ActiveState can help you with Python 2.7 end of life by providing solutions to maintain and secure your existing Python 2.7 codebase.
CVE | Severity | Description | Fix Available | Publish Date |
---|---|---|---|---|
CVE-2021-3733 | Medium | There is a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request with a specially crafted payload sent by the server to the client. The greatest threat from this flaw is to application availability. | Yes | 2022/10/03 |
CVE-2020-10735 | High | A flaw was found in Python: int("text") uses an algorithm with quadratic time complexity for non-binary bases, so a system could take 50 ms to parse an int string with 100,000 digits and 5 s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for the binary bases 2, 4, 8, 16 and 32 are not affected). The highest threat from this vulnerability is to system availability. | Yes | 2022/09/09 |
CVE-2015-20107 | High | In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8 and 3.9. | Yes | 2022/04/13 |
CVE-2022-0391 | High | A flaw was found in Python, specifically within the urllib.parse module, which breaks Uniform Resource Locator (URL) strings into components. The urlparse method does not sanitize its input and allows characters such as '\r' and '\n' in the URL path, so an attacker can supply a crafted URL that leads to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14. | Yes | 2022/02/09 |
CVE-2021-23336 | High | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, and from 3.9.0 and before 3.9.2 is vulnerable to web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator and therefore would not include it in the cache key of an unkeyed parameter. | Yes | 2021/02/15 |
CVE-2021-3177 | Critical | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. The same buffer overflow issue is present in Python 2.7.18.2 (and earlier 2.7.18 versions) and when hit will panic a running python process. | Yes | 2021/01/19 |
CVE-2020-27619 | Critical | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. Although the code is different between Python 2 and Python 3, the same issue with the eval() is present in Python 2.7.18. | Yes | 2020/10/21 |
CVE-2020-26116 | High | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, inserting CR and LF control characters in the first argument of HTTPConnection.request. Although the httplib module is laid out differently in Python 3, the same execution path and behaviour is present in Python 2.7.18. | Yes | 2020/09/27 |
CVE-2019-20907 | High | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | Yes | 2020/07/13 |
CVE-2020-8492 | Medium | Core library urllib allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client. | Yes | 2020/01/30 |
CVE-2020-29050 | High | SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). | Not applicable: this CVE concerns Sphinx Technologies' SphinxSearch, not the Python documentation package Sphinx; the mis-attribution to the Python module has been corrected. | 2023/07/19 |
CVE-2022-40898 | High | An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. | Yes | 2023/07/19 |
CVE-2021-23727 | High | This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system. | Yes | 2023/07/19 |
CVE-2021-20270 | High | An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the “exception” keyword. | Yes | 2023/07/19 |
CVE-2021-27291 | High | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. | Yes | 2023/07/19 |
CVE-2022-40897 | High | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. | Yes | 2023/07/19 |
CVE | Severity | Package Description | Fix Available | Publish Date |
---|---|---|---|---|
CVE-2021-30560 | High | Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2022-40304 | High | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2022-40303 | High | An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2022-23308 | High | valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2021-3518 | High | There is a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2021-3517 | High | There is a flaw in the XML entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2020-7595 | High | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2019-20388 | High | xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. | LibXML2 2.11.4 and higher are now compatible with Python2 builds on our modern build system. | 2023/11/13 |
CVE-2022-22817 | Critical | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary | Yes | 2023/03/29 |
CVE-2022-24303 | Critical | Pillow before 9.0.1 allows attackers to delete files because spaces in | Yes | 2023/03/29 |
CVE-2020-10379 | Critical | In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/ | Yes | 2023/03/29 |
CVE-2021-23437 | High | The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression | Yes | 2023/03/29 |
CVE-2021-25290 | High | An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a | Yes | 2023/03/29 |
CVE-2021-25291 | High | An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an | Yes | 2023/03/29 |
CVE-2021-25293 | High | An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read | Yes | 2023/03/29 |
CVE-2021-27921 | High | Pillow before 8.1.1 allows attackers to cause a denial of service (memory | Yes | 2023/03/29 |
CVE-2021-27922 | High | Pillow before 8.1.1 allows attackers to cause a denial of service (memory | Yes | 2023/03/29 |
CVE-2021-27923 | High | Pillow before 8.1.1 allows attackers to cause a denial of service (memory | Yes | 2023/03/29 |
CVE-2022-43680 | High | In libexpat through 2.4.9, there is a use-after-free caused by overeager | Yes | 2022/10/24 |
CVE-2022-40674 | Critical | libexpat before 2.4.9 has a use-after-free in the doContent function in | Yes | 2022/09/14 |
CVE-2022-37434 | Critical | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). | Yes | 2022/08/05 |
CVE-2022-2097 | Medium | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised | Yes | 2022/07/05 |
CVE-2022-2068 | Critical | In addition to the c_rehash shell command injection identified in | Yes | 2022/06/21 |
CVE-2022-1292 | Critical | The c_rehash script does not properly sanitise shell metacharacters to prevent | Yes | 2022/05/03 |
CVE-2021-20227 | Medium | A flaw was found in SQLite's SELECT query functionality (src/select.c). This | Yes | 2022/03/28 |
CVE-2022-0778 | High | The BN_mod_sqrt() function, which computes a modular square root, contains a | Yes | 2022/03/15 |
CVE-2022-25315 | Critical | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in | Yes | 2022/02/18 |
CVE-2022-25236 | Critical | xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert | Yes | 2022/02/15 |
CVE-2022-25235 | Critical | xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of | Yes | 2022/02/15 |
CVE-2021-34552 | Critical | Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow | Yes | 2022/02/14 |
CVE-2021-25288 | Critical | An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read | Yes | 2022/02/14 |
CVE-2021-25287 | Critical | An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read | Yes | 2022/02/14 |
CVE-2021-43818 | High | | Fix pending | 2021/12/13 |
CVE-2021-3711 | Critical | | Yes | 2021/08/24 |
CVE-2021-25289 | Critical | | Yes | 2021/03/19 |
CVE-2021-3712 | High | | Yes | 2021/08/24 |
CVE-2021-33203 | High | | Yes | 2021/06/08 |
CVE-2021-31542 | High | | Yes | 2021/05/05 |
CVE-2021-20270 | High | An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to | Fix in progress | 2021/03/23 |
CVE-2021-3449 | Medium | An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation | Yes | 2021/03/25 |
CVE-2021-3450 | High | The X509_V_FLAG_X509_STRICT flag enables additional security checks of the | Yes | 2021/03/25 |
CVE-2021-23841 | Medium | The OpenSSL public API function X509_issuer_and_serial_hash() attempts to | Yes | 2021/02/16 |
CVE-2021-23840 | High | Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may | Yes | 2021/02/16 |
CVE-2020-36242 | Critical | In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. | Yes | 2021/02/07 |
CVE-2020-35654 | High | | Yes | 2021/12/01 |
CVE-2019-11068 | Critical | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. | Yes | 2020/04/10 |
CVE-2020-7212 | High | The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). | Yes | 2020/03/06 |
CVE-2020-26137 | Medium | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | Yes | 2020/09/30 |
CVE-2020-5390 | High | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of an assertion that has been signed. | Yes | 2020/01/13 |
CVE-2020-11538 | High | | Yes | 2019/06/25 |
CVE-2020-14422 | Medium | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. NOTE: ipaddress is a backported Python 2 library from Python 3 core and is vulnerable to the issue described. ActiveState has forked this version and fixed it. Source is available in our public GitHub repository. | Yes | 2020/06/18 |
CVE-2020-11655 | High | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. | Yes | 2020/04/08 |
CVE-2020-6802 | Medium | In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. | Yes | 2020/03/24 |
CVE-2020-5313 | High | libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | Yes | 2020/01/02 |
CVE-2020-5312 | Critical | libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | Yes | 2020/01/02 |
CVE-2020-5311 | Critical | libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | Yes | 2020/01/02 |
CVE-2020-5310 | High | libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. | Yes | 2020/01/02 |
CVE-2018-20843 | High | | Yes | 2019/06/24 |
CVE-2019-12900 | Critical | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds | Yes | 2019/06/19 |
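Most rows in this second table are CVEs in native libraries bundled with the build (libxml2, libxslt, expat, zlib, OpenSSL, SQLite, bzip2) or in third-party packages, so the practical check is which versions the interpreter actually loads, not which Python release it reports. The script below is an added example, not ActiveState code: its minimum versions for expat, zlib, SQLite, libxml2, libxslt and the packages are derived from the "through X" / "before X" wording in the rows above; the OpenSSL threshold (1.1.1q / 3.0.5, the releases that fixed CVE-2022-2097) is taken from the OpenSSL advisory and is not stated on this page; lxml is assumed to be the libxml2 binding in use, and bzip2 is not covered because the bz2 module exposes no library version.

```python
"""Inventory the native libraries and packages this interpreter ships with and
compare them against the fixed versions implied by the table above.
Runs on Python 2.7 and 3. libxml2/libxslt are read through lxml when installed."""
import importlib
import re
import sqlite3
import ssl
import zlib
import xml.parsers.expat as expat

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)")

# Minimum fixed versions of native libraries, from the table's own wording.
NATIVE_MINIMUMS = {
    "expat": (2, 5, 0),     # CVE-2022-43680: libexpat through 2.4.9 affected
    "zlib": (1, 2, 13),     # CVE-2022-37434: zlib through 1.2.12 affected
    "sqlite": (3, 32, 0),   # CVE-2020-11655: SQLite through 3.31.1 affected
    "libxml2": (2, 11, 4),  # the fixed line named in the table
    "libxslt": (1, 1, 34),  # CVE-2019-11068: libxslt through 1.1.33 affected
}
# Optional pure-Python packages: (import name, minimum from the table, CVE).
PACKAGE_MINIMUMS = [
    ("PIL", (9, 0, 1), "CVE-2022-24303"),
    ("urllib3", (1, 25, 9), "CVE-2020-26137"),
    ("cryptography", (3, 3, 2), "CVE-2020-36242"),
    ("pygments", (2, 7, 4), "CVE-2021-27291"),
    ("celery", (5, 2, 2), "CVE-2021-23727"),
    ("setuptools", (65, 5, 1), "CVE-2022-40897"),
]


def parse_version(text):
    """First version number in a string: '1.1.1q' -> (1, 1, 1, 'q'),
    '1.3' -> (1, 3, 0, ''). The letter is OpenSSL 1.x's patch level."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4))


def openssl_fixed_for_cve_2022_2097(banner):
    """True when an ssl.OPENSSL_VERSION banner is at or past the release that
    fixed CVE-2022-2097, the newest OpenSSL entry in the table. Assumption
    (OpenSSL advisory, not this page): 1.1.1q for 1.1.x, 3.0.5 for 3.x.
    None for LibreSSL or any banner this check does not understand."""
    if not banner.startswith("OpenSSL "):
        return None
    v = parse_version(banner)
    if v[:2] == (1, 1):
        return v >= (1, 1, 1, "q")
    if v[0] >= 3:
        return v >= (3, 0, 5, "")
    return False  # 1.0.x and older: treated as unfixed


def at_least(version, minimum):
    """Compare (major, minor, patch) tuples; extra components are ignored."""
    return tuple(version)[:3] >= tuple(minimum)[:3]


def package_version(name):
    """(major, minor, patch) from <module>.__version__, or None if unavailable."""
    try:
        ver = getattr(importlib.import_module(name), "__version__", None)
        return parse_version(str(ver))[:3] if ver else None
    except (ImportError, ValueError):
        return None


def inventory():
    """{name: {'version', 'minimum', 'ok': True | False | None}} for this interpreter."""
    # ZLIB_RUNTIME_VERSION (3.3+) is the loaded library; ZLIB_VERSION is only the
    # header zlibmodule was compiled against, which is all Python 2.7 exposes.
    zlib_version = getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)
    result = {
        "expat": {"version": tuple(expat.version_info)},
        "zlib": {"version": parse_version(zlib_version)[:3]},
        "sqlite": {"version": tuple(sqlite3.sqlite_version_info)},
    }
    try:
        from lxml import etree  # assumption: lxml is the binding in use
        result["libxml2"] = {"version": tuple(etree.LIBXML_VERSION)}
        result["libxslt"] = {"version": tuple(etree.LIBXSLT_VERSION)}
    except ImportError:
        pass
    for name, entry in result.items():
        entry["minimum"] = NATIVE_MINIMUMS[name]
        entry["ok"] = at_least(entry["version"], entry["minimum"])
    result["openssl"] = {"version": ssl.OPENSSL_VERSION, "minimum": "1.1.1q / 3.0.5",
                         "ok": openssl_fixed_for_cve_2022_2097(ssl.OPENSSL_VERSION)}
    for name, minimum, cve in PACKAGE_MINIMUMS:
        version = package_version(name)
        if version is not None:
            result[name] = {"version": version, "minimum": minimum, "cve": cve,
                            "ok": at_least(version, minimum)}
    return result


if __name__ == "__main__":
    label = {True: "ok", False: "BELOW FIX THRESHOLD", None: "unknown"}
    for name, entry in sorted(inventory().items()):
        print("%-13s %-32s minimum %-16s %s" % (
            name, entry["version"], entry["minimum"], label[entry["ok"]]))
```

A version at or above the threshold only shows that the bundled library is new enough for the CVEs in this table; a vendor that backports patches without bumping the version (as the libxml2 and Python 2.7 rows above describe) will show as "BELOW FIX THRESHOLD" and needs the vendor's own advisory, or a behavioural probe, to confirm.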