Mage-ai versions 0.8.34 to 0.8.71, with user authentication enabled, have unauthorized terminal access
mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue.
Exotel-py v0.1.6: Backdoor code execution vulnerability
The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party.
XXE vulnerability in 'XML2Dict' 0.2.2 = Denial of Service
XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.
Gradio v3.27.0 /upload interface allows arbitrary file uploads, a severe security vulnerability
Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.
eth-account PyPI package: Exponential ReDoS in "encode_structured_data" method
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the eth-account PyPI package, when an attacker is able to supply arbitrary input to the encode_structured_data method
Websockets v4 improper handling of compressed data DoS via memory exhaustion
aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appear to be exploitable via Sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in 5.
Llama_index v.0.7.13 and earlier: Remote code execution via 'exec' parameter in PandasQueryEngine function
An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.
Pandas-ai v0.9.1 and earlier have a remote code execution vulnerability via the _is_jailbreak function
An issue in pandas-ai v.0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function.
GitPython < 3.1.32 has an insecure fix for , allowing insecure options in cloning
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
PyTorch eval vulnerability allows arbitrary code execution
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Introducing the "VAITP dataset": a specialized repository of Python vulnerabilities and patches, meticulously compiled for the use of the security research community. As Python's prominence grows, understanding and addressing potential security vulnerabilities become crucial. Crafted by and for the cybersecurity community, this dataset offers a valuable resource for researchers, analysts, and developers to analyze and mitigate the security risks associated with Python. Through the comprehensive exploration of vulnerabilities and corresponding patches, the VAITP dataset fosters a safer and more resilient Python ecosystem, encouraging collaborative advancements in programming security.
The supreme art of war is to subdue the enemy without fighting.
Sun Tzu – “The Art of War”
:: Shaping the future through research and ingenuity ::