Python 2 Security Vulnerability (CVE) Updates

As part of ActiveState’s Python 2 extended support, we continuously evaluate and remediate known security vulnerabilities (CVEs) impacting Python 2.7 since Python 2 End of Life (EOL) occurred on January 1, 2020. Python 2.7.18 vulnerabilities resolved by our ActivePython 2.7.18.6 release:

  • 16 Critical
  • 22 High
  • 9 Medium

Need Help with Python 2.7 End of Life Support?

ActiveState can help you with Python 2.7 end of life by providing solutions to maintain and secure your existing Python 2.7 codebase.

Vulnerabilities resolved in ActivePython 2.7

CVE-2021-3733 | Severity: Medium | Fix available: Yes | Published: 2022/10/03
There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

CVE-2020-10735 | Severity: High | Fix available: Yes | Published: 2022/09/09
A flaw was found in Python. In algorithms with quadratic time complexity using non-binary bases, when using int(“text”), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

CVE-2015-20107 | Severity: High | Fix available: Yes | Published: 2022/04/13
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8 and 3.9.

CVE-2022-0391 | Severity: High | Fix available: Yes | Published: 2022/02/09
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue is that the urlparse method does not sanitize input and allows characters like ‘\r’ and ‘\n’ in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVE-2021-23336 | Severity: High | Fix available: Yes | Published: 2021/02/15
The package python/cpython before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, and from 3.9.0 and before 3.9.2 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in the cache key of an unkeyed parameter.

CVE-2021-3177 | Severity: Critical | Fix available: Yes | Published: 2021/01/19
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. The same buffer overflow issue is present in Python 2.7.18.2 (and earlier 2.7.18 versions) and, when hit, will crash a running Python process.

CVE-2020-27619 | Severity: Critical | Fix available: Yes | Published: 2020/10/21
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. Although the code differs between Python 2 and Python 3, the same eval() issue is present in Python 2.7.18.

CVE-2020-26116 | Severity: High | Fix available: Yes | Published: 2020/09/27
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, inserting CR and LF control characters in the first argument of HTTPConnection.request. Although the httplib module is laid out differently than in Python 3, the same execution path and behaviour is present in Python 2.7.18.

CVE-2019-20907 | Severity: High | Fix available: Yes | Published: 2020/07/13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

CVE-2020-8492 | Severity: Medium | Fix available: Yes | Published: 2020/01/30
The core library urllib allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client.

CVE-2020-29050 | Severity: High | Fix available: No (this CVE was attributed to the Python Sphinx module in error; the attribution has been corrected) | Published: 2023/07/19
SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory).

CVE-2022-40898 | Severity: High | Fix available: Yes | Published: 2023/07/19
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI.

CVE-2021-23727 | Severity: High | Fix available: Yes | Published: 2023/07/19
This affects the package celery before 5.2.2. By default it trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. If an attacker can gain access to, or otherwise manipulate, the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

CVE-2021-20270 | Severity: High | Fix available: Yes | Published: 2023/07/19
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the “exception” keyword.

CVE-2021-27291 | Severity: High | Fix available: Yes | Published: 2023/07/19
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVE-2022-40897 | Severity: High | Fix available: Yes | Published: 2023/07/19
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Third-Party Package Vulnerabilities

CVE-2021-30560 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-40304 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVE-2022-40303 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CVE-2022-23308 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

CVE-2021-3518 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
There’s a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

CVE-2021-3517 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
There is a flaw in the XML entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

CVE-2020-7595 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

CVE-2019-20388 | Severity: High | Fix available: LibXML2 2.11.4 and higher are now compatible with Python 2 builds on our modern build system | Published: 2023/11/13
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

CVE-2022-22817 | Severity: Critical | Fix available: Yes | Published: 2023/03/29
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

CVE-2022-24303 | Severity: Critical | Fix available: Yes | Published: 2023/03/29
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

CVE-2020-10379 | Severity: Critical | Fix available: Yes | Published: 2023/03/29
In Pillow before 7.1.0, there are two buffer overflows in libImaging/TiffDecode.c.

CVE-2021-23437 | Severity: High | Fix available: Yes | Published: 2023/03/29
The package pillow 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

CVE-2021-25290 | Severity: High | Fix available: Yes | Published: 2023/03/29
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

CVE-2021-25291 | Severity: High | Fix available: Yes | Published: 2023/03/29
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

CVE-2021-25293 | Severity: High | Fix available: Yes | Published: 2023/03/29
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

CVE-2021-27921 | Severity: High | Fix available: Yes | Published: 2023/03/29
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

CVE-2021-27922 | Severity: High | Fix available: Yes | Published: 2023/03/29
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

CVE-2021-27923 | Severity: High | Fix available: Yes | Published: 2023/03/29
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

CVE-2022-43680 | Severity: High | Fix available: Yes | Published: 2022/10/24
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

CVE-2022-40674 | Severity: Critical | Fix available: Yes | Published: 2022/09/14
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

CVE-2022-37434 | Severity: Critical | Fix available: Yes | Published: 2022/08/05
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

CVE-2022-2097 | Severity: Medium | Fix available: Yes | Published: 2022/07/05
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

CVE-2022-2068 | Severity: Critical | Fix available: Yes | Published: 2022/06/21
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.

CVE-2022-1292 | Severity: Critical | Fix available: Yes | Published: 2022/05/03
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.

CVE-2021-20227 | Severity: Medium | Fix available: Yes | Published: 2022/03/28
A flaw was found in SQLite’s SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.

CVE-2022-0778 | Severity: High | Fix available: Yes | Published: 2022/03/15
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack.

CVE-2022-25315 | Severity: Critical | Fix available: Yes | Published: 2022/02/18
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

CVE-2022-25236 | Severity: Critical | Fix available: Yes | Published: 2022/02/15
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

CVE-2022-25235 | Severity: Critical | Fix available: Yes | Published: 2022/02/15
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

CVE-2021-34552 | Severity: Critical | Fix available: Yes | Published: 2022/02/14
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

CVE-2021-25288 | Severity: Critical | Fix available: Yes | Published: 2022/02/14
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.

CVE-2021-25287 | Severity: Critical | Fix available: Yes | Published: 2022/02/14
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

CVE-2021-43818 | Severity: High | Fix available: Fix pending | Published: 2021/12/13
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

CVE-2021-3711 | Severity: Critical | Fix available: Yes | Published: 2021/08/24
OpenSSL: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the “out” parameter can be NULL and, on exit, the “outlen” parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the “out” parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call….

CVE-2021-25289 | Severity: Critical | Fix available: Yes | Published: 2021/03/19
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

CVE-2021-3712 | Severity: High | Fix available: Yes | Published: 2021/08/24
OpenSSL: ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL’s own “d2i” functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the “data”…

CVE-2021-33203 | Severity: High | Fix available: Yes | Published: 2021/06/08
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

CVE-2021-31542 | Severity: High | Fix available: Yes | Published: 2021/05/05
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

CVE-2021-20270 | Severity: High | Fix available: Fix in progress | Published: 2021/03/23
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the “exception” keyword.

CVE-2021-3449 | Severity: Medium | Fix available: Yes | Published: 2021/03/25
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

CVE-2021-3450 | Severity: High | Fix available: Yes | Published: 2021/03/25
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a “purpose” has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named “purpose” values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

CVE-2021-23841 | Severity: Medium | Fix available: Yes | Published: 2021/02/16
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

CVE-2021-23840 | Severity: High | Fix available: Yes | Published: 2021/02/16
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

CVE-2020-36242 | Severity: Critical | Fix available: Yes | Published: 2021/02/07
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

CVE-2020-35654 | Severity: High | Fix available: Yes | Published: 2021/12/01
In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

CVE-2019-11068 | Severity: Critical | Fix available: Yes | Published: 2020/04/10
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

CVE-2020-7212 | Severity: High | Fix available: Yes | Published: 2020/03/06
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

CVE-2020-26137 | Severity: Medium | Fix available: Yes | Published: 2020/09/30
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

CVE-2020-5390 | Severity: High | Fix available: Yes | Published: 2020/01/13
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of an assertion that has been signed.

CVE-2020-11538 | Severity: High | Fix available: Yes | Published: 2019/06/25
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

CVE-2020-14422 | Severity: Medium | Fix available: Yes | Published: 2020/06/18
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. NOTE: ipaddress is a backported Python 2 library from Python 3 core and is vulnerable to the issue described. ActiveState has forked this version and fixed it. Source is available in our public GitHub repository.

CVE-2020-11655 | Severity: High | Fix available: Yes | Published: 2020/04/08
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object’s initialization is mishandled.

CVE-2020-6802 | Severity: Medium | Fix available: Yes | Published: 2020/03/24
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

CVE-2020-5313 | Severity: High | Fix available: Yes | Published: 2020/01/02
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.

CVE-2020-5312 | Severity: Critical | Fix available: Yes | Published: 2020/01/02
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.

CVE-2020-5311 | Severity: Critical | Fix available: Yes | Published: 2020/01/02
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

CVE-2020-5310 | Severity: High | Fix available: Yes | Published: 2020/01/02
libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.

CVE-2018-20843 | Severity: High | Fix available: Yes | Published: 2019/06/24
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

CVE-2019-12900 | Severity: Critical | Fix available: Yes | Published: 2019/06/19
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Learn more about our extended support options here. For more information or if you have any questions, please contact us at sales@activestate.com. In addition, we open-source all of our fixes in our public GitHub repo so that the community can review and incorporate them into their projects.