Vulnerabilities > Python > Critical

DATE CVE VULNERABILITY TITLE RISK
2019-06-07 CVE-2019-10160 A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL.
network
low complexity
python redhat debian opensuse fedoraproject canonical netapp
critical
9.8
2019-03-23 CVE-2019-9948 Path Traversal vulnerability in multiple products
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
network
low complexity
python opensuse debian fedoraproject canonical redhat CWE-22
critical
9.1
2019-03-08 CVE-2019-9636 Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization.
network
low complexity
python fedoraproject opensuse debian canonical redhat oracle
critical
9.8
2018-12-11 CVE-2018-20060 urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme).
network
low complexity
python fedoraproject
critical
9.8
2018-09-18 CVE-2018-1000802 Command Injection vulnerability in multiple products
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive.
network
low complexity
python debian canonical opensuse CWE-77
critical
9.8
2018-06-11 CVE-2016-9063 Integer Overflow or Wraparound vulnerability in multiple products
An integer overflow during the parsing of XML using the Expat library.
network
low complexity
mozilla debian python CWE-190
critical
9.8
2017-11-17 CVE-2017-1000158 Integer Overflow or Wraparound vulnerability in multiple products
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
network
low complexity
python debian CWE-190
critical
9.8
2017-06-14 CVE-2017-2810 Unspecified vulnerability in Python Tablib 0.11.4
An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4.
network
low complexity
python
critical
9.8
2016-09-02 CVE-2016-5636 Integer Overflow or Wraparound vulnerability in Python
Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
network
low complexity
python CWE-190
critical
9.8
2016-05-26 CVE-2016-0718 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
9.8