Palo Alto Panorama VM (pre-6.0.1) allows remote Python code execution via a malicious firmware image
Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file.
Path traversal vulnerability in akashtalole/python-flask-restful-api on GitHub through 2019-09-16 due to unsafe use of Flask's send_file function
The akashtalole/python-flask-restful-api repository through 2019-09-16 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
Remote code execution in AlienVault Unified Security Management (before 4.15) via a crafted plugin configuration file
The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg).
Plone before 4.2.3 and 4.3 before beta 1: remote Python code execution through registerConfiglet.py in the admin interface (unspecified vectors)
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.
Apache Airflow (before 1.10.15; 2.0.0 and 2.0.1): XSS via the "origin" parameter, incomplete fix for CVE-2020-13944 and CVE-2020-17515
The "origin" parameter passed to some endpoints, such as '/trigger', was vulnerable to XSS. This issue affects Apache Airflow versions before 1.10.15 in the 1.x series and versions 2.0.0 and 2.0.1 in the 2.x series. It is the same issue as CVE-2020-13944 and CVE-2020-17515, but the fix implemented for those did not resolve it completely. Update to Airflow 1.10.15 or 2.0.2. Also update Python to the latest available patch release of the installed minor version (for example, update to Python 3.6.13 if you are on Python 3.6); those releases contain the fix for CVE-2021-23336 (https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
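The entry above describes a reflected parameter that should only ever name a page inside the application. The following added example (written for this page, not Airflow's own code or fix) shows the two layers that close such a hole: validate that the value is a same-site relative path before using it, and escape it on output. The default landing page "/home" and the helper names are assumptions.

```python
import html
from urllib.parse import urlsplit

DEFAULT_ORIGIN = "/home"  # assumed fallback when the parameter is rejected


def safe_origin(value, default=DEFAULT_ORIGIN):
    """Return value only if it is a same-site relative path, else default."""
    if not value or not isinstance(value, str):
        return default
    # Browsers normalise control characters and backslashes in ways urlsplit
    # does not ("/\\evil.test" is treated as protocol-relative), so reject them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in value) or "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default  # http://..., javascript:..., //evil.test/...
    if value.startswith("//") or not parts.path.startswith("/"):
        return default
    return value


def render_back_link(origin_param):
    """Reflect the validated origin into HTML with attribute escaping."""
    target = safe_origin(origin_param)
    # Validation alone is not enough: a path such as /tree" onmouseover="...
    # is still a relative path, so the reflected value must be escaped too.
    return '<a href="%s">Back</a>' % html.escape(target, quote=True)
```

Both checks are needed: `safe_origin` stops open redirects and `javascript:` URLs, while `html.escape` stops attribute breakout in values that pass validation.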
Information exposure through log files in Palantir Foundry Code-Workbooks 4.144 to 4.460.0 leaks the Python console's Foundry token; fixed in 4.461.0
An Information Exposure Through Log Files vulnerability was discovered in Foundry Code-Workbooks: the endpoint backing the Code-Workbooks Python console generated service log records of any Python code being run, and those records included the Foundry token that represents the console. This issue affects Palantir Foundry Code-Workbooks versions 4.144 to 4.460.0 and is resolved in 4.461.0. Upgrade to Code-Workbooks version 4.461.0.
NumPy 1.16.0 and earlier: code execution via a crafted serialized object through unsafe use of pickle in numpy.load (disputed)
** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
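The dispute above turns on trust in the input, not on the mechanism: unpickling data from an untrusted source lets that data name any importable callable and the arguments to call it with. The following added example (written for this page, not NumPy's code; it uses only the standard library so the hazard is visible without a `.npy` file) builds such a payload, shows what an `allow_pickle=True` load would do with it, and shows the restricted-unpickler pattern that refuses unexpected globals. The allowlist contents are an assumption.

```python
import io
import os
import pickle


class Exploit:
    """Attacker-controlled class: __reduce__ tells the unpickler what to call."""

    def __reduce__(self):
        # Any importable callable works; eval is used here so the effect is a
        # visible return value rather than a shell command.
        return (eval, ("__import__('os').getcwd()",))


def craft_payload():
    # The pickle stream records builtins.eval and its argument, not Exploit,
    # so the victim never needs this class to exist.
    return pickle.dumps(Exploit())


def benign_payload():
    # Plain containers need no global lookup at all.
    return pickle.dumps([1, "two", {"three": 3.0}])


def load_unsafely(data):
    """What numpy.load(..., allow_pickle=True) ultimately does for object arrays."""
    return pickle.loads(data)


# Assumed allowlist: the only (module, name) pairs a loader should resolve.
SAFE_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global the stream asks for unless it is explicitly allowed."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True when the restricted loader refuses the stream."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def demo_unsafe_load_runs_code():
    """True when the crafted payload executed eval() during loading."""
    return load_unsafely(craft_payload()) == os.getcwd()
```

For NumPy specifically, pass `allow_pickle=False` to `numpy.load` unless the file comes from a source you authenticate; later NumPy releases made that the default. Restricting `find_class` is the stdlib-level equivalent when pickle itself cannot be avoided.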
Path traversal vulnerability in JustAnotherSoftwareDeveloper/Python-Recipe-Database on GitHub through 2021-03-31 due to unsafe use of Flask's send_file function
The JustAnotherSoftwareDeveloper/Python-Recipe-Database repository through 2021-03-31 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
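Both send_file entries on this page (akashtalole/python-flask-restful-api and JustAnotherSoftwareDeveloper/Python-Recipe-Database) share one root cause: a request-controlled path reaches `send_file` after a naive join, and `os.path.join` discards the base directory as soon as the user part is absolute. The following added example (written for this page, not either repository's code) isolates that path resolution without Flask so it runs stand-alone; the base directory is an assumption, and the checks assume a POSIX filesystem.

```python
import os

BASE_DIR = "/srv/app/uploads"  # assumed directory the application serves


def unsafe_resolve(base_dir, user_path):
    """The vulnerable pattern: whatever this returns is handed to send_file.

    os.path.join drops every component before an absolute one, so a request
    for "/etc/passwd" resolves to exactly "/etc/passwd"; "../../../etc/passwd"
    is left in place and opened relative to base_dir by the OS.
    """
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Return an absolute path under base_dir, or None if the request escapes it."""
    if not isinstance(user_path, str) or "\x00" in user_path:
        return None
    # Absolute requests are never legitimate for a file-serving endpoint.
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks, so the check
    # below sees where the file would really be opened.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath rather than startswith: "/srv/app/uploads-evil/x" starts
    # with "/srv/app/uploads" but is not inside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

In a Flask application the stock fix is `flask.send_from_directory(base_dir, user_path)` (or `werkzeug.utils.safe_join`, which it relies on) in place of `send_file(os.path.join(...))`; the function above shows the check those helpers perform so it can be tested in isolation.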
Plone before 4.2.3 and 4.3 before beta 1: remote Python code execution via a crafted URL, related to go_back in python_scripts.py
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."
Plone before 4.2.3 and 4.3 before beta 1: remote Python code execution via a crafted URL, related to createObject in python_scripts.py
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.
Introducing the "VAITP dataset": a specialized repository of Python vulnerabilities and patches, meticulously compiled for the use of the security research community. As Python's prominence grows, understanding and addressing potential security vulnerabilities become crucial. Crafted by and for the cybersecurity community, this dataset offers a valuable resource for researchers, analysts, and developers to analyze and mitigate the security risks associated with Python. Through the comprehensive exploration of vulnerabilities and corresponding patches, the VAITP dataset fosters a safer and more resilient Python ecosystem, encouraging collaborative advancements in programming security.
The supreme art of war is to subdue the enemy without fighting.
Sun Tzu – “The Art of War”
:: Shaping the future through research and ingenuity ::
