Search CVE reports
1 – 10 of 43 results
msgpack is the Python implementation of the MessagePack serializer (msgpack.org). Prior to 1.2.1, there is an out-of-bounds read/crash when an Unpacker is reused after a caught error, potentially leading to a DoS attack. If the Unpacker is...
3 affected packages
python-msgpack, python-pip, python-srsly
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-msgpack | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-srsly | Needs evaluation | Needs evaluation | Not in release | — | — |
urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the...
2 affected packages
python-urllib3, python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-urllib3 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
The idna package provides Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing support for Python. In versions prior to 3.15, payloads such as...
2 affected packages
python-idna, python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-idna | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
pip would treat console_scripts and gui_scripts entry point names as paths instead of file names, without sanitizing the resolved absolute path against the installation directory, so entry points could be installed outside the installation directory.
1 affected package
python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
Some fixes available (1 of 8)
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was...
2 affected packages
python-pip, python-urllib3
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-urllib3 | Fixed | Not affected | Not affected | Not affected | Not affected |
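Both urllib3 entries above (the Brotli streaming bypass with `preload_content=False`, and the whole-response decompression on a second `read(amt=N)`) are the same failure mode: a small compressed body expands to far more than the caller asked for in one call. The following is an added example, not urllib3's code, showing the invariant a streaming reader has to keep. It uses zlib/deflate from the standard library rather than Brotli, `BoundedInflater`, `drain` and `exceeds_budget` are hypothetical helpers, and the bomb body is constructed inline.

```python
import zlib

# Constructed sample body, not a real capture: 8 MiB of one byte value, which
# deflate shrinks to a few KiB. A small buffered input can therefore expand to
# far more than any single read() should ever hand back.
BOMB_PLAINTEXT = b"A" * (8 * 1024 * 1024)
BOMB_BODY = zlib.compress(BOMB_PLAINTEXT, 9)


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output exceeds the caller's budget."""


class BoundedInflater:
    """Incremental zlib/deflate decompressor (hypothetical helper, not
    urllib3's HTTPResponse). Two invariants hold no matter how much compressed
    input is buffered: read(amt) returns at most amt bytes, and the running
    total of decompressed bytes never passes max_total without an exception."""

    def __init__(self, max_total):
        self._dec = zlib.decompressobj()
        self._pending = b""          # compressed bytes zlib has not consumed
        self.max_total = max_total
        self.total_out = 0

    def feed(self, compressed):
        """Buffer compressed bytes as they arrive from the socket."""
        self._pending += compressed

    def read(self, amt):
        """Return at most amt decompressed bytes; b'' once the stream is done."""
        if self._dec.eof:
            return b""
        # max_length caps the output of this call. Input that zlib could not
        # consume within that cap comes back in unconsumed_tail and is retried
        # on the next read(); output still pending inside zlib (a long match
        # that was cut short) is produced even when _pending is empty.
        out = self._dec.decompress(self._pending, amt)
        self._pending = self._dec.unconsumed_tail
        self.total_out += len(out)
        if self.total_out > self.max_total:
            raise DecompressionLimitExceeded(
                f"decompressed {self.total_out} bytes, budget {self.max_total}")
        return out


def drain(body, amt, max_total):
    """Feed the whole compressed body, then read it back amt bytes at a time.
    Returns (number_of_reads, largest_single_read, total_decompressed)."""
    inflater = BoundedInflater(max_total)
    inflater.feed(body)
    reads = largest = total = 0
    while True:
        chunk = inflater.read(amt)
        if not chunk:
            break
        reads += 1
        largest = max(largest, len(chunk))
        total += len(chunk)
    return reads, largest, total


def exceeds_budget(body, amt, max_total):
    """True if draining the body within max_total raises the limit error."""
    try:
        drain(body, amt, max_total)
    except DecompressionLimitExceeded:
        return True
    return False
```

The point to check in any client that hands back decompressed chunks: the per-call cap (`max_length`) bounds what one `read` returns, and a separate running total bounds the whole response; either on its own leaves a path for a bomb.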
Some fixes available (4 of 15)
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these...
2 affected packages
python-pip, python-urllib3
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-urllib3 | Fixed | Fixed | Fixed | Needs evaluation | Needs evaluation |
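The entry above concerns what a client keeps sending when a redirect crosses to another origin. The description is truncated, so this added example assumes the forwarded items are credential-bearing request headers; it is not urllib3's code, the `CREDENTIAL_HEADERS` set is a hypothetical choice rather than urllib3's own default, and the request headers and redirect chain are constructed. It shows the origin comparison (scheme, host, port with defaults filled in) and that once a header is dropped on a cross-origin hop it does not come back on later hops.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical set of credential-bearing request headers; the page does not
# list which headers were forwarded, and this is not urllib3's own default.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://api.example/ and https://api.example:443/ count as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers, from_url, to_url):
    """Headers to send to the redirect target: unchanged for a same-origin hop,
    otherwise with every credential-bearing header dropped."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def walk_redirects(start_url, headers, locations):
    """Simulate following a chain of Location values offline (constructed, no
    network). Returns [(url, headers_sent), ...], one entry per hop."""
    current, sent, trail = start_url, dict(headers), []
    for location in locations:
        target = urljoin(current, location)
        sent = headers_for_redirect(sent, current, target)
        trail.append((target, sent))
        current = target
    return trail


# Constructed request and redirect chain: one same-origin hop, one hop to a
# different host, then a relative hop that stays on that second host.
REQUEST_HEADERS = {"Authorization": "Bearer example-token", "Accept": "application/json"}
CHAIN = ["/v2/items", "https://cdn.example:443/blob", "/blob2"]
```

When the low-level API is used with `assert_same_host=False`, the caller, not the pool, is the one following the redirect, so this comparison has to live in the caller's loop.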
pip prior to version 26.1 would run its self-update check after installing wheel files, which required importing well-known Python module names. These module imports were intentionally deferred to improve startup time...
1 affected package
python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
pip handles concatenated tar and ZIP files as ZIP files regardless of the filename, even when the file is both a valid tar and a valid ZIP archive. This behavior could result in confusing installation behavior, such as installing "incorrect" files...
1 affected package
python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
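A file that is both a tar and a ZIP archive is easy to build because the two formats are parsed from opposite ends: tar readers start at byte 0, ZIP readers locate the end-of-central-directory record near the end. The following is an added example, not pip's code; it constructs such a polyglot in memory, shows that each reader sees a different `pkg/__init__.py`, and adds a check that refuses input parsing as more than one format. `detect_formats`, `is_ambiguous` and `safe_names` are hypothetical helpers.

```python
import io
import tarfile
import zipfile


def make_tar(members):
    """Build an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_zip(members):
    """Build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed polyglot: a complete tar archive followed by a complete ZIP
# archive. tarfile stops at the tar end-of-archive blocks and never looks at
# the ZIP bytes; zipfile finds the central directory from the end and treats
# the tar bytes as prepended data (the self-extracting-archive case).
TAR_PART = make_tar({"pkg/__init__.py": b"print('from the tar half')\n"})
ZIP_PART = make_zip({"pkg/__init__.py": b"print('from the zip half')\n"})
POLYGLOT = TAR_PART + ZIP_PART


def tar_names(data):
    """Member names if the bytes parse as an uncompressed tar, else None."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return tf.getnames()
    except tarfile.TarError:
        return None


def zip_names(data):
    """Member names if the bytes parse as a ZIP, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def detect_formats(data):
    """Set of container formats that parse the bytes without error."""
    found = set()
    if tar_names(data) is not None:
        found.add("tar")
    if zip_names(data) is not None:
        found.add("zip")
    return found


def is_ambiguous(data):
    """True when more than one reader would accept the same bytes."""
    return len(detect_formats(data)) > 1


def safe_names(data, expected):
    """Member names, but only if the bytes parse as exactly the format the
    filename promises and as nothing else; otherwise raise."""
    formats = detect_formats(data)
    if formats != {expected}:
        raise ValueError(f"expected only {expected}, bytes parse as {sorted(formats)}")
    return tar_names(data) if expected == "tar" else zip_names(data)
```

The two halves carry different contents under the same member name, which is exactly how "incorrect" files get installed: whichever parser the installer picks decides what lands on disk, and a checksum computed over the whole file is true for both views.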
Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the...
2 affected packages
python-pip, requests
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| requests | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
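The description above is cut off before the consequence; the usual one for a predictable path in a shared temporary directory is that another local user plants a symlink there first and the extraction writes through it. The following is an added example, not requests' code: a constructed scenario in which the weak pattern overwrites a planted target, next to a hardened write that uses a fresh `mkdtemp` directory and `O_CREAT|O_EXCL|O_NOFOLLOW` so that a pre-existing path fails the open instead of being followed. `predictable_extract`, `safe_extract` and `demo` are hypothetical helpers; the scenario needs a POSIX filesystem that permits symlinks.

```python
import os
import tempfile


def predictable_extract(tmp_dir, name, data):
    """The weak pattern: a path derived only from the archive member name.
    Anyone who can create that path first (for instance as a symlink) decides
    where the bytes end up, because open() follows the link."""
    path = os.path.join(tmp_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_extract(name, data):
    """Hardened pattern: a fresh, unpredictable, mode-0700 directory from
    mkdtemp, then O_CREAT|O_EXCL|O_NOFOLLOW with mode 0600, so a file or
    symlink that already exists at the path makes the open fail."""
    out_dir = tempfile.mkdtemp(prefix="extract-")
    path = os.path.join(out_dir, os.path.basename(name))
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed scenario: an attacker plants a symlink at the predictable
    path before extraction runs. Returns (victim contents after the weak
    write, whether the safe path landed in a fresh directory, safe contents)."""
    tmp_dir = tempfile.mkdtemp(prefix="demo-")
    victim = os.path.join(tmp_dir, "victim.txt")
    with open(victim, "wb") as fh:
        fh.write(b"original\n")
    member = "cacert.pem"
    os.symlink(victim, os.path.join(tmp_dir, member))   # the attacker's move
    payload = b"attacker-controlled\n"

    predictable_extract(tmp_dir, member, payload)       # follows the symlink
    with open(victim, "rb") as fh:
        victim_after = fh.read()

    safe_path = safe_extract(member, payload)           # lands elsewhere
    with open(safe_path, "rb") as fh:
        safe_contents = fh.read()
    return victim_after, os.path.dirname(safe_path) != tmp_dir, safe_contents
```

On Linux the kernel's `fs.protected_symlinks` setting blocks some of these follows in sticky world-writable directories, but only when the symlink owner differs from the process; it is not a substitute for an unpredictable path and an exclusive create.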
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to...
1 affected package
python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
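The entry-point issue earlier on this page (scripts installed outside the installation directory) and the wheel extraction issue above are both containment checks on a path that an archive controls. The page does not show pip's check, so the following is an added example, not pip's code: a string-prefix test next to a component-wise test, run over constructed member names. It illustrates the "prefixes of the installation directory" caveat from one side, a sibling directory such as `/opt/venv-evil` that shares the string prefix of `/opt/venv` passes the naive check and fails the strict one. `target_path`, `naive_is_contained`, `is_contained` and `classify` are hypothetical helpers.

```python
import posixpath

# Constructed: a hypothetical installation directory and member names of the
# kind a crafted wheel or entry-point declaration could carry.
INSTALL_DIR = "/opt/venv"
MEMBER_NAMES = [
    "pkg/__init__.py",        # ordinary member, must be accepted
    "pkg/../pkg/util.py",     # '..' that stays inside, still accepted
    "../../etc/cron.d/job",   # classic traversal, must be rejected
    "/etc/passwd",            # absolute name, must be rejected
    "../venv-evil/bin/x",     # sibling sharing the string prefix, must be rejected
]


def target_path(install_dir, member_name):
    """Where the member would be written. join() discards install_dir entirely
    when member_name is absolute, which is one of the escapes to catch."""
    return posixpath.normpath(posixpath.join(install_dir, member_name))


def naive_is_contained(install_dir, member_name):
    """String-prefix check: accepts /opt/venv-evil/... for install_dir /opt/venv."""
    return target_path(install_dir, member_name).startswith(install_dir)


def is_contained(install_dir, member_name):
    """Component-wise check: the common path of install_dir and the target must
    be install_dir itself. Symlinks are not resolved here; on a real filesystem
    canonicalise install_dir with os.path.realpath before comparing."""
    target = target_path(install_dir, member_name)
    return posixpath.commonpath([install_dir, target]) == install_dir


def classify(install_dir, member_names):
    """{member_name: (naive_verdict, strict_verdict)} for each candidate."""
    return {
        name: (naive_is_contained(install_dir, name), is_contained(install_dir, name))
        for name in member_names
    }
```

Two details matter in practice beyond the string comparison: the install directory must be canonicalised (symlinks resolved) before it is used as the reference, and the check must run on the final resolved target of every member, including script names produced from entry-point metadata, not only on the names as they appear in the archive listing.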