VAITP Dataset

Dataset Statistics

Record fields: # | CVE | Vulnerability | ODC | Category | Subcategory | Accessibility Scope | Details

Total vulnerabilities in the dataset (not showing ignored and non-Python-related vulnerabilities): 1438
#272 | CVE-2022-40807 | PyPI d8s-domains 0.1.0 had code-execution backdoor via democritus-hypothesis package
Details: The d8s-domains package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0.
ODC: Function | Category: Input Validation and Sanitization | Subcategory: Insecure Parsing or Deserialization | Accessibility Scope: Remote

#271 | CVE-2022-40806 | PyPI d8s-uuids 0.1.0 had code-execution backdoor via democritus-hypothesis package
Details: The d8s-uuids package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0.
ODC: Function | Category: Cryptographic | Subcategory: Inadequate random number generation | Accessibility Scope: Remote

#269 | CVE-2017-1002150 | Open redirect in python-fedora <= 0.8.0 results in CSRF protection loss
Details: python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection.
ODC: Function | Category: Cryptographic | Subcategory: Improper SSL/TLS Certificate Validation | Accessibility Scope: Remote

#266 | CVE-2022-25024 | Python json2xml package (up to v3.12.0) remote attack, denial of service, typecode decoding error
Details: The json2xml package through 3.12.0 for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.
ODC: Function | Category: Cryptographic | Subcategory: Improper SSL/TLS Certificate Validation | Accessibility Scope: Remote

#265 | CVE-2022-38880 | PyPI d8s-urls 0.1.0 had a code-execution backdoor via third-party-inserted code
Details: The d8s-urls package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The affected version is 0.1.0.
ODC: Function | Category: Input Validation and Sanitization | Subcategory: Command Injection | Accessibility Scope: Remote

#264 | CVE-2022-30885 | PyPI pyesasky 1.2.0-1.4.2 had code-execution backdoor
Details: The pyesasky package for Python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The affected versions are 1.2.0-1.4.2.
ODC: Function | Category: Input Validation and Sanitization | Subcategory: Command Injection | Accessibility Scope: Remote

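The four backdoor entries above (d8s-domains, d8s-uuids, d8s-urls, pyesasky) share one delivery model: code inserted by a third party that runs when the package is installed or imported, in the d8s cases through an added dependency (democritus-hypothesis). The following is an added example, not code from the dataset or from any of those packages: a pre-install audit that reads a wheel's METADATA, compares its Requires-Dist entries against the dependencies you expect from a previously reviewed release, and scans module sources for dynamic execution and decoding patterns. The wheel it inspects is constructed in memory; the package name example_pkg and the dependency name hypothetical-helper are made up, and the pattern list is a heuristic, not a malware signature.

```python
"""Pre-install audit of a Python wheel: flag dependencies that were not in a
reviewed release and source patterns typical of install/import-time droppers.
Heuristic and illustrative; a clean result does not prove a package is benign."""
import io
import re
import zipfile

# Patterns that frequently appear in backdoored PyPI packages (heuristic, not a signature).
SUSPICIOUS_PATTERNS = {
    "dynamic-exec": re.compile(r"\b(exec|eval)\s*\("),
    "base64-decode": re.compile(r"\bbase64\.b64decode\s*\("),
    "subprocess/os.system": re.compile(r"\b(subprocess\.\w+|os\.system|os\.popen)\s*\("),
    "network": re.compile(r"\b(urllib\.request\.urlopen|requests\.(get|post)|socket\.socket)\s*\("),
}


def parse_requires_dist(metadata_text):
    """Return normalized project names from the Requires-Dist lines of a METADATA file."""
    names = []
    for line in metadata_text.splitlines():
        if line.startswith("Requires-Dist:"):
            req = line.split(":", 1)[1].strip()
            # Keep only the project name: drop version specifiers, extras and markers.
            name = re.split(r"[\s\[<>=!~;(]", req, maxsplit=1)[0]
            names.append(name.lower().replace("_", "-"))
    return names


def audit_wheel(wheel_bytes, expected_deps):
    """Audit a wheel held in memory; returns unexpected dependencies and flagged source lines."""
    findings = {"unexpected_deps": [], "suspicious_code": []}
    expected = {d.lower().replace("_", "-") for d in expected_deps}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dist-info/METADATA"):
                deps = parse_requires_dist(zf.read(name).decode("utf-8", "replace"))
                findings["unexpected_deps"] = sorted(set(deps) - expected)
            elif name.endswith(".py"):
                src = zf.read(name).decode("utf-8", "replace")
                for label, pattern in SUSPICIOUS_PATTERNS.items():
                    for match in pattern.finditer(src):
                        lineno = src.count("\n", 0, match.start()) + 1
                        findings["suspicious_code"].append((name, lineno, label))
    return findings


def build_sample_wheel():
    """Constructed in-memory wheel for the demo; not a real PyPI artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example_pkg/__init__.py", "from .core import lookup\n")
        zf.writestr("example_pkg/core.py", "def lookup(name):\n    return name.lower()\n")
        # Import-time dropper: decodes hidden code and executes it.
        zf.writestr("example_pkg/_helper.py",
                    "import base64\nexec(base64.b64decode('cHJpbnQoMSk='))\n")
        zf.writestr("example_pkg-0.1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: example-pkg\nVersion: 0.1.0\n"
                    "Requires-Dist: requests (>=2.0)\n"
                    "Requires-Dist: hypothetical-helper\n")  # not in the reviewed release
    return buf.getvalue()


if __name__ == "__main__":
    # Expected dependencies come from the last release you reviewed, not from the new wheel.
    report = audit_wheel(build_sample_wheel(), expected_deps=["requests"])
    for dep in report["unexpected_deps"]:
        print(f"NEW DEPENDENCY: {dep}")
    for path, lineno, label in report["suspicious_code"]:
        print(f"{path}:{lineno}: {label}")
```

Run this against a wheel downloaded with `pip download --no-deps` before installing it; an unexpected dependency or a flagged line in a file that has no business decoding and executing data is the cue to read that file by hand.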
#259 | CVE-2014-3539 | Remote code execution via unsafe pickle.load in Rope library (Python)
Details: base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.
ODC: Function | Category: Resource Management | Subcategory: Memory Leaks | Accessibility Scope: Remote

#257 | CVE-2020-35678 | Autobahn|Python < 20.12.3: Redirect header injection vulnerability
Details: Autobahn|Python before 20.12.3 allows redirect header injection.
ODC: Function | Category: Resource Management | Subcategory: File Handle Leaks | Accessibility Scope: Remote

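The python-fedora and Autobahn entries above are the two ways a redirect target goes wrong: it points off-site (an open redirect, which in python-fedora's case also defeated CSRF protection), or it carries control characters that terminate the Location header and let the attacker append headers of their own (header injection). Added example, not code from either project: a validator that accepts only same-site absolute paths or http(s) URLs to an explicit host allow-list, and rejects anything containing a control character. The host name app.example is an assumption for illustration.

```python
"""Validate a redirect target before it is placed in a Location header.
Rejects off-site targets (open redirect) and control characters (header injection)."""
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_hosts):
    """True if target is an absolute path on this site or an http(s) URL to an allowed host."""
    if not target:
        return False
    # Header injection: CR, LF, NUL or any other control character must never reach Location.
    # Checked before parsing, because urlsplit silently strips some of these characters.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    # Scheme-relative ("//evil.example/x") and absolute URLs both carry a netloc; only
    # http(s) to an allowed host may pass. A scheme with no netloc ("javascript:...",
    # "https:evil.example") is never a same-site path.
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return False
        # .hostname drops userinfo and port: "app.example@evil.example" resolves to evil.example.
        host = parts.hostname
        return host is not None and host.lower() in {h.lower() for h in allowed_hosts}
    # Relative target: require an absolute path. Browsers treat "\" like "/", so
    # "/\evil.example" would be interpreted as scheme-relative and must be refused too.
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def redirect_target(target, allowed_hosts, fallback="/"):
    """Return target if it is safe to redirect to, otherwise fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = ["app.example"]  # assumed site host
    for candidate in ["/dashboard", "//evil.example/x", "https://app.example@evil.example/",
                      "/ok\r\nSet-Cookie: session=x", "javascript:alert(1)"]:
        print(repr(candidate), "->", redirect_target(candidate, hosts))
```

The check is deliberately a positive allow-list (path must start with a single "/", host must be named explicitly); blocklisting known-bad prefixes is how open-redirect filters usually get bypassed.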
#255 | CVE-2013-7489 | Beaker library Python <=1.11.0 deserialization vulnerability
Details: The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
ODC: Timing/Serialization | Category: Race Conditions | Subcategory: Data Race Conditions in Threads | Accessibility Scope: Remote

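The Rope and Beaker entries above are the same bug: pickle.load on bytes an attacker controls is remote code execution, because a pickle stream can name any importable callable and the unpickler will call it with attacker-chosen arguments. Added example, not code from Rope or Beaker: a constructed payload that shows the mechanism (it only evaluates a harmless expression) next to a restricted unpickler that refuses every global not on an allow-list. The allow-list contents and the session dict are assumptions. For untrusted input the right answer is still a data-only format such as JSON; the allow-list only narrows the attack surface of code that must keep reading pickles.

```python
"""Why pickle.load on untrusted bytes is code execution, and one way to contain it."""
import io
import pickle


class Exploit:
    """Constructed stand-in for attacker-controlled pickle content."""

    def __reduce__(self):
        # The pickle records "call builtins.eval with this string"; the unpickler obeys.
        # A real payload would run something far worse than a pid lookup.
        return (eval, ("'code ran in pid %d' % __import__('os').getpid()",))


def make_malicious_pickle():
    return pickle.dumps(Exploit())


def make_benign_pickle():
    # What a session store legitimately serializes: plain containers and scalars (assumed shape).
    return pickle.dumps({"user_id": 42, "roles": ["reader"], "csrf": "abc"})


def unsafe_loads(data):
    """The vulnerable pattern: unpickle whatever arrived."""
    return pickle.loads(data)


# Allow-list of (module, name) pairs the application actually needs to reconstruct its data.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_loads(data):
    """Return (ok, value_or_error) so callers can log rejected payloads."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unsafe:", unsafe_loads(make_malicious_pickle()))      # attacker code ran
    print("restricted:", try_restricted_loads(make_malicious_pickle()))  # rejected
    print("restricted, benign:", try_restricted_loads(make_benign_pickle()))
```

Plain dicts, lists and strings need no global lookup at all, so the allow-list above is rarely exercised by legitimate data; any hit on find_class for a session payload is itself worth alerting on.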
#251 | CVE-2021-40828 | AWS IoT Device SDK v2 (Java, Python, C++, Node.js) TLS hostname verification issue on Windows
Details: Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.
ODC: Function | Category: Memory Corruption | Subcategory: Use-After-Free Errors | Accessibility Scope: Remote

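The entry above concerns the native aws-c-io layer on Windows, and the fix lives in that submodule (0.9.13 onward). What follows is an added illustration of the same failure class using Python's ssl module, not the SDK's code: when a client replaces the trust store with its own CA file it must keep hostname checking on, otherwise the handshake still validates the chain but accepts any certificate that CA ever issued for any server, which is exactly what a man-in-the-middle with a stolen or mis-issued certificate needs. The audit function reports the weak settings on a client context; cafile is optional so the example runs without a certificate file.

```python
"""Keep hostname verification on when you override the trust store."""
import ssl


def client_context(cafile=None, verify_hostname=True):
    """Build a client-side TLS context. cafile=None keeps the platform trust store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        # Overriding the CAs must not weaken the rest of the policy:
        # verify_mode stays CERT_REQUIRED and check_hostname stays True.
        ctx.load_verify_locations(cafile=cafile)
    if not verify_hostname:
        # The weak configuration. Chain validation still happens, but the certificate is
        # never matched against the host the client meant to reach, so any certificate
        # issued by the loaded CA passes for any server name.
        ctx.check_hostname = False
    return ctx


def audit_context(ctx):
    """Return policy findings for a client SSLContext; an empty list means no known weakness."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched against the target host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in [("default", client_context()),
                       ("custom CA, hostname check off", client_context(verify_hostname=False))]:
        print(f"{label}: {audit_context(ctx) or 'ok'}")
```

Run audit_context over every context a library hands back to you after you pass it a custom CA bundle; a client that only checks that a connection succeeded cannot tell the two configurations apart.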
Introducing the "VAITP dataset": a specialized repository of Python vulnerabilities and patches, meticulously compiled for the use of the security research community. As Python's prominence grows, understanding and addressing potential security vulnerabilities become crucial. Crafted by and for the cybersecurity community, this dataset offers a valuable resource for researchers, analysts, and developers to analyze and mitigate the security risks associated with Python. Through the comprehensive exploration of vulnerabilities and corresponding patches, the VAITP dataset fosters a safer and more resilient Python ecosystem, encouraging collaborative advancements in programming security.

The supreme art of war is to subdue the enemy without fighting.

Sun Tzu – “The Art of War”

:: Shaping the future through research and ingenuity ::