE-2018-1000861", + "description" : "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in 
stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000861" +}, { + "versionRange" : "(,1.482)", + "severity" : 6.1, + "cveName" : "CVE-2012-4441", + "description" : "Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-4441" +}, { + "versionRange" : "(,2.44)", + "severity" : 5.4, + "cveName" : "CVE-2017-2601", + "description" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-2601" +}, { + "versionRange" : "(,2.394)", + "severity" : 7.5, + "cveName" : "CVE-2023-27901", + "description" : "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27901" +}, { + "versionRange" : "(,2.236)", + "severity" : 4.3, + "cveName" : "CVE-2020-2251", + "description" : "Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-2251" +}, { + "versionRange" : "(,1.651.1]", + "severity" : 4.3, + "cveName" : "CVE-2016-3727", + "description" : "The API URL 
computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3727" +} ] diff --git a/mvn/mvn/security.json b/mvn/mvn/security.json new file mode 100644 index 000000000..d310763ce --- /dev/null +++ b/mvn/mvn/security.json @@ -0,0 +1,13 @@ +[ { + "versionRange" : "[3.0.4,3.0.4]", + "severity" : 5.8, + "cveName" : "CVE-2013-0253", + "description" : "The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0253" +}, { + "versionRange" : "(,3.8.1)", + "severity" : 9.1, + "cveName" : "CVE-2021-26291", + "description" : "Apache Maven will follow repositories that are defined in a dependency���s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-26291" +} ] diff --git a/python/python/security.json b/python/python/security.json new file mode 100644 index 000000000..6ad592fe3 --- /dev/null 
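Review bot: The CVE-2021-26291 description in the mvn/mvn/security.json hunk contains a mis-encoded character run (`dependency���s`), which looks like a U+2019 apostrophe from the NVD text that was transcoded through a non-UTF-8 platform encoding; the fragment should read `dependency’s` (or plain ASCII `dependency's`). Because the file appears to be tool-emitted, the fix belongs in the generator: write the JSON with an explicit UTF-8 encoding, and consider a check that rejects replacement characters (U+FFFD) in these data files so a consumer never parses or displays corrupted text. Separately, `severity` mixes what look like CVSS v2 (5.8 for CVE-2013-0253) and v3 (9.1 for CVE-2021-26291) base scores without recording which scale applies, so any consumer that thresholds on this value will rank the two on different scales; a field naming the scoring version, or a single consistent scale, would avoid that. The file is also a top-level JSON array, so metadata such as a generation timestamp or source snapshot cannot be added later without changing its shape.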
+++ b/python/python/security.json 
@@ -0,0 +1,4357 @@ +[ { + "versionRange" : "[3.1.4,3.1.4]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.7.0,2.7.17)", + "severity" : 6.1, + "cveName" : "CVE-2019-9947", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9947" +}, { + "versionRange" : "[2.7.13,2.7.13]", + "severity" : 7.8, + "cveName" : "CVE-2017-20052", + "description" : "A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. 
The exploit has been disclosed to the public and may be used.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-20052" +}, { + "versionRange" : "[2.5.0,2.5.3)", + "severity" : 7.5, + "cveName" : "CVE-2008-3142", + "description" : "Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-3142" +}, { + "versionRange" : "[3.7.0,3.7.10)", + "severity" : 5.9, + "cveName" : "CVE-2021-23336", + "description" : "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. 
This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-23336" +}, { + "versionRange" : "[2.5.2,2.5.2]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.7.5,2.7.5]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.10.0,3.10.13)", + "severity" : 5.3, + "cveName" : "CVE-2023-40217", + "description" : "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. 
This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" +}, { + "versionRange" : "[2.7.3,2.7.3]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.1.4,3.1.4]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[2.6.5,2.6.5]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.5.0,3.5.0]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", 
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[2.1.1,2.1.1]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.6.0,3.6.9)", + "severity" : 7.5, + "cveName" : "CVE-2019-5010", + "description" : "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. 
An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-5010"
+}, {
+ "versionRange" : "[3.3.4,3.3.4]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "[2.7.3,2.7.3]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2014-7185",
+ "description" : "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-7185"
+}, {
+ "versionRange" : "[2.7.6,2.7.6]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "(,3.11.4]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-36632",
+ "description" : "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. 
This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-36632"
+}, {
+ "versionRange" : "[2.3.7,2.3.7]",
+ "severity" : 10.0,
+ "cveName" : "CVE-2008-5031",
+ "description" : "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. 
NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-5031"
+}, {
+ "versionRange" : "[2.5.2,2.5.2]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.0.0,3.7.14)",
+ "severity" : 7.4,
+ "cveName" : "CVE-2021-28861",
+ "description" : "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28861"
+}, {
+ "versionRange" : "[3.4.0,3.4.7)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2016-4472",
+ "description" : "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
+}, {
+ "versionRange" : "[2.5.6,2.5.6]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.2.0,3.2.6)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2013-1753",
+ "description" : "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-1753"
+}, {
+ "versionRange" : "[3.3.2,3.3.2]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[2.6.8,2.6.8]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-4238",
+ "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
+ "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
+}, {
+ "versionRange" : "[3.5.0,3.5.0]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[3.6.0,3.6.14)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2021-3737",
+ "description" : "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
+}, {
+ "versionRange" : "[3.4.0,3.4.10]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-16056",
+ "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056"
+}, {
+ "versionRange" : "[3.1.2,3.1.2]",
+ "severity" : 1.9,
+ "cveName" : "CVE-2011-4944",
+ "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
+}, {
+ "versionRange" : "[2.6.4,2.6.4]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "(,2.6.7]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[2.7.4,2.7.4]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial 
of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[3.4.0,3.4.7)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2016-2183",
+ "description" : "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+}, {
+ "versionRange" : "[3.6,3.6.4]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2018-1061",
+ "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. 
An attacker could use this flaw to cause denial of service.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1061"
+}, {
+ "versionRange" : "[2.6.4,2.6.4]",
+ "severity" : 1.9,
+ "cveName" : "CVE-2011-4944",
+ "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
+}, {
+ "versionRange" : "[3.1.1,3.1.1]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.2.0,3.2.6]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-16056",
+ "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056"
+}, {
+ "versionRange" : "[3.2.0,3.2.3)",
+ "severity" : 4.3,
+ "cveName" : "CVE-2012-0876",
+ "description" : "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
+}, {
+ "versionRange" : "[3.7.0,3.7.6]",
+ "severity" : 5.5,
+ "cveName" : "CVE-2020-8315",
+ "description" : "In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8315"
+}, {
+ "versionRange" : "[2.6.7,2.6.7]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[2.7.1,2.7.1]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2014-7185",
+ "description" : "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.",
+ "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2014-7185"
+}, {
+ "versionRange" : "[2.7.3,2.7.3]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[3.6.0,3.6.2)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2017-9233",
+ "description" : "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
+}, {
+ "versionRange" : "[3.1.4,3.1.4]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.1.5,3.1.5]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[2.7.2,2.7.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 
only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[2.6.5,2.6.5]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "(,2.5.12)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2008-3143",
+ "description" : "Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by \"checks for integer overflows, contributed by Google.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-3143"
+}, {
+ "versionRange" : "[3.3.2,3.3.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-2099",
+ "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in 
Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099"
+}, {
+ "versionRange" : "[3.6.0,3.6.10]",
+ "severity" : 5.5,
+ "cveName" : "CVE-2020-8315",
+ "description" : "In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8315"
+}, {
+ "versionRange" : "[3.9.0,3.9.2)",
+ "severity" : 5.9,
+ "cveName" : "CVE-2021-23336",
+ "description" : "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. 
This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-23336"
+}, {
+ "versionRange" : "[2.4.3,2.4.3]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[2.7.2,2.7.2]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[3.1.4,3.1.4]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[3.7.0,3.7.11)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2021-4189",
+ "description" : "A flaw was found in Python, 
specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-4189"
+}, {
+ "versionRange" : "[3.8.0,3.8.14)",
+ "severity" : 7.4,
+ "cveName" : "CVE-2021-28861",
+ "description" : "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28861"
+}, {
+ "versionRange" : "[3.2.2,3.2.2]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "[2.7.1,2.7.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[1.5.2,2.4.6)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2008-4864",
+ "description" : "Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-4864"
+}, {
+ "versionRange" : "[3.8.0,3.8.7)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2020-27619",
+ "description" : "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-27619"
+}, {
+ "versionRange" : "[2.6.6,2.6.6]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-4238",
+ "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
+}, {
+ "versionRange" : "(,2.2.2)",
+ "severity" : 4.6,
+ "cveName" : "CVE-2002-1119",
+ "description" : "os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2002-1119"
+}, {
+ "versionRange" : "[2.2.2,2.2.2]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python 
before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[3.2.6,3.2.6]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[3.2.0,3.2.6)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2014-4650",
+ "description" : "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4650"
+}, {
+ "versionRange" : "[3.7.0,3.8.17)",
+ "severity" : 6.8,
+ "cveName" : "CVE-2007-4559",
+ "description" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. 
(dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2007-4559"
+}, {
+ "versionRange" : "[3.2.4,3.2.4]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[3.4.4,3.4.4]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[2.7.0,2.7.7)",
+ "severity" : 5.9,
+ "cveName" : "CVE-2014-4616",
+ "description" : "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4616"
+}, {
+ "versionRange" : "[3.4.3,3.4.3]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : 
"[3.5.0,3.5.7)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-9636",
+ "description" : "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9636"
+}, {
+ "versionRange" : "[3.2.4,3.2.4]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[2.4.6,2.4.6]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[3.2.2,3.2.2]",
+ 
"severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.3.0,3.3.3)",
+ "severity" : 6.4,
+ "cveName" : "CVE-2012-2135",
+ "description" : "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-2135"
+}, {
+ "versionRange" : "[2.2.3,2.2.3]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[2.5.0,2.5.3)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2008-4864",
+ "description" : "Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-4864"
+}, {
+ "versionRange" : "[3.1.3,3.1.3]",
+ "severity" : 5.0,
+ "cveName" : 
"CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.2.6,3.2.6]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[2.3.5,2.3.5]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.7.3,2.7.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.0.0,3.4.10)", + "severity" : 9.8, + 
"cveName" : "CVE-2019-9636", + "description" : "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9636" +}, { + "versionRange" : "[3.6.0,3.6.5)", + "severity" : 6.7, + "cveName" : "CVE-2018-1000117", + "description" : "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. 
This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117" +}, { + "versionRange" : "[2.6.3,2.6.3]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.1.5,3.1.5]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.6.0,3.6.14)", + "severity" : 5.3, + "cveName" : "CVE-2021-4189", + "description" : "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. 
This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-4189" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.9.0,3.9.14)", + "severity" : 7.4, + "cveName" : "CVE-2021-28861", + "description" : "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. 
It only implements basic security checks.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28861" +}, { + "versionRange" : "[3.2.1,3.2.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.7.0,3.7.7)", + "severity" : 7.5, + "cveName" : "CVE-2022-48560", + "description" : "A use-after-free exists in Python through 3.9 via heappushpop in heapq.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48560" +}, { + "versionRange" : "[3.9.0,3.9.7)", + "severity" : 6.8, + "cveName" : "CVE-2013-0340", + "description" : "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0340" +}, { + "versionRange" : "[3.8.0,3.8.5)", + "severity" : 9.8, + "cveName" : "CVE-2020-15801", + "description" : "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. 
The ._pth file (e.g., the python._pth file) is not affected.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15801" +}, { + "versionRange" : "[3.8.0,3.8.7]", + "severity" : 9.8, + "cveName" : "CVE-2021-3177", + "description" : "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3177" +}, { + "versionRange" : "(,3.8.18)", + "severity" : 5.3, + "cveName" : "CVE-2023-40217", + "description" : "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. 
(The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" +}, { + "versionRange" : "[3.4.0,3.4.2)", + "severity" : 7.4, + "cveName" : "CVE-2014-0224", + "description" : "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-0224" +}, { + "versionRange" : "[2.3.1,2.3.1]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.1.0,3.1.3)", + "severity" : 5.0, + "cveName" : "CVE-2010-2089", + "description" : "The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-2089" +}, { + "versionRange" : "[2.1.3,2.1.3]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + 
"description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[2.6.4,2.6.4]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "(,3.6.13)", + "severity" : 6.5, + "cveName" : "CVE-2022-48564", + "description" : "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48564" +}, { + "versionRange" : "[3.10.0,3.10.9)", + "severity" : 7.8, + "cveName" : "CVE-2022-42919", + "description" : "Python 3.9.x before 3.9.16 and 3.10.x before 
3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-42919" +}, { + "versionRange" : "[3.5.0,3.5.3)", + "severity" : 6.1, + "cveName" : "CVE-2016-1000110", + "description" : "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110" +}, { + "versionRange" : "[3.9.0,3.9.1)", + "severity" : 9.8, + "cveName" : "CVE-2022-48565", + "description" : "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. 
The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48565" +}, { + "versionRange" : "[3.4.0,3.7.1)", + "severity" : 7.5, + "cveName" : "CVE-2018-20406", + "description" : "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-20406" +}, { + "versionRange" : "[3.9.0,3.9.1]", + "severity" : 9.8, + "cveName" : "CVE-2021-3177", + "description" : "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. 
This occurs because sprintf is used unsafely.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3177" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[2.7.2,2.7.2]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.6.0,3.6.2)", + "severity" : 9.8, + "cveName" : "CVE-2016-0718", + "description" : "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0718" +}, { + "versionRange" : "[3.8.0,3.8.0]", + "severity" : 7.5, + "cveName" : "CVE-2019-17514", + "description" : "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. 
This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-17514" +}, { + "versionRange" : "(,3.6.11)", + "severity" : 7.5, + "cveName" : "CVE-2022-48560", + "description" : "A use-after-free exists in Python through 3.9 via heappushpop in heapq.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48560" +}, { + "versionRange" : "(,2.7.16]", + "severity" : 7.5, + "cveName" : "CVE-2019-16056", + "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" +}, { + "versionRange" : "[3.5.1,3.5.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "(,2.7.15)", + "severity" : 7.5, + "cveName" : "CVE-2018-1061", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1061" +}, { + "versionRange" : "[3.9.0,3.9.11)", + "severity" : 6.5, + "cveName" : "CVE-2016-3189", + "description" : "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3189" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.3.3,3.3.3]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The 
smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.1.5,3.1.5]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.1.5,3.1.5]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname 
matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "(,3.6.14)", + "severity" : 7.5, + "cveName" : "CVE-2022-0391", + "description" : "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0391" +}, { + "versionRange" : "[2.7.0,2.7.15)", + "severity" : 7.5, + "cveName" : "CVE-2017-9233", + "description" : "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-9233" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[2.3.1,2.3.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do 
not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.2.5,3.2.5]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.10.0,3.10.8)", + "severity" : 7.6, + "cveName" : "CVE-2015-20107", + "description" : "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-20107" +}, { + "versionRange" : "[3.8.0,3.8.12)", + "severity" : 6.8, + "cveName" : "CVE-2013-0340", + "description" : "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0340" +}, { + "versionRange" : "[2.6.7,2.6.7]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.9.0,3.9.10]", + "severity" : 7.0, + "cveName" : "CVE-2022-26488", + "description" : "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. 
This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-26488"
+}, {
+ "versionRange" : "[3.0.0,3.5.0)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2019-13404",
+ "description" : "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-13404"
+}, {
+ "versionRange" : "(,3.7.15]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-45061",
+ "description" : "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
+}, {
+ "versionRange" : "[3.10.0,3.10.0]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-0391",
+ "description" : "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0391"
+}, {
+ "versionRange" : "[3.4.0,3.4.3)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2013-1753",
+ "description" : "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-1753"
+}, {
+ "versionRange" : "[3.7.0,3.7.13)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-12900",
+ "description" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
+}, {
+ "versionRange" : "[2.7.5,2.7.5]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2014-7185",
+ "description" : "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-7185"
+}, {
+ "versionRange" : "[2.1.3,2.1.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.5.6,2.5.6]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[3.4.0,3.4.6)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-1000110",
+ "description" : "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110"
+}, {
+ "versionRange" : "[2.5.1,2.5.1]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[3.1.3,3.1.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.2.1,3.2.1]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.6.0,3.6.6]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2018-14647",
+ "description" : "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-14647"
+}, {
+ "versionRange" : "[2.1.1,2.1.1]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "(,2.7.18]",
+ "severity" : 5.3,
+ "cveName" : "CVE-2023-27043",
+ "description" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27043"
+}, {
+ "versionRange" : "[2.1.1,2.1.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.5.0,3.5.10)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-20907",
+ "description" : "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
+}, {
+ "versionRange" : "[2.1.3,2.1.3]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[2.5.4,2.5.4]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[3.1.1,3.1.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "(,2.7.11]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.3.2,3.3.2]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[3.9.0,3.9.16)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2022-37454",
+ "description" : "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-37454"
+}, {
+ "versionRange" : "[2.7.0,2.7.13)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2016-2183",
+ "description" : "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+}, {
+ "versionRange" : "[2.2.2,2.2.2]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.4.0,3.4.8)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2017-1000158",
+ "description" : "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000158"
+}, {
+ "versionRange" : "[3.1.4,3.1.4]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[2.4.4,2.4.4]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.8.0,3.8.5)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-20907",
+ "description" : "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
+}, {
+ "versionRange" : "[3.1.1,3.1.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.2.4,3.2.4]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.2.5,3.2.5]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.3.3,3.3.3]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "[2.6.1,2.6.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.5.3,2.5.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.3.3,3.3.3]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "(,2.5.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2007-4965",
+ "description" : "Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2007-4965"
+}, {
+ "versionRange" : "[3.3.2,3.3.2]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.1.0,3.1.3)",
+ "severity" : 5.0,
+ "cveName" : "CVE-2010-1634",
+ "description" : "Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-1634"
+}, {
+ "versionRange" : "[3.9.0,3.9.3)",
+ "severity" : 5.7,
+ "cveName" : "CVE-2021-3426",
+ "description" : "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
+}, {
+ "versionRange" : "[3.2.1,3.2.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[3.8.0,3.8.10)",
+ "severity" : 6.5,
+ "cveName" : "CVE-2021-3733",
+ "description" : "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
+}, {
+ "versionRange" : "[3.9.0,3.9.0]",
+ "severity" : 7.8,
+ "cveName" : "CVE-2020-15523",
+ "description" : "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15523"
+}, {
+ "versionRange" : "[2.4.4,2.4.4]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.2.0,2.2.2)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2004-0150",
+ "description" : "Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2004-0150"
+}, {
+ "versionRange" : "[2.6.5,2.6.5]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[3.11.0,3.11.0]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-45061",
+ "description" : "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
+}, {
+ "versionRange" : "[3.7.0,3.7.9)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2020-15523",
+ "description" : "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15523"
+}, {
+ "versionRange" : "[2.4.6,2.4.6]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.5.1,2.5.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "(,2.5.2]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2008-2316",
+ "description" : "Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to \"partial hashlib hashing of data exceeding 4GB.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-2316"
+}, {
+ "versionRange" : "[2.2.3,2.2.3]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[2.6.3,2.6.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.2.6,3.2.6]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "(,3.6.16)",
+ "severity" : 6.8,
+ "cveName" : "CVE-2007-4559",
+ "description" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2007-4559"
+}, {
+ "versionRange" : "[3.5.0,3.5.2)",
+ "severity" : 6.8,
+ "cveName" : "CVE-2015-1283",
+ "description" : "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
+}, {
+ "versionRange" : "[3.7.0,3.7.9)",
+ "severity" : 7.2,
+ "cveName" : "CVE-2020-26116",
+ "description" : "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-26116"
+}, {
+ "versionRange" : "[2.1.2,2.1.2]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[2.3.4,2.3.4]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.7.2,2.7.2]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.11.0,3.11.4)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-24329",
+ "description" : "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-24329"
+}, {
+ "versionRange" : "[2.4.1,2.4.1]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[3.9.0,3.9.5)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-0391",
+ "description" : "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0391"
+}, {
+ "versionRange" : "[2.4.0,2.4.4)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2006-4980",
+ "description" : "Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2006-4980"
+}, {
+ "versionRange" : "[2.4.2,2.4.2]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.7.0,2.7.17)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2019-10160",
+ "description" : "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
+}, {
+ "versionRange" : "[3.10.0,3.10.8]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-45061",
+ "description" : "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
+}, {
+ "versionRange" : "[3.0.0,3.4.9)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2018-1060",
+ "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1060"
+}, {
+ "versionRange" : "[3.4.0,3.4.5)",
+ "severity" : 6.8,
+ "cveName" : "CVE-2015-1283",
+ "description" : "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
+}, {
+ "versionRange" : "[3.9.0,3.9.6)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2021-3737",
+ "description" : "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
+}, {
+ "versionRange" : "[2.7.0,2.7.4)",
+ "severity" : 6.4,
+ "cveName" : "CVE-2012-2135",
+ "description" : "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-2135"
+}, {
+ "versionRange" : "[2.6.5,2.6.5]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.2.3,2.2.3]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[2.7.4,2.7.4]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.3.6,3.3.6]",
+ "severity" : 3.3,
+ "cveName" : "CVE-2014-2667",
+ "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667"
+}, {
+ "versionRange" : "[2.3.2,2.3.2]",
+ "severity" : 5.8,
+ "cveName" : 
"CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.3.3,3.3.3]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.7.0,3.7.15]", + "severity" : 7.6, + "cveName" : "CVE-2015-20107", + "description" : "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). 
The fix is also back-ported to 3.7, 3.8, 3.9", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-20107" +}, { + "versionRange" : "[2.2.3,2.2.3]", + "severity" : 10.0, + "cveName" : "CVE-2008-5031", + "description" : "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-5031" +}, { + "versionRange" : "[2.1.3,2.1.3]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.4.1,3.4.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[2.2.3,2.2.3]", + "severity" : 5.8, + "cveName" : 
"CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.0,3.5.10)", + "severity" : 6.1, + "cveName" : "CVE-2019-18348", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). 
This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18348" +}, { + "versionRange" : "[3.2.4,3.2.4]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[2.7.0,2.7.3)", + "severity" : 4.3, + "cveName" : "CVE-2012-0876", + "description" : "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0876" +}, { + "versionRange" : "[3.8.0,3.8.0]", + "severity" : 9.8, + "cveName" : "CVE-2019-10160", + "description" : "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. 
When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10160" +}, { + "versionRange" : "[2.0,2.7.17)", + "severity" : 9.1, + "cveName" : "CVE-2019-9948", + "description" : "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9948" +}, { + "versionRange" : "(,3.6.4]", + "severity" : 6.5, + "cveName" : "CVE-2017-18207", + "description" : "The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. 
NOTE: the vendor disputes this issue because Python applications \"need to be prepared to handle a wide variety of exceptions.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-18207" +}, { + "versionRange" : "[3.2.1,3.2.1]", + "severity" : 4.3, + "cveName" : "CVE-2013-2099", + "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099" +}, { + "versionRange" : "[3.7.0,3.7.4]", + "severity" : 7.5, + "cveName" : "CVE-2019-16056", + "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" +}, { + "versionRange" : "(,2.4.6)", + "severity" : 7.5, + "cveName" : "CVE-2008-3142", + "description" : "Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-3142" +}, { + "versionRange" : "[3.11.0,3.11.0]", + "severity" : 7.5, + "cveName" : "CVE-2020-10735", + "description" : "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). 
The highest threat from this vulnerability is to system availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-10735" +}, { + "versionRange" : "[3.2.6,3.2.6]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.2.4,3.2.4]", + "severity" : 4.3, + "cveName" : "CVE-2013-2099", + "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099" +}, { + "versionRange" : "[3.7.0,3.7.4)", + "severity" : 6.1, + "cveName" : "CVE-2019-9740", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. 
This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9740" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.5.0,3.5.7]", + "severity" : 7.5, + "cveName" : "CVE-2019-16056", + "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" +}, { + "versionRange" : "[2.7.0,2.7.17]", + "severity" : 6.5, + "cveName" : "CVE-2020-8492", + "description" : "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8492" +}, { + "versionRange" : "[3.3.5,3.3.5]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.6.0,3.6.12]", + "severity" : 9.8, + "cveName" : "CVE-2021-3177", + "description" : "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. 
This occurs because sprintf is used unsafely.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3177" +}, { + "versionRange" : "[2.3.2,2.3.2]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.10.0,3.10.12)", + "severity" : 6.8, + "cveName" : "CVE-2007-4559", + "description" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2007-4559" +}, { + "versionRange" : "[3.0,3.11]", + "severity" : 5.3, + "cveName" : "CVE-2023-27043", + "description" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). 
This occurs in email/_parseaddr.py in recent versions of Python.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-27043" +}, { + "versionRange" : "[3.8.0,3.8.12]", + "severity" : 7.0, + "cveName" : "CVE-2022-26488", + "description" : "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-26488" +}, { + "versionRange" : "[3.2.6,3.2.6]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.3.0,3.3.0]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + 
"versionRange" : "[2.4.3,2.4.3]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.3.2,3.3.2]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.3.5,3.3.5]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + 
"versionRange" : "[3.7.0,3.7.10)", + "severity" : 9.8, + "cveName" : "CVE-2020-27619", + "description" : "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-27619" +}, { + "versionRange" : "(,2.3.6)", + "severity" : 7.5, + "cveName" : "CVE-2006-4980", + "description" : "Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2006-4980" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[3.6.0,3.6.15)", + "severity" : 6.8, + "cveName" : "CVE-2013-0340", + "description" : "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0340" +}, { + "versionRange" : "(,3.6.13)", + "severity" : 5.9, + "cveName" : "CVE-2022-48566", + "description" : "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48566" +}, { + "versionRange" : "[2.3.3,2.3.3]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.2.2,3.2.2]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are 
used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.1.2,3.1.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.8.0,3.8.4)", + "severity" : 7.8, + "cveName" : "CVE-2020-15523", + "description" : "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15523" +}, { + "versionRange" : "[3.7.0,3.7.14)", + "severity" : 7.5, + "cveName" : "CVE-2020-10735", + "description" : "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). 
The highest threat from this vulnerability is to system availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-10735" +}, { + "versionRange" : "[2.5.1,2.5.1]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.7.0,3.7.13)", + "severity" : 6.5, + "cveName" : "CVE-2016-3189", + "description" : "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3189" +}, { + "versionRange" : "[2.6.5,2.6.5]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "(,2.7.15)", + "severity" : 9.8, + "cveName" : "CVE-2017-1000158", + "description" : "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000158" +}, { + "versionRange" : "[3.4.0,3.4.2)", + "severity" : 9.8, + "cveName" : "CVE-2014-4650", + "description" : "The CGIHTTPServer module in 
Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4650" +}, { + "versionRange" : "[3.3.0,3.3.7)", + "severity" : 7.5, + "cveName" : "CVE-2017-9233", + "description" : "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-9233" +}, { + "versionRange" : "[3.2.5,3.2.5]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[2.6.3,2.6.3]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when 
accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[2.0.1,2.0.1]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.7.3,3.7.15]", + "severity" : 7.8, + "cveName" : "CVE-2022-42919", + "description" : "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. 
Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-42919" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.2.3,2.2.3]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.5.4,2.5.4]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource 
consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.3,3.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.3.0,3.3.7]", + "severity" : 7.5, + "cveName" : "CVE-2019-16056", + "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" +}, { + "versionRange" : "[3.3.6,3.3.6]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[2.6.4,2.6.4]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.9.0,3.9.1)", + "severity" : 5.9, + "cveName" : "CVE-2022-48566", + "description" : "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. 
Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48566" +}, { + "versionRange" : "[3.3.0,3.3.6)", + "severity" : 9.8, + "cveName" : "CVE-2014-4650", + "description" : "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4650" +}, { + "versionRange" : "[3.1.2,3.1.2]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.10.0,3.10.5)", + "severity" : 7.5, + "cveName" : "CVE-2018-25032", + "description" : "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" +}, { + "versionRange" : "[3.8.0,3.8.9)", + "severity" : 5.3, + "cveName" : "CVE-2021-4189", + "description" : "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. 
This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-4189" +}, { + "versionRange" : "[2.7.0,2.7.17)", + "severity" : 7.5, + "cveName" : "CVE-2019-15903", + "description" : "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" +}, { + "versionRange" : "[3.3.0,3.3.7)", + "severity" : 9.8, + "cveName" : "CVE-2016-0718", + "description" : "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0718" +}, { + "versionRange" : "[3.4.0,3.4.7)", + "severity" : 7.5, + "cveName" : "CVE-2017-9233", + "description" : "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-9233" +}, { + "versionRange" : "[3.9.0,3.9.17)", + "severity" : 7.5, + "cveName" : "CVE-2023-24329", + "description" : "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" +}, { + "versionRange" : "[3.9.0,3.9.15]", + "severity" : 7.6, + "cveName" : "CVE-2015-20107", + "description" : "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. 
This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-20107" +}, { + "versionRange" : "[3.3.0,3.3.0]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.7.0,3.7.10)", + "severity" : 9.8, + "cveName" : "CVE-2022-48565", + "description" : "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48565" +}, { + "versionRange" : "(,2.5.3)", + "severity" : 6.8, + "cveName" : "CVE-2008-1679", + "description" : "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-1679" +}, { + "versionRange" : "[3.10.0,3.10.6)", + "severity" : 7.4, + "cveName" : "CVE-2021-28861", + "description" : "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. 
NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28861" +}, { + "versionRange" : "(,3.7.12]", + "severity" : 7.0, + "cveName" : "CVE-2022-26488", + "description" : "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-26488" +}, { + "versionRange" : "[3.7.0,3.7.10)", + "severity" : 5.9, + "cveName" : "CVE-2022-48566", + "description" : "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. 
Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48566" +}, { + "versionRange" : "[2.0.1,2.0.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.2.2,3.2.2]", + "severity" : 4.3, + "cveName" : "CVE-2013-2099", + "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099" +}, { + "versionRange" : "[2.7.0,2.7.15)", + "severity" : 8.1, + "cveName" : "CVE-2016-4472", + "description" : "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-4472" +}, { + "versionRange" : "[3.0.0,3.5.10)", + "severity" : 5.9, + "cveName" : "CVE-2020-14422", + "description" : "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-14422" +}, { + "versionRange" : "[2.6.6,2.6.6]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.4.2,3.4.2]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in 
CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[2.3.5,2.3.5]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.4.2,2.4.2]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.5.0,3.5.6]", + "severity" : 7.5, + "cveName" : "CVE-2018-14647", + "description" : "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. 
The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-14647" +}, { + "versionRange" : "[3.8.0,3.8.1]", + "severity" : 5.5, + "cveName" : "CVE-2020-8315", + "description" : "In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8315" +}, { + "versionRange" : "[3.2.5,3.2.5]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.9.0,3.9.15]", + "severity" : 7.5, + "cveName" : "CVE-2022-45061", + "description" : "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. 
For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-45061" +}, { + "versionRange" : "[2.5.1,2.5.1]", + "severity" : 10.0, + "cveName" : "CVE-2008-5031", + "description" : "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-5031" +}, { + "versionRange" : "(,3.6.13)", + "severity" : 9.8, + "cveName" : "CVE-2022-48565", + "description" : "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. 
The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48565" +}, { + "versionRange" : "[2.7.6,2.7.6]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.2.4,3.2.4]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.6.0,3.6.9)", + "severity" : 9.8, + "cveName" : "CVE-2019-9636", + "description" : "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. 
This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9636" +}, { + "versionRange" : "[3.4.2,3.4.2]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[2.6.5,2.6.5]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[2.5.0,2.5.2]", + "severity" : 7.5, + "cveName" : "CVE-2008-1721", + "description" : "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-1721" +}, { + "versionRange" : "[2.6.7,2.6.7]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates 
~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.2.4,3.2.4]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.4.3,3.4.3]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.5.0,3.5.4)", + "severity" : 9.8, + "cveName" : "CVE-2016-0718", + "description" : "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0718" +}, { + "versionRange" : "[2.3.4,2.3.4]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 
3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.8.0,3.8.14)", + "severity" : 7.5, + "cveName" : "CVE-2020-10735", + "description" : "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-10735" +}, { + "versionRange" : "[3.2.2,3.2.2]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "(,3.6.14)", + "severity" : 6.5, + "cveName" : "CVE-2021-3733", + "description" : "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. 
The greatest threat that this flaw poses is to application availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3733" +}, { + "versionRange" : "[3.6.0,3.6.9]", + "severity" : 7.5, + "cveName" : "CVE-2019-16056", + "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "(,2.5.6]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[2.5.0,2.5.6)", + "severity" : 5.0, + "cveName" : "CVE-2010-2089", + "description" : "The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-2089" +}, { + "versionRange" : "[2.6.1,2.6.1]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.8.0,3.8.1]", + "severity" : 6.5, + "cveName" : "CVE-2020-8492", + "description" : "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to 
conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8492" +}, { + "versionRange" : "[2.2.1,2.2.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.6.0,3.6.10)", + "severity" : 6.1, + "cveName" : "CVE-2019-16935", + "description" : "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16935" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.3.0,3.3.7)", + "severity" : 9.8, + "cveName" : "CVE-2016-9063", + "description" : "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9063" +}, { + "versionRange" : "[2.6.6,2.6.6]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.3.0,3.3.6)", + "severity" : 5.9, + "cveName" : "CVE-2014-4616", + "description" : "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4616" +}, { + "versionRange" : "[2.7.7,2.7.7]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 
2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[2.7.0,2.7.8)", + "severity" : 7.4, + "cveName" : "CVE-2014-0224", + "description" : "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-0224" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[3.8.0,3.8.7)", + "severity" : 6.5, + "cveName" : "CVE-2022-48564", + "description" : "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48564" +}, { + "versionRange" : "[3.5.0,3.5.8)", + "severity" : 9.8, + "cveName" : "CVE-2019-10160", + 
"description" : "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10160" +}, { + "versionRange" : "[2.5.0,2.5.6)", + "severity" : 5.0, + "cveName" : "CVE-2010-1634", + "description" : "Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. 
NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-1634" +}, { + "versionRange" : "[3.1.2,3.1.2]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.12.0,3.12.0]", + "severity" : 5.5, + "cveName" : "CVE-2023-33595", + "description" : "CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-33595" +}, { + "versionRange" : "[3.5.0,3.5.8)", + "severity" : 9.1, + "cveName" : "CVE-2019-9948", + "description" : "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9948" +}, { + "versionRange" : "[2.6.3,2.6.3]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[2.7.8,2.7.8]", + 
"severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.1.5,3.1.5]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[3.1.2,3.1.2]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.6.4,2.6.4]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than 
specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.2.2,3.2.2]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.3.5,3.3.5]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.3.6,3.3.6]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[3.10.0,3.10.9)", + "severity" : 9.8, + "cveName" : "CVE-2022-37454", + "description" : "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. 
This occurs in the sponge function interface.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-37454" +}, { + "versionRange" : "[3.7.0,3.7.0]", + "severity" : 7.5, + "cveName" : "CVE-2018-14647", + "description" : "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-14647" +}, { + "versionRange" : "[3.0.0,3.6.13)", + "severity" : 9.8, + "cveName" : "CVE-2020-27619", + "description" : "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-27619" +}, { + "versionRange" : "[2.4.6,2.4.6]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.6.2,2.6.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash 
table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-2099", + "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099" +}, { + "versionRange" : "[3.4.1,3.4.1]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[2.7.5,2.7.5]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.10.0,3.10.7)", + 
"severity" : 7.5, + "cveName" : "CVE-2020-10735", + "description" : "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-10735" +}, { + "versionRange" : "[2.6.7,2.6.7]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.0.0,3.4.10)", + "severity" : 5.3, + "cveName" : "CVE-2018-20852", + "description" : "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. 
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-20852" +}, { + "versionRange" : "[3.10.0,3.10.0]", + "severity" : 6.5, + "cveName" : "CVE-2021-3733", + "description" : "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3733" +}, { + "versionRange" : "[3.8.0,3.8.17)", + "severity" : 7.5, + "cveName" : "CVE-2023-24329", + "description" : "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" +}, { + "versionRange" : "(,3.7.17)", + "severity" : 7.5, + "cveName" : "CVE-2023-24329", + "description" : "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" +}, { + "versionRange" : "[3.5.1,3.5.1]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[2.5.4,2.5.4]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + 
"description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.3.2,2.3.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.6.6,2.6.6]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.6.0,3.6.13)", + "severity" : 5.7, + "cveName" : "CVE-2021-3426", + "description" : "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. 
This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3426" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.3.2,3.3.2]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.4.1,3.4.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the 
registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.8.0,3.8.7)", + "severity" : 9.8, + "cveName" : "CVE-2022-48565", + "description" : "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48565" +}, { + "versionRange" : "[3.10.0,3.10.3)", + "severity" : 6.5, + "cveName" : "CVE-2016-3189", + "description" : "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3189" +}, { + "versionRange" : "[3.2.5,3.2.5]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.7.0,3.7.0]", + "severity" : 7.5, + "cveName" : "CVE-2018-1061", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. 
An attacker could use this flaw to cause denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1061" +}, { + "versionRange" : "[2.4.0,2.4.6)", + "severity" : 7.5, + "cveName" : "CVE-2008-1721", + "description" : "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-1721" +}, { + "versionRange" : "[3.8.0,3.8.5)", + "severity" : 7.2, + "cveName" : "CVE-2020-26116", + "description" : "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-26116" +}, { + "versionRange" : "[3.3,3.3]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[2.1.2,2.1.2]", + "severity" : 5.0, + 
"cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.2.2,2.2.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "(,2.7.16]", + "severity" : 7.8, + "cveName" : "CVE-2019-13404", + "description" : "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) 
NOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-13404" +}, { + "versionRange" : "(,2.7]", + "severity" : 5.0, + "cveName" : "CVE-2010-3492", + "description" : "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-3492" +}, { + "versionRange" : "[2.7.4,2.7.4]", + "severity" : 6.4, + "cveName" : "CVE-2014-7185", + "description" : "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-7185" +}, { + "versionRange" : "[3.8.0,3.8.12)", + "severity" : 9.8, + "cveName" : "CVE-2021-29921", + "description" : "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-29921" +}, { + "versionRange" : "[3.6.0,3.6.9)", + "severity" : 5.3, + "cveName" : "CVE-2018-20852", + "description" : "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. 
An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-20852" +}, { + "versionRange" : "[2.6.4,2.6.4]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.7.0,3.7.0]", + "severity" : 6.7, + "cveName" : "CVE-2018-1000117", + "description" : "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117" +}, { + "versionRange" : "[3.7.0,3.7.9)", + "severity" : 9.8, + "cveName" : "CVE-2020-15801", + "description" : "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. 
The ._pth file (e.g., the python._pth file) is not affected.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15801" +}, { + "versionRange" : "[2.7.0,2.7.13)", + "severity" : 6.1, + "cveName" : "CVE-2016-1000110", + "description" : "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110" +}, { + "versionRange" : "(,2.7.8]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[2.2.1,2.2.1]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.7.0,2.7.16)", + "severity" : 9.8, + "cveName" : "CVE-2018-1000802", + "description" : "Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. 
This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000802" +}, { + "versionRange" : "[3.9.0,3.9.0]", + "severity" : 7.5, + "cveName" : "CVE-2022-48560", + "description" : "A use-after-free exists in Python through 3.9 via heappushpop in heapq.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48560" +}, { + "versionRange" : "[3.6.0,3.6.10]", + "severity" : 6.5, + "cveName" : "CVE-2020-8492", + "description" : "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8492" +}, { + "versionRange" : "[3.6.0,3.6.0]", + "severity" : 7.5, + "cveName" : "CVE-2019-17514", + "description" : "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. 
There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-17514" +}, { + "versionRange" : "[3.11.0,3.11.0]", + "severity" : 7.0, + "cveName" : "CVE-2022-26488", + "description" : "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-26488" +}, { + "versionRange" : "[3.4.3,3.4.3]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[2.4.3,2.4.3]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.6.0,3.6.9)", + "severity" : 9.1, + "cveName" : "CVE-2019-9948", + 
"description" : "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9948" +}, { + "versionRange" : "[3.9.0,3.9.14)", + "severity" : 7.5, + "cveName" : "CVE-2020-10735", + "description" : "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-10735" +}, { + "versionRange" : "[3.11.0,3.11.5)", + "severity" : 5.3, + "cveName" : "CVE-2023-40217", + "description" : "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. 
(The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" +}, { + "versionRange" : "[2.4.6,2.4.6]", + "severity" : 10.0, + "cveName" : "CVE-2008-5031", + "description" : "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-5031" +}, { + "versionRange" : "[2.3.7,2.3.7]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[2.2.1,2.2.1]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.4.0,3.4.0]", + "severity" : 3.3, + "cveName" : 
"CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.8.0,3.8.3)", + "severity" : 6.1, + "cveName" : "CVE-2019-18348", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18348" +}, { + "versionRange" : "[3.9.0,3.9.18)", + "severity" : 5.3, + "cveName" : "CVE-2023-40217", + "description" : "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. 
This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" +}, { + "versionRange" : "[3.9.0,3.9.16)", + "severity" : 7.8, + "cveName" : "CVE-2022-42919", + "description" : "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. 
Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-42919" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.7.0,3.7.5)", + "severity" : 6.1, + "cveName" : "CVE-2019-16935", + "description" : "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16935" +}, { + "versionRange" : "[3.3.3,3.3.3]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.7.0,2.7.9)", + "severity" : 7.5, + "cveName" : "CVE-2013-1753", + "description" : "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-1753" +}, { + "versionRange" : "[3.4,3.4]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[2.7.2,2.7.2]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to 
CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.7.0,3.7.9)", + "severity" : 5.9, + "cveName" : "CVE-2020-14422", + "description" : "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-14422" +}, { + "versionRange" : "[3.2.6,3.2.6]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "(,2.7.7]", + "severity" : 6.4, + "cveName" : "CVE-2014-7185", + "description" : "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2014-7185" +}, { + "versionRange" : "[2.7.0,2.7.15)", + "severity" : 7.5, + "cveName" : "CVE-2018-1060", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1060" +}, { + "versionRange" : "[3.5.0,3.5.8)", + "severity" : 6.1, + "cveName" : "CVE-2019-9740", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9740" +}, { + "versionRange" : "[3.7.0,3.7.4)", + "severity" : 9.1, + "cveName" : "CVE-2019-9948", + "description" : "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9948" +}, { + "versionRange" : "[3.1.2,3.1.2]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via 
a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.5.0,3.5.4)", + "severity" : 7.5, + "cveName" : "CVE-2017-9233", + "description" : "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-9233" +}, { + "versionRange" : "[2.4.6,2.4.6]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.3.5,3.3.5]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.4.4,3.4.4]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + 
"versionRange" : "(,2.7.18)", + "severity" : 5.7, + "cveName" : "CVE-2021-3426", + "description" : "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3426" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.3.6,3.3.6]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" 
+}, { + "versionRange" : "[3.3.3,3.3.3]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.10.0,3.10.3)", + "severity" : 9.8, + "cveName" : "CVE-2019-12900", + "description" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-12900" +}, { + "versionRange" : "[3.6.0,3.6.2)", + "severity" : 8.1, + "cveName" : "CVE-2016-4472", + "description" : "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-4472" +}, { + "versionRange" : "[2.4.2,2.4.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.7.3,2.7.3]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.2.1,3.2.1]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[3.8.0,3.8.13)", + "severity" : 9.8, + "cveName" : "CVE-2019-12900", + "description" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-12900" +}, { + "versionRange" : "[2.6.3,2.6.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 
through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[2.7.0,2.7.15)", + "severity" : 9.8, + "cveName" : "CVE-2016-0718", + "description" : "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0718" +}, { + "versionRange" : "[3.4.2,3.4.2]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[2.4.1,2.4.1]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[2.6.3,2.6.3]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of 
service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.0,2.7.17)", + "severity" : 6.1, + "cveName" : "CVE-2019-9740", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9740" +}, { + "versionRange" : "[2.7.2,2.7.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : 
"[3.4.0,3.4.0]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[2.4.4,2.4.4]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.8.0,3.8.14)", + "severity" : 7.5, + "cveName" : "CVE-2018-25032", + "description" : "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain 
name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.4.1,3.4.1]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.2.5,3.2.5]", + "severity" : 4.3, + "cveName" : "CVE-2013-2099", + "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099" +}, { + "versionRange" : "[2.7.0,2.7.12)", + "severity" : 6.8, + "cveName" : "CVE-2015-1283", + "description" : "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1283" +}, { + "versionRange" : "[3.7.0,3.7.10)", + "severity" : 6.5, + "cveName" : "CVE-2022-48564", + "description" : "read_ints in plistlib.py in Python through 3.9.1 is 
vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48564" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "(,2.7.9]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.3.5,3.3.5]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.7.0,3.7.5)", + "severity" : 7.5, + "cveName" : "CVE-2019-15903", + "description" : "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" +}, { + "versionRange" : "[2.6.0,2.6.8)", + "severity" : 4.3, + "cveName" : "CVE-2012-0876", + "description" : "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0876" +}, { + "versionRange" : "[3.3.0,3.3.0]", + "severity" : 4.3, + "cveName" : "CVE-2013-2099", + "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099" +}, { + "versionRange" : "[3.5.0,3.5.5)", + "severity" : 9.8, + "cveName" : "CVE-2017-1000158", + "description" : "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-1000158" +}, { + "versionRange" : "(,3.7.2]", 
+ "severity" : 7.5, + "cveName" : "CVE-2019-9674", + "description" : "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9674" +}, { + "versionRange" : "[2.6.2,2.6.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.7.0,3.7.8)", + "severity" : 6.1, + "cveName" : "CVE-2019-18348", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). 
This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18348" +}, { + "versionRange" : "[3.4,3.4]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.8.0,3.8.16)", + "severity" : 9.8, + "cveName" : "CVE-2022-37454", + "description" : "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-37454" +}, { + "versionRange" : "[3.7.0,3.7.11)", + "severity" : 7.5, + "cveName" : "CVE-2021-3737", + "description" : "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. 
The highest threat from this vulnerability is to system availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3737" +}, { + "versionRange" : "[3.3.0,3.3.7)", + "severity" : 6.8, + "cveName" : "CVE-2015-1283", + "description" : "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-1283" +}, { + "versionRange" : "[3.3.4,3.3.4]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.9.0,3.9.17)", + "severity" : 6.8, + "cveName" : "CVE-2007-4559", + "description" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. 
(dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2007-4559" +}, { + "versionRange" : "[3.5.0,3.5.7)", + "severity" : 7.5, + "cveName" : "CVE-2019-5010", + "description" : "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-5010" +}, { + "versionRange" : "[2.4.2,2.4.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.3.0,3.3.6)", + "severity" : 7.5, + "cveName" : "CVE-2013-1753", + "description" : "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-1753" +}, { + "versionRange" : "[3.6.0,3.6.10)", + "severity" : 7.5, + "cveName" : "CVE-2019-15903", + "description" : "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" +}, { + "versionRange" : 
"[3.10.0,3.10.2]", + "severity" : 7.0, + "cveName" : "CVE-2022-26488", + "description" : "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-26488" +}, { + "versionRange" : "[3.3.4,3.3.4]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.1.5,3.1.5]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.11.0,3.11.4)", + "severity" : 6.8, + "cveName" : "CVE-2007-4559", + "description" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. 
(dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2007-4559" +}, { + "versionRange" : "[3.9.0,3.9.3)", + "severity" : 5.3, + "cveName" : "CVE-2021-4189", + "description" : "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-4189" +}, { + "versionRange" : "[3.8.0,3.8.7)", + "severity" : 5.9, + "cveName" : "CVE-2022-48566", + "description" : "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48566" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.6.0,3.6.12)", + "severity" : 7.2, + "cveName" : "CVE-2020-26116", + "description" : "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR 
and LF control characters in the first argument of HTTPConnection.request.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-26116" +}, { + "versionRange" : "[3.5.0,3.5.8)", + "severity" : 6.1, + "cveName" : "CVE-2019-9947", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9947" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[2.6.8,2.6.8]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a 
domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.1.5,3.1.5]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.4.0,3.4.0]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.1.2,3.1.2]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.1.4,3.1.4]", + "severity" : 5.8, + 
"cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.6.0,3.6.11)", + "severity" : 6.1, + "cveName" : "CVE-2019-18348", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). 
This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18348" +}, { + "versionRange" : "[3.3.2,3.3.2]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.4.0,3.4.1)", + "severity" : 5.9, + "cveName" : "CVE-2014-4616", + "description" : "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4616" +}, { + "versionRange" : "[2.7.0,2.7.17)", + "severity" : 9.8, + "cveName" : "CVE-2019-9636", + "description" : "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. 
This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9636" +}, { + "versionRange" : "[3.1.4,3.1.4]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.5.0,3.5.5]", + "severity" : 7.5, + "cveName" : "CVE-2018-1061", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. 
An attacker could use this flaw to cause denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1061" +}, { + "versionRange" : "[2.1.2,2.1.2]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[2.4.5,2.4.5]", + "severity" : 7.2, + "cveName" : "CVE-2008-4108", + "description" : "Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file. NOTE: there may not be common usage scenarios in which tmp$RANDOM.tmp is located in an untrusted directory.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-4108" +}, { + "versionRange" : "[3.3.3,3.3.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[3.3.4,3.3.4]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[2.6.1,2.6.1]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.3.2,3.3.2]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) 
via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[2.6.6,2.6.6]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.0,3.4.9)", + "severity" : 7.5, + "cveName" : "CVE-2018-1061", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. 
An attacker could use this flaw to cause denial of service.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1061"
+}, {
+ "versionRange" : "[2.6.2,2.6.2]",
+ "severity" : 1.9,
+ "cveName" : "CVE-2011-4944",
+ "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
+}, {
+ "versionRange" : "[3.2.1,3.2.1]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[3.2.2,3.2.2]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.1.3,3.1.3]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[3.1.2,3.1.2]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.1.4,3.1.4]",
+ "severity" : 1.9,
+ "cveName" : "CVE-2011-4944",
+ "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
+}, {
+ "versionRange" : "[3.2.4,3.2.4]",
+ "severity" : 3.3,
+ "cveName" : "CVE-2014-2667",
+ "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667"
+}, {
+ "versionRange" : "[3.1.2,3.1.2]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows 
man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.11.0,3.11.0]",
+ "severity" : 7.4,
+ "cveName" : "CVE-2021-28861",
+ "description" : "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28861"
+}, {
+ "versionRange" : "[3.0.0,3.2.6)",
+ "severity" : 5.9,
+ "cveName" : "CVE-2014-4616",
+ "description" : "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4616"
+}, {
+ "versionRange" : "[3.8.3,3.8.15]",
+ "severity" : 7.8,
+ "cveName" : "CVE-2022-42919",
+ "description" : "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. 
This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-42919"
+}, {
+ "versionRange" : "[3.1.4,3.1.4]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.10.0,3.10.12)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-24329",
+ "description" : "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-24329"
+}, {
+ "versionRange" : "[3.2.3,3.2.3]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.3.0,3.3.7)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2016-4472",
+ "description" : "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
+}, {
+ "versionRange" : "[3.8.0,3.8.15]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-45061",
+ "description" : "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
+}, {
+ "versionRange" : "[2.3.3,2.3.3]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.3.1,3.3.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted 
input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[3.2.2,3.2.2]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[3.3.5,3.3.5]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.1.2,3.1.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "(,3.6.13)",
+ "severity" : 5.9,
+ "cveName" : "CVE-2021-23336",
+ "description" : "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-23336"
+}, {
+ "versionRange" : "[2.5.2,2.5.2]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[2.5.1,2.5.1]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[3.3.1,3.3.1]",
+ 
"severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[2.7.6,2.7.6]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[2.3.7,2.3.7]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.3.0,3.3.0]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[2.6.6,2.6.6]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ 
"description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[3.3.1,3.3.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-2099",
+ "description" : "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-2099"
+}, {
+ "versionRange" : "[2.5.4,2.5.4]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.6.0,3.6.12)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2020-15523",
+ "description" : "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. 
This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15523"
+}, {
+ "versionRange" : "[3.7.0,3.7.4)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2019-9947",
+ "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9947"
+}, {
+ "versionRange" : "[2.5.3,2.5.3]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[2.1.3,2.1.3]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of 
data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[3.1.2,3.1.2]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "[2.5.2,2.5.2]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.7.4,2.7.4]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[2.4.1,2.4.1]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as 
demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.4.2,3.4.2]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "[3.7.0,3.7.9)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-20907",
+ "description" : "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
+}, {
+ "versionRange" : "[2.3.5,2.3.5]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.4.3,2.4.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common 
Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.7.0,3.7.0]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-17514",
+ "description" : "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-17514"
+}, {
+ "versionRange" : "[2.7.0,2.7.15)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-9063",
+ "description" : "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9063"
+}, {
+ "versionRange" : "[3.6.0,3.6.9)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2019-9947",
+ "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? 
character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9947"
+}, {
+ "versionRange" : "(,2.5.2]",
+ "severity" : 9.3,
+ "cveName" : "CVE-2008-1887",
+ "description" : "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-1887"
+}, {
+ "versionRange" : "[2.6.4,2.6.4]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.1.3,3.1.3]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount 
of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[3.4.2,3.4.2]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.3.4,3.3.4]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.5.6,2.5.6]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an 
arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.1.0,3.1.5]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-16056",
+ "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056"
+}, {
+ "versionRange" : "[2.7.2,2.7.2]",
+ "severity" : 7.5,
+ "cveName" : "CVE-2014-1912",
+ "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
+}, {
+ "versionRange" : "[2.7.3,2.7.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.4.1,2.4.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) 
xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.3.3,2.3.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.2.5,3.2.5]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.1.4,3.1.4]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-4238",
+ "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle 
a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
+}, {
+ "versionRange" : "[2.4.1,2.4.1]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[2.6.1,2.6.1]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[2.6.6,2.6.6]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.5.0,3.5.4)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-9063",
+ "description" : "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9063"
+}, {
+ "versionRange" : "(,2.6.7]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[2.3.1,2.3.1]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[3.2.0,3.4.9)",
+ "severity" : 6.7,
+ "cveName" : "CVE-2018-1000117",
+ "description" : "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. 
This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117"
+}, {
+ "versionRange" : "[2.7.5,2.7.5]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.4.2,2.4.2]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[2.5.3,2.5.3]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.3.2,3.3.2]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) 
httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.10.0,3.10.0]",
+ "severity" : 5.7,
+ "cveName" : "CVE-2021-3426",
+ "description" : "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
+}, {
+ "versionRange" : "[2.6.1,2.6.1]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-4238",
+ "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
+}, {
+ "versionRange" : "[3.6.0,3.6.12)",
+ "severity" : 5.9,
+ "cveName" : "CVE-2020-14422",
+ "description" : "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to 
cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-14422" +}, { + "versionRange" : "[3.9.0,3.9.1)", + "severity" : 6.5, + "cveName" : "CVE-2022-48564", + "description" : "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48564" +}, { + "versionRange" : "[3.5.0,3.5.6)", + "severity" : 6.7, + "cveName" : "CVE-2018-1000117", + "description" : "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. 
This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117" +}, { + "versionRange" : "[2.7.2,2.7.2]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.5.0,3.5.9]", + "severity" : 6.5, + "cveName" : "CVE-2020-8492", + "description" : "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8492" +}, { + "versionRange" : "[3.3.2,3.3.2]", + "severity" : 7.1, + "cveName" : "CVE-2013-7338", + "description" : "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7338" +}, { + "versionRange" : "[3.3.3,3.3.3]", + "severity" : 7.1, + "cveName" : "CVE-2013-7338", + "description" : "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7338" +}, { + 
"versionRange" : "[3.1.5,3.1.5]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.2.1,3.2.1]", + "severity" : 3.3, + "cveName" : "CVE-2014-2667", + "description" : "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-2667" +}, { + "versionRange" : "[3.4.0,3.4.7)", + "severity" : 9.8, + "cveName" : "CVE-2016-0718", + "description" : "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0718" +}, { + "versionRange" : "[3.4.0,3.4.7)", + "severity" : 9.8, + "cveName" : "CVE-2016-9063", + "description" : "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9063" +}, { + "versionRange" : "[3.6.0,3.6.9)", + "severity" : 6.1, + "cveName" : "CVE-2019-9740", + "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. 
This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9740" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.7.0,2.7.16)", + "severity" : 7.5, + "cveName" : "CVE-2019-5010", + "description" : "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-5010" +}, { + "versionRange" : "[3.8.4,3.8.4]", + "severity" : 7.8, + "cveName" : "CVE-2020-15523", + "description" : "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). 
NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15523" +}, { + "versionRange" : "[3.7.0,3.7.3)", + "severity" : 7.5, + "cveName" : "CVE-2019-5010", + "description" : "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-5010" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 7.1, + "cveName" : "CVE-2013-7338", + "description" : "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7338" +}, { + "versionRange" : "[3.8.0,3.8.8)", + "severity" : 5.9, + "cveName" : "CVE-2021-23336", + "description" : "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. 
This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-23336" +}, { + "versionRange" : "(,2.5.2]", + "severity" : 5.0, + "cveName" : "CVE-2008-3144", + "description" : "Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-3144" +}, { + "versionRange" : "[3.4.0,3.4.9]", + "severity" : 7.5, + "cveName" : "CVE-2018-14647", + "description" : "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. 
The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-14647" +}, { + "versionRange" : "[2.5.6,2.5.6]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.2.1,3.2.1]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.3.0,3.3.0]", + "severity" : 7.1, + "cveName" : "CVE-2013-7338", + "description" : "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7338" +}, { + "versionRange" : "[2.6.2,2.6.2]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site 
scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.7.0,3.7.10)", + "severity" : 5.7, + "cveName" : "CVE-2021-3426", + "description" : "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3426" +}, { + "versionRange" : "[2.6.0,2.6.6)", + "severity" : 5.0, + "cveName" : "CVE-2010-1634", + "description" : "Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. 
NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-1634" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 1.9, + "cveName" : "CVE-2011-4944", + "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944" +}, { + "versionRange" : "[3.5.0,3.5.10)", + "severity" : 7.8, + "cveName" : "CVE-2020-15523", + "description" : "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). 
NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-15523" +}, { + "versionRange" : "[3.2.2,3.2.2]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "(,2.6.6)", + "severity" : 6.9, + "cveName" : "CVE-2008-5983", + "description" : "Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-5983" +}, { + "versionRange" : "[3.3,3.3]", + "severity" : 4.3, + "cveName" : "CVE-2013-7040", + "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040" +}, { + "versionRange" : "[2.3.7,2.3.7]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.3.6,3.3.6]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { 
+ "versionRange" : "(,2.7.14]", + "severity" : 3.6, + "cveName" : "CVE-2018-1000030", + "description" : "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1000030" +}, { + "versionRange" : "[3.11.0,3.11.4]", + "severity" : 7.5, + "cveName" : "CVE-2023-41105", + "description" : "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. 
There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-41105" +}, { + "versionRange" : "[2.0.1,2.0.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.6.2,2.6.2]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.1.1,3.1.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "(,3.6.3]", + "severity" : 8.8, + "cveName" : "CVE-2017-17522", + "description" : "Lib/webbrowser.py in Python through 3.6.3 does not validate strings before 
launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2017-17522" +}, { + "versionRange" : "[3.0.0,3.5.8)", + "severity" : 6.1, + "cveName" : "CVE-2019-16935", + "description" : "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16935" +}, { + "versionRange" : "[3.7.0,3.7.14)", + "severity" : 7.5, + "cveName" : "CVE-2018-25032", + "description" : "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.3.0,3.3.7)", + "severity" : 6.1, + "cveName" : "CVE-2016-1000110", + "description" : "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI 
script, which could allow a remote attacker to redirect HTTP requests.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110" +}, { + "versionRange" : "[3.7.0,3.7.12)", + "severity" : 6.8, + "cveName" : "CVE-2013-0340", + "description" : "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-0340" +}, { + "versionRange" : "[3.1.3,3.1.3]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.1.4,3.1.4]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.10.0,3.10.0]", + "severity" : 5.3, + "cveName" : "CVE-2021-4189", + "description" : "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client 
library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-4189" +}, { + "versionRange" : "[3.1.0,3.1.3)", + "severity" : 6.9, + "cveName" : "CVE-2008-5983", + "description" : "Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-5983" +}, { + "versionRange" : "[3.1.0,3.1.5)", + "severity" : 4.3, + "cveName" : "CVE-2012-0876", + "description" : "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0876" +}, { + "versionRange" : "[3.7.0,3.7.11)", + "severity" : 6.5, + "cveName" : "CVE-2021-3733", + "description" : "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. 
The greatest threat that this flaw poses is to application availability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3733" +}, { + "versionRange" : "[3.7.0,3.7.4)", + "severity" : 9.8, + "cveName" : "CVE-2019-10160", + "description" : "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10160" +}, { + "versionRange" : "[3.4.0,3.4.10)", + "severity" : 7.5, + "cveName" : "CVE-2019-5010", + "description" : "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-5010" +}, { + "versionRange" : "[3.7.0,3.7.9]", + "severity" : 9.8, + "cveName" : "CVE-2021-3177", + "description" : "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. 
This occurs because sprintf is used unsafely.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3177" +}, { + "versionRange" : "[2.6.0,2.6.6)", + "severity" : 5.0, + "cveName" : "CVE-2010-2089", + "description" : "The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-2089" +}, { + "versionRange" : "[3.6.0,3.6.9)", + "severity" : 9.8, + "cveName" : "CVE-2019-10160", + "description" : "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. 
The result of an attack may vary based on the application.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-10160" +}, { + "versionRange" : "[2.1.2,2.1.2]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.2.2,2.2.2]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[2.6.5,2.6.5]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.7.0,3.7.11)", + "severity" : 7.5, + "cveName" : "CVE-2022-0391", + "description" : "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. 
The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0391" +}, { + "versionRange" : "[3.4.1,3.4.1]", + "severity" : 9.8, + "cveName" : "CVE-2016-5636", + "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636" +}, { + "versionRange" : "[3.5.0,3.5.6)", + "severity" : 7.5, + "cveName" : "CVE-2018-1060", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. 
An attacker could use this flaw to cause denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1060" +}, { + "versionRange" : "[2.3.5,2.3.5]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[3.9.0,3.9.5)", + "severity" : 9.8, + "cveName" : "CVE-2021-29921", + "description" : "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. 
This (in some situations) allows attackers to bypass access control that is based on IP addresses.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-29921" +}, { + "versionRange" : "[3.3.0,3.3.0]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.9.0,3.9.11)", + "severity" : 9.8, + "cveName" : "CVE-2019-12900", + "description" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-12900" +}, { + "versionRange" : "[3.0.0,3.5.10)", + "severity" : 7.2, + "cveName" : "CVE-2020-26116", + "description" : "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-26116" +}, { + "versionRange" : "[2.3.4,2.3.4]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { 
+ "versionRange" : "[2.6.8,2.6.8]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.9.0,3.9.13)", + "severity" : 7.5, + "cveName" : "CVE-2018-25032", + "description" : "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" +}, { + "versionRange" : "[3.3,3.3]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.5.0,3.5.4)", + "severity" : 8.1, + "cveName" : "CVE-2016-4472", + "description" : "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-4472" +}, { + "versionRange" : "[3.5.0,3.5.3)", + "severity" : 7.5, + "cveName" : "CVE-2016-2183", + "description" : "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-2183" +}, { + "versionRange" : "(3.6.0,3.6.5)", + "severity" : 7.5, + "cveName" : "CVE-2018-1060", + "description" : "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-1060" +}, { + "versionRange" : "[2.6.7,2.6.7]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "(,2.5.2]", + "severity" : 7.5, + "cveName" : "CVE-2008-2315", + "description" : "Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. 
NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2008-2315" +}, { + "versionRange" : "[2.6.1,2.6.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.3.7,2.3.7]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[2.6.5,2.6.5]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.4.6,2.4.6]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[3.7.0,3.7.3)", + "severity" : 9.8, + "cveName" : "CVE-2019-9636", + "description" : "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-9636" +}, { + "versionRange" : "(,2.7.11]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[2.3.1,2.3.1]", + "severity" : 6.4, + "cveName" : "CVE-2011-1521", + "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a 
crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521" +}, { + "versionRange" : "[2.6.6,2.6.6]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.7.0,2.7.8)", + "severity" : 9.8, + "cveName" : "CVE-2014-4650", + "description" : "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-4650" +}, { + "versionRange" : "[3.0.0,3.0.1]", + "severity" : 7.5, + "cveName" : "CVE-2019-16056", + "description" : "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" +}, { + "versionRange" : "[2.1.2,2.1.2]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.2.4,3.2.4]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[2.6.2,2.6.2]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.2.0,3.2.4)", + "severity" : 6.4, + "cveName" : "CVE-2012-2135", + "description" : "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service 
(memory corruption and crash) via unspecified vectors.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-2135" +}, { + "versionRange" : "[2.6.4,2.6.4]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[2.6.3,2.6.3]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.8.0,3.8.4)", + "severity" : 5.9, + "cveName" : "CVE-2020-14422", + "description" : "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. 
This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-14422" +}, { + "versionRange" : "[3.2.3,3.2.3]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.9.0,3.9.1)", + "severity" : 9.8, + "cveName" : "CVE-2020-27619", + "description" : "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-27619" +}, { + "versionRange" : "[2.2.2,2.2.2]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.3.1,3.3.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 
2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.6.0,3.6.12)", + "severity" : 7.5, + "cveName" : "CVE-2019-20907", + "description" : "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-20907" +}, { + "versionRange" : "[2.3.7,2.3.7]", + "severity" : 5.0, + "cveName" : "CVE-2012-0845", + "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845" +}, { + "versionRange" : "[2.7.0,2.7.15]", + "severity" : 7.5, + "cveName" : "CVE-2018-14647", + "description" : "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. 
This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-14647" +}, { + "versionRange" : "[2.7.1,2.7.1]", + "severity" : 4.3, + "cveName" : "CVE-2013-4238", + "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238" +}, { + "versionRange" : "[3.8.0,3.8.13)", + "severity" : 6.5, + "cveName" : "CVE-2016-3189", + "description" : "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-3189" +}, { + "versionRange" : "[3.0,3.1.2)", + "severity" : 5.0, + "cveName" : "CVE-2010-3492", + "description" : "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2010-3492" +}, { + "versionRange" : "[2.7.0,2.7.17)", + "severity" : 6.1, + 
"cveName" : "CVE-2019-16935", + "description" : "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-16935" +}, { + "versionRange" : "[3.4,3.4]", + "severity" : 7.5, + "cveName" : "CVE-2014-1912", + "description" : "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-1912" +}, { + "versionRange" : "[3.5.0,3.5.8)", + "severity" : 7.5, + "cveName" : "CVE-2019-15903", + "description" : "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" +}, { + "versionRange" : "[2.3.1,2.3.1]", + "severity" : 5.0, + "cveName" : "CVE-2012-1150", + "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150" +}, { + "versionRange" : "[3.2.1,3.2.1]", + "severity" : 5.8, + "cveName" : "CVE-2014-9365", + "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, 
and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 5.9, + "cveName" : "CVE-2013-7440", + "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440" +}, { + "versionRange" : "[3.8.0,3.8.11)", + "severity" : 7.5, + "cveName" : "CVE-2022-0391", + "description" : "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. 
This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0391" +}, { + "versionRange" : "[2.3.2,2.3.2]", + "severity" : 2.6, + "cveName" : "CVE-2011-4940", + "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940" +}, { + "versionRange" : "[3.4.0,3.4.0]", + "severity" : 6.1, + "cveName" : "CVE-2016-5699", + "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699" +}, { + "versionRange" : "[2.0,2.7.16]", + "severity" : 5.3, + "cveName" : "CVE-2018-20852", + "description" : "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. 
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-20852" +}, { + "versionRange" : "[3.0.1,3.0.1]", + "severity" : 6.5, + "cveName" : "CVE-2016-0772", + "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772" +}, { + "versionRange" : "[3.5.0,3.5.7)", + "severity" : 5.3, + "cveName" : "CVE-2018-20852", + "description" : "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. 
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-20852"
+}, {
+ "versionRange" : "[3.2.5,3.2.5]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2016-0772",
+ "description" : "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
+}, {
+ "versionRange" : "[3.7.0,3.7.6]",
+ "severity" : 6.5,
+ "cveName" : "CVE-2020-8492",
+ "description" : "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-8492"
+}, {
+ "versionRange" : "[2.3.2,2.3.2]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[2.7.7,2.7.7]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check
the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[2.4.3,2.4.3]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-0845",
+ "description" : "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
+}, {
+ "versionRange" : "[2.6.2,2.6.2]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-4238",
+ "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
+}, {
+ "versionRange" : "[3.0.1,3.0.1]",
+ "severity" : 6.4,
+ "cveName" : "CVE-2011-1521",
+ "description" : "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
+}, {
+ "versionRange" : "[3.0.1,3.0.1]",
+ "severity"
: 4.3,
+ "cveName" : "CVE-2013-7040",
+ "description" : "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
+}, {
+ "versionRange" : "[2.0,2.7.17]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2019-18348",
+ "description" : "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-18348"
+}, {
+ "versionRange" : "[3.8.0,3.8.15]",
+ "severity" : 7.6,
+ "cveName" : "CVE-2015-20107",
+ "description" : "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
The fix is also back-ported to 3.7, 3.8, 3.9",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-20107"
+}, {
+ "versionRange" : "[2.3.3,2.3.3]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "[3.8.0,3.8.2)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-48560",
+ "description" : "A use-after-free exists in Python through 3.9 via heappushpop in heapq.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-48560"
+}, {
+ "versionRange" : "[3.12.0,3.12.0]",
+ "severity" : 4.9,
+ "cveName" : "CVE-2023-6507",
+ "description" : "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\n\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process.
There is no issue when the parameter isn't used or when any value is used besides an empty list.\n\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).\n\n",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-6507"
+}, {
+ "versionRange" : "[3.6.0,3.7.16)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2022-37454",
+ "description" : "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-37454"
+}, {
+ "versionRange" : "[3.6.0,3.6.2)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-9063",
+ "description" : "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-9063"
+}, {
+ "versionRange" : "[3.9.0,3.9.5)",
+ "severity" : 6.5,
+ "cveName" : "CVE-2021-3733",
+ "description" : "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
+}, {
+ "versionRange" : "(,3.5.0]",
+ "severity" : 7.2,
+ "cveName" : "CVE-2015-5652",
+ "description" : "Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory.
NOTE: the vendor says \"It was determined that this is a longtime behavior of Python that cannot really be altered at this point.\"",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2015-5652"
+}, {
+ "versionRange" : "[2.0.1,2.0.1]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "(,2.4.2]",
+ "severity" : 3.7,
+ "cveName" : "CVE-2006-1542",
+ "description" : "Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a \"stack overflow,\" and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability.
However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2006-1542"
+}, {
+ "versionRange" : "[3.1.5,3.1.5]",
+ "severity" : 4.3,
+ "cveName" : "CVE-2013-4238",
+ "description" : "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
+}, {
+ "versionRange" : "[3.3,3.3]",
+ "severity" : 5.8,
+ "cveName" : "CVE-2014-9365",
+ "description" : "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
+}, {
+ "versionRange" : "[3.1.2,3.1.2]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle
attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[3.2.3,3.2.3]",
+ "severity" : 5.9,
+ "cveName" : "CVE-2013-7440",
+ "description" : "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
+}, {
+ "versionRange" : "[3.1.3,3.1.3]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+}, {
+ "versionRange" : "[3.7.0,3.7.3)",
+ "severity" : 5.3,
+ "cveName" : "CVE-2018-20852",
+ "description" : "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker.
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-20852"
+}, {
+ "versionRange" : "[2.6.8,2.6.8]",
+ "severity" : 1.9,
+ "cveName" : "CVE-2011-4944",
+ "description" : "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
+}, {
+ "versionRange" : "[2.3.5,2.3.5]",
+ "severity" : 2.6,
+ "cveName" : "CVE-2011-4940",
+ "description" : "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
+}, {
+ "versionRange" : "[3.8.0,3.8.8)",
+ "severity" : 5.7,
+ "cveName" : "CVE-2021-3426",
+ "description" : "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality.
This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
+}, {
+ "versionRange" : "[3.2.5,3.2.5]",
+ "severity" : 6.1,
+ "cveName" : "CVE-2016-5699",
+ "description" : "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
+}, {
+ "versionRange" : "[3.8.0,3.8.11)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2021-3737",
+ "description" : "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
+}, {
+ "versionRange" : "[2.3.4,2.3.4]",
+ "severity" : 5.0,
+ "cveName" : "CVE-2012-1150",
+ "description" : "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
+}, {
+ "versionRange" : "(,2.3.5)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2005-0089",
+ "description" : "The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via
dotted attributes.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2005-0089"
+}, {
+ "versionRange" : "[3.3.4,3.3.4]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2016-5636",
+ "description" : "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
+} ]
diff --git a/quarkus/quarkus/security.json b/quarkus/quarkus/security.json
new file mode 100644
index 000000000..ce63fe09e
--- /dev/null
+++ b/quarkus/quarkus/security.json
@@ -0,0 +1,133 @@
+[ {
+ "versionRange" : "(,2.16.11)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2023-4853",
+ "description" : "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
+}, {
+ "versionRange" : "[3.0.0,3.2.9)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2023-6267",
+ "description" : "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-6267"
+}, {
+ "versionRange" : "[2.10.0,2.10.4)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2022-2466",
+ "description" : "It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-2466"
+}, {
+ "versionRange" : "(,2.13.0)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-42004",
+ "description" : "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
An application is vulnerable only with certain customized choices for deserialization.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
+}, {
+ "versionRange" : "[3.3.0,3.3.3)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2023-4853",
+ "description" : "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
+}, {
+ "versionRange" : "(,2.16.1)",
+ "severity" : 3.3,
+ "cveName" : "CVE-2023-0481",
+ "description" : "In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-0481"
+}, {
+ "versionRange" : "(,2.13.9)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2023-6267",
+ "description" : "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-6267"
+}, {
+ "versionRange" : "(,2.13.7)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2023-0044",
+ "description" : "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure.
This attack can be prevented with the Quarkus CSRF Prevention feature.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-0044"
+}, {
+ "versionRange" : "(,2.7.0)",
+ "severity" : 6.6,
+ "cveName" : "CVE-2022-21363",
+ "description" : "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-21363"
+}, {
+ "versionRange" : "(,2.13.5)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2022-4116",
+ "description" : "A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-4116"
+}, {
+ "versionRange" : "[3.0.1,3.2.8)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-5720",
+ "description" : "A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-5720"
+}, {
+ "versionRange" : "[2.14.0,2.14.2)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2022-4116",
+ "description" : "A vulnerability was found in quarkus.
This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-4116"
+}, {
+ "versionRange" : "(,2.13.8)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2023-1584",
+ "description" : "A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-1584"
+}, {
+ "versionRange" : "(,3.6.0)",
+ "severity" : 9.1,
+ "cveName" : "CVE-2023-6394",
+ "description" : "A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-6394"
+}, {
+ "versionRange" : "[2.13.9,2.13.9]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2023-6267",
+ "description" : "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied.
This does not happen with configuration based security.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-6267"
+}, {
+ "versionRange" : "(,2.13.3)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-42003",
+ "description" : "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
+}, {
+ "versionRange" : "[2.14.0,2.14.2)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-4147",
+ "description" : "Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-4147"
+}, {
+ "versionRange" : "[3.2.0,3.2.6)",
+ "severity" : 8.1,
+ "cveName" : "CVE-2023-4853",
+ "description" : "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
+}, {
+ "versionRange" : "[3.2.9,3.2.9]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2023-6267",
+ "description" : "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied.
This does not happen with configuration based security.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-6267"
+}, {
+ "versionRange" : "(,2.7.1)",
+ "severity" : 8.8,
+ "cveName" : "CVE-2022-0981",
+ "description" : "A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-0981"
+}, {
+ "versionRange" : "(,2.7.2)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2022-21724",
+ "description" : "pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-21724"
+}, {
+ "versionRange" : "[2.0,2.13.5)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2022-4147",
+ "description" : "Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-4147"
+} ]
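Review bot: The CVE-2023-6267 entries contradict each other on whether 2.13.9 and 3.2.9 are affected: `"versionRange" : "(,2.13.9)"` and `"versionRange" : "[3.0.0,3.2.9)"` treat those versions as the fixed releases, while `"versionRange" : "[2.13.9,2.13.9]"` and `"versionRange" : "[3.2.9,3.2.9]"` mark exactly those versions vulnerable, so a consumer matching an installed 2.13.9 or 3.2.9 gets a different answer depending on which entry it hits first. If this file is generated from NVD CPE data (the `[ {` / `"key" : value` layout suggests a serializer), the generator should merge ranges per cveName, or at least flag a closed single-version range that sits on the open boundary of another range for the same CVE, and the same check applies to the python section above. Separately, CVE-2022-42003, CVE-2022-42004, CVE-2022-21363 and CVE-2022-21724 are jackson-databind, MySQL Connector/J and pgjdbc issues mapped onto Quarkus version ranges with no field naming the affected artifact, so an application on a matching Quarkus version that never ships those drivers gets a false positive; a field naming the affected component, or a separate dependency feed, would let consumers filter these.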
diff --git a/terraform/terraform/security.json b/terraform/terraform/security.json
new file mode 100644
index 000000000..0ed0323b9
--- /dev/null
+++ b/terraform/terraform/security.json
@@ -0,0 +1,19 @@
+[ {
+ "versionRange" : "(,1.12.0]",
+ "severity" : 9.8,
+ "cveName" : "CVE-2018-9057",
+ "description" : "aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2018-9057"
+}, {
+ "versionRange" : "[1.0.8,1.5.7)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2023-4782",
+ "description" : "Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-4782"
+}, {
+ "versionRange" : "(,0.12.17)",
+ "severity" : 7.5,
+ "cveName" : "CVE-2019-19316",
+ "description" : "When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-19316"
+} ]
diff --git a/vscode/vscode/security.json b/vscode/vscode/security.json
new file mode 100644
index 000000000..3b1a283fd
--- /dev/null
+++ b/vscode/vscode/security.json
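Review bot: The CVE-2018-9057 entry in terraform/terraform/security.json is matched against Terraform core with `"versionRange" : "(,1.12.0]"`, but its own description locates the flaw in `aws/resource_aws_iam_user_login_profile.go` of the Terraform AWS provider through v1.12.0, and the provider is versioned independently of core. As written, every Terraform core release up to 1.12.0 is flagged with a 9.8 regardless of which provider (if any) is in use, which is a false positive for the product this file is keyed on. The entry belongs in a feed for the AWS provider or should be dropped here; the other two entries (CVE-2023-4782 with `"[1.0.8,1.5.7)"`, CVE-2019-19316 with `"(,0.12.17)"`) are core issues and their ranges agree with their descriptions. This is the same product-versus-component mapping problem as the jackson-databind and JDBC driver entries in the quarkus section above.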
@@ -0,0 +1,193 @@
+[ {
+ "versionRange" : "(,1.55.2)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-28475",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28475"
+}, {
+ "versionRange" : "(,1.55.2)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-28473",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28473"
+}, {
+ "versionRange" : "(,2020.5.0)",
+ "severity" : 8.8,
+ "cveName" : "CVE-2020-1171",
+ "description" : "A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads configuration files after opening a project, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1192.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-1171"
+}, {
+ "versionRange" : "(,1.56.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-31214",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-31214"
+}, {
+ "versionRange" : "(,1.55.2)",
+ "severity" : 7.0,
+ "cveName" : "CVE-2021-28477",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28477"
+}, {
+ "versionRange" : "(,2.0.1)",
+ "severity" : 9.8,
+ "cveName" : "CVE-2021-28967",
+ "description" : "The unofficial MATLAB extension before 2.0.1 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace because of lint configuration settings.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28967"
+}, {
+ "versionRange" : "(,1.79)",
+ "severity" : 6.6,
+ "cveName" : "CVE-2023-33144",
+ "description" : "Visual Studio Code Spoofing Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-33144"
+}, {
+ "versionRange" : "(,0.72.0)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2020-17159", + "description" : "Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-17159" +}, { + "versionRange" : "(,1.78.1)", + "severity" : 6.6, + "cveName" : "CVE-2023-29338", + "description" : "Visual Studio Code Spoofing Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-29338" +}, { + "versionRange" : "(,1.77.0)", + "severity" : 7.8, + "cveName" : "CVE-2023-24893", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-24893" +}, { + "versionRange" : "(,1.63.2)", + "severity" : 7.8, + "cveName" : "CVE-2021-43891", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-43891" +}, { + "versionRange" : "(,1.56.1)", + "severity" : 7.8, + "cveName" : "CVE-2021-31211", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-31211" +}, { + "versionRange" : "(,1.55.2)", + "severity" : 7.8, + "cveName" : "CVE-2021-28457", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28457" +}, { + "versionRange" : "(,1.67.1)", + "severity" : 8.8, + "cveName" : "CVE-2022-30129", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-30129" +}, { + "versionRange" : "(,1.55.2)", + "severity" : 7.8, + "cveName" : "CVE-2021-28469", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28469" +}, { + "versionRange" : "(,0.61.0)", + "severity" : 7.8, + "cveName" : "CVE-2020-17148", + "description" : "Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability", + "nistUrl" : 
"https://nvd.nist.gov/vuln/detail/CVE-2020-17148" +}, { + "versionRange" : "(,1.58.1)", + "severity" : 7.8, + "cveName" : "CVE-2021-34479", + "description" : "Microsoft Visual Studio Spoofing Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-34479" +}, { + "versionRange" : "(,1.82.1)", + "severity" : 7.8, + "cveName" : "CVE-2023-36742", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-36742" +}, { + "versionRange" : "(,2012]", + "severity" : 6.8, + "cveName" : "CVE-2014-3802", + "description" : "msdia.dll in Microsoft Debug Interface Access (DIA) SDK, as distributed in Microsoft Visual Studio before 2013, does not properly validate an unspecified variable before use in calculating a dynamic-call address, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDB file.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2014-3802" +}, { + "versionRange" : "(,1.39)", + "severity" : 7.8, + "cveName" : "CVE-2019-1414", + "description" : "An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka 'Visual Studio Code Elevation of Privilege Vulnerability'.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2019-1414" +}, { + "versionRange" : "(,1.55.2)", + "severity" : 7.8, + "cveName" : "CVE-2021-28471", + "description" : "Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-28471" +}, { + "versionRange" : "(,1.72.1)", + "severity" : 7.8, + "cveName" : "CVE-2022-41034", + "description" : "Visual Studio Code Remote Code Execution Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-41034" +}, { + "versionRange" : "(,1.47.1)", + "severity" : 8.8, + "cveName" : "CVE-2020-1416", + "description" : "An elevation of 
privilege vulnerability exists in Visual Studio and Visual Studio Code when they load software dependencies, aka 'Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability'.",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-1416"
+}, {
+ "versionRange" : "(,1.48.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2020-16881",
+ "description" : "

A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

\n

To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious 'package.json' file.

\n

The update address the vulnerability by modifying the way Visual Studio Code handles JSON files.

\n", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-16881" +}, { + "versionRange" : "(,2020.5.0)", + "severity" : 7.8, + "cveName" : "CVE-2020-1192", + "description" : "A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1171.", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-1192" +}, { + "versionRange" : "(,1.16.2)", + "severity" : 7.8, + "cveName" : "CVE-2021-42322", + "description" : "Visual Studio Code Elevation of Privilege Vulnerability", + "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-42322" +}, { + "versionRange" : "(,0.24.0)", + "severity" : 7.8, + "cveName" : "CVE-2020-0604", + "description" : "A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\nTo exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. 
Attacker-specified code would execute when the target opened the integrated terminal.\nThe update address the vulnerability by modifying the way Visual Studio Code handles environment variables.\n",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-0604"
+}, {
+ "versionRange" : "(,1.3.0)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2020-17150",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2020-17150"
+}, {
+ "versionRange" : "(,1.57.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-34529",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-34529"
+}, {
+ "versionRange" : "(,1.74.3)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2023-21779",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2023-21779"
+}, {
+ "versionRange" : "(,1.58.1)",
+ "severity" : 7.8,
+ "cveName" : "CVE-2021-34528",
+ "description" : "Visual Studio Code Remote Code Execution Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2021-34528"
+}, {
+ "versionRange" : "(,1.65.2)",
+ "severity" : 6.1,
+ "cveName" : "CVE-2022-24526",
+ "description" : "Visual Studio Code Spoofing Vulnerability",
+ "nistUrl" : "https://nvd.nist.gov/vuln/detail/CVE-2022-24526"
+} ]
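Review bot: The `description` value of the CVE-2020-16881 entry appears to span several physical lines — the text between `"description" : "` and `\n",` is printed across separate lines with blank lines between them — and a strict JSON parser rejects a string literal that contains an unescaped line break, whereas the other multi-paragraph entry in this hunk (CVE-2020-0604) keeps its breaks as the `\n` escape on a single line. If those breaks are present in the committed file rather than being an artifact of how the diff was rendered, the whole file fails to load and none of the VS Code entries are ever checked, which is a silent loss of coverage rather than a visible error. Re-serialise the entry with the breaks escaped and validate the file with `python -m json.tool` or `jq .` before merge; if it is only a rendering artifact this can be disregarded.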