aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities. Users are strongly advised to upgrade to dpaste release v3.8 or later versions, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability. No known workarounds have been identified, and applying the patch is the most effective way to remediate the vulnerability.

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserialization attack that will affect any user who initializes GoogleAuth from this package while a malicious YAML file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc` which is included in release version `1.16.2`. There are no known workarounds for this vulnerability.

SAP BTP Security Services Integration Library (sap-xssec) - versions = 5.13.1.

A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.

When using the `extra_groups=` parameter with an empty list as a value (i.e. `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original process's groups before starting the new process. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).
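The cryptography entry above describes a NULL-pointer dereference in a native parser, which a Python `try`/`except` cannot catch: the interpreter itself dies. Until the upgrade to 41.0.6 lands everywhere, a service that must accept PKCS7 from untrusted clients can run the parser in a forked child so that a crash surfaces as an exception instead of taking the worker down. The following is an added example, not code from cryptography or from the page; `fake_pkcs7_parser`, `GOOD_BLOB` and `CRASHING_BLOB` are constructed stand-ins (the real `load_der_pkcs7_certificates` would be passed as `parse`), and the approach is POSIX-only because it relies on the `fork` start method.

```python
import multiprocessing as mp
import os
import signal


class UntrustedParseError(Exception):
    """Raised in place of letting a parser crash take the whole service down."""


def _worker(parse, blob, conn):
    """Child side: run the parser and send back either a value or an error."""
    try:
        conn.send(("ok", parse(blob)))
    except Exception as exc:  # Python-level failure, as opposed to a segfault
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def parse_isolated(parse, blob, timeout=10.0):
    """Run parse(blob) in a forked child; a crash or hang becomes UntrustedParseError."""
    ctx = mp.get_context("fork")  # fork: parse() and blob need not be picklable
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(parse, blob, child_conn))
    proc.start()
    child_conn.close()  # only the child now holds the write end

    result = None
    if parent_conn.poll(timeout):
        try:
            result = parent_conn.recv()
        except EOFError:
            result = None  # write end closed without data: the child died
    parent_conn.close()

    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        raise UntrustedParseError("parser timed out")
    if proc.exitcode is not None and proc.exitcode < 0:
        # A negative exit code is the signal that killed the child (SIGSEGV for a NULL deref).
        sig = signal.Signals(-proc.exitcode).name
        raise UntrustedParseError(f"parser was killed by {sig}")
    if result is None:
        raise UntrustedParseError(f"parser produced no result (exit code {proc.exitcode})")
    status, payload = result
    if status == "error":
        raise UntrustedParseError(payload)
    return payload


# Constructed stand-in for a native PKCS7 loader (hypothetical, not cryptography's API):
# it "counts certificates" in a toy format and, for one marked input, kills itself
# with SIGSEGV to mimic the NULL-pointer dereference described in the advisory.
def fake_pkcs7_parser(blob):
    if blob.startswith(b"PKCS7:"):
        return blob[len(b"PKCS7:"):].count(b"CERT")
    if blob == b"TRIGGER-NULL-DEREF":
        os.kill(os.getpid(), signal.SIGSEGV)
    raise ValueError("not a PKCS7 blob")


GOOD_BLOB = b"PKCS7:CERT,CERT"        # constructed sample input
CRASHING_BLOB = b"TRIGGER-NULL-DEREF"  # constructed sample input


if __name__ == "__main__":
    print("good blob ->", parse_isolated(fake_pkcs7_parser, GOOD_BLOB))
    for blob in (CRASHING_BLOB, b"garbage"):
        try:
            parse_isolated(fake_pkcs7_parser, blob)
        except UntrustedParseError as exc:
            print(f"{blob!r} -> rejected: {exc}")
```

The child holds nothing but the blob and the parser, so a crash there loses one request rather than every in-flight connection; the timeout also bounds a parser that spins instead of crashing. Forking per request is not free, so a long-lived pool of isolated workers is the usual production shape, but the failure handling is the same.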
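The dpaste entry above is a reflected XSS through a POST parameter: a rejected `expires` value is handed back to the browser inside HTML without encoding. The following is an added example, not dpaste's code, showing the vulnerable shape of such an API error handler beside a hardened one, plus the black-box probe a tester would use to tell them apart. `ALLOWED_EXPIRES`, the view functions and `XSS_PAYLOAD` are assumptions for illustration, not dpaste's actual choices or implementation.

```python
import html
import json

# Assumed expiry choices (illustrative; dpaste's real accepted values may differ).
ALLOWED_EXPIRES = {"onetime", "3600", "86400", "604800", "never"}

# Constructed probe value a tester would POST in the expires field.
XSS_PAYLOAD = '<script>alert(document.cookie)</script>'


def vulnerable_api_view(post_data):
    """Vulnerable shape: the rejected parameter is echoed verbatim into HTML."""
    expires = post_data.get("expires", "")
    if expires not in ALLOWED_EXPIRES:
        body = f"<p>Invalid expires value: {expires}</p>"  # attacker-controlled, unescaped
        return 400, "text/html", body
    return 201, "text/plain", "https://paste.example.invalid/abc"


def hardened_api_view(post_data):
    """Hardened shape: validate first, and encode anything that is reflected."""
    expires = post_data.get("expires", "")
    if expires not in ALLOWED_EXPIRES:
        # html.escape with quote=True neutralises both element and attribute
        # contexts; truncation keeps an oversized value from bloating the page.
        shown = html.escape(expires[:64], quote=True)
        body = f"<p>Invalid expires value: {shown}</p>"
        return 400, "text/html", body
    return 201, "text/plain", "https://paste.example.invalid/abc"


def hardened_json_api_view(post_data):
    """Strongest option for an API: do not reflect the bad input at all."""
    expires = post_data.get("expires", "")
    if expires not in ALLOWED_EXPIRES:
        body = json.dumps({"error": "invalid expires", "allowed": sorted(ALLOWED_EXPIRES)})
        return 400, "application/json", body
    return 201, "text/plain", "https://paste.example.invalid/abc"


def reflects_unescaped(view, payload=XSS_PAYLOAD):
    """Black-box check: does the view return the payload byte-for-byte in an HTML body?"""
    status, content_type, body = view({"content": "probe", "expires": payload})
    return content_type == "text/html" and payload in body


if __name__ == "__main__":
    for view in (vulnerable_api_view, hardened_api_view, hardened_json_api_view):
        print(f"{view.__name__}: reflects unescaped = {reflects_unescaped(view)}")
```

The probe only checks the element context; a real test suite would also send `"` and `'` based payloads in case the value lands inside an attribute, which is why the hardened view escapes with `quote=True` rather than relying on the allowlist alone.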
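The PyDrive2 entry above is the classic PyYAML deserialization problem: a loader that honours `!!python/...` tags will import modules and call functions while building the document, so merely parsing an attacker's file runs their code. The following is an added example, not PyDrive2's code, of a settings loader that only ever uses the SafeLoader and only reads a file it is explicitly given. It requires PyYAML to be installed; the settings keys and both YAML documents are constructed for illustration and are not PyDrive2's schema.

```python
import yaml  # PyYAML (assumed installed)

# Constructed benign settings document; key names are illustrative only.
BENIGN_SETTINGS = """\
client_config_backend: file
client_config_file: client_secrets.json
save_credentials: true
"""

# Constructed malicious document. With yaml.load(text, Loader=yaml.Loader) (or
# yaml.UnsafeLoader) the tag makes the loader call os.system() during parsing,
# before any application code has looked at a single key.
MALICIOUS_SETTINGS = """\
client_config_backend: !!python/object/apply:os.system ["touch /tmp/pwned-by-yaml"]
"""


class SettingsError(ValueError):
    """Settings file was rejected (malformed, wrong shape, or forbidden tags)."""


def load_settings_text(text):
    """Parse settings with the SafeLoader: python/* tags raise instead of executing."""
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        # ConstructorError for an unknown tag is a YAMLError subclass.
        raise SettingsError(f"refusing settings document: {exc}") from None
    if not isinstance(data, dict):
        raise SettingsError("settings must be a mapping at the top level")
    return data


def load_settings_file(path):
    """Load from an explicitly named file only.

    Never probe the current working directory for a default settings file:
    the advisory's point is that an attacker only needs to drop a file where
    the library looks, not to get the application to reference it.
    """
    with open(path, "r", encoding="utf-8") as fh:
        return load_settings_text(fh.read())


if __name__ == "__main__":
    print("benign   ->", load_settings_text(BENIGN_SETTINGS))
    try:
        load_settings_text(MALICIOUS_SETTINGS)
    except SettingsError as exc:
        print("malicious ->", exc)
```

`yaml.safe_load` is the whole fix for the tag problem; the explicit-path rule addresses the second half of the advisory, that the file only has to be present in the working directory. If the project must keep an implicit default location, it should at least be under the user's configuration directory rather than wherever the process happens to be started.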
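The CPython entry above concerns the `extra_groups` parameter of `subprocess.Popen` (and therefore `subprocess.run`): on the affected release, `extra_groups=[]` silently left the child with the parent's supplementary groups. Because the symptom is "nothing happens", the reliable way to confirm an interpreter's behaviour is to spawn a child with `extra_groups=[]` and look at what `os.getgroups()` reports there. The following is an added example, not CPython's code; it is POSIX-only, and the status strings and `CHILD_CODE` are this example's own conventions.

```python
import os
import subprocess
import sys

# Runs in the child: report its supplementary group IDs, space separated.
CHILD_CODE = "import os; print(' '.join(str(g) for g in os.getgroups()))"


def is_affected_interpreter(version_info=sys.version_info):
    """Per the advisory only 3.12.0 regressed; 3.12.1 and other stable series are fine."""
    return tuple(version_info[:3]) == (3, 12, 0)


def probe_extra_groups_drop():
    """Behavioural check of extra_groups=[] on the running interpreter.

    Returns one of:
      'dropped'       child ran with no supplementary groups (fixed behaviour, privileged)
      'unprivileged'  setgroups() was attempted and refused (fixed behaviour, not root)
      'not-dropped'   child inherited the parent's groups (the regressed behaviour)
      'inconclusive'  nothing to observe (parent has no groups, or an unexpected set)
      'unsupported'   platform or sandbox does not allow the probe
    """
    if os.name != "posix":
        return "unsupported"
    parent_groups = set(os.getgroups())
    if not parent_groups:
        return "inconclusive"
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_CODE],
            extra_groups=[],  # the exact value whose handling regressed
            capture_output=True, text=True, timeout=30, check=False,
        )
    except PermissionError:
        # A fixed interpreter calls setgroups() in the child; without CAP_SETGID that
        # fails with EPERM, which subprocess re-raises here. The regressed release never
        # makes the call, so it cannot produce this error.
        return "unprivileged"
    except (OSError, ValueError, subprocess.SubprocessError):
        return "unsupported"
    if proc.returncode != 0:
        return "unsupported"
    child_groups = {int(tok) for tok in proc.stdout.split()}
    if not child_groups:
        return "dropped"
    if child_groups == parent_groups:
        return "not-dropped"
    return "inconclusive"


if __name__ == "__main__":
    print(f"Python {sys.version.split()[0]}: affected per advisory = {is_affected_interpreter()}")
    print("extra_groups=[] probe:", probe_extra_groups_drop())
```

Run the probe as the same user the service runs as: as root the distinguishing answers are `dropped` versus `not-dropped`, as an unprivileged user they are `unprivileged` versus `not-dropped`, and in both cases `not-dropped` means the child kept every group the parent had, which is exactly the privilege-dropping failure the advisory describes.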