Vulnerabilities > Python

DATE CVE VULNERABILITY TITLE RISK
2014-12-12 CVE-2014-9365 TLS Certificate Validation Security Bypass vulnerability in Python
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
network
python apple
5.8
2014-11-16 CVE-2014-2667 Race Condition vulnerability in Python
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
local
python CWE-362
3.3
2014-10-15 CVE-2014-1830 Information Exposure vulnerability in multiple products
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
network
low complexity
opensuse python CWE-200
5.0
2014-10-15 CVE-2014-1829 Information Exposure vulnerability in multiple products
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
network
low complexity
debian python canonical mageia CWE-200
5.0
2014-10-08 CVE-2014-7185 Numeric Errors vulnerability in multiple products
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
network
low complexity
python apple CWE-189
6.4
2014-08-25 CVE-2014-3589 Improper Input Validation vulnerability in multiple products
PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.
network
low complexity
debian python opensuse CWE-20
5.0
2014-06-05 CVE-2014-0224 Inadequate Encryption Strength vulnerability in multiple products
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
7.4
2014-05-19 CVE-2013-7040 Cryptographic Issues vulnerability in multiple products
Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
network
apple python CWE-310
4.3
2014-04-27 CVE-2014-3007 OS Command Injection vulnerability in multiple products
Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.
network
low complexity
python pythonware CWE-78
critical
10.0
2014-04-22 CVE-2013-7338 Improper Input Validation vulnerability in multiple products
Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
network
python apple CWE-20
7.1